
Ask HN: Should I become a security engineer? - isnetsecforme
I'm an undergrad majoring in Computer Engineering.

I've always been interested in security and love cryptography. I read up on ciphers, hash functions out of interest. I'm surprised when people say Keccak is the best but they've never heard of BLAKE2. I spend most of my day on a vulnerability whenever one is found, and why it happened. Whenever I write code, I consider malicious input from the user and take care to not let it break the application in any way. I have a mindset of simplicity rather than more features.

Is netsec the field for me? I can't seem to find the correct job title. I've been looking at some Security Engineer jobs but most of them deal with network engineering only, and talk nothing about knowledge in crypto and assembly, or experience with Android etc. Although I love networking, I can't find application oriented security jobs.

Where do I start looking? Where do _you_ start looking when you want someone with a security mindset to test your application's security?

PS: I'm looking for a summer internship so if you're looking for an intern, I'd like to get in touch.
======
howlett
I think what you mean is security researcher rather than security engineer.

The easiest thing you can do is e-mail _all_ penetration testing companies you
can find near (or far) from where you live and ask if they are looking for
interns or graduates. Even if they don't advertise at the moment, there's a
good chance you'll get a positive reply, because the demand is greater than
the supply.

Most security companies have a research department which you'll be able to
apply for, after you've joined (at least in the UK such departments require
security clearance).

Also, having an OSCP or OSCE certificate will _definitely_ get you an
interview.

~~~
jpgvm
You definitely want to do OSCP if it's something you can afford to do.

Be aware however, it's not cheap nor is it easy.

Having your OSCP though will _definitely_ land you job interviews and will go
most of the way of landing the job itself.

------
JSeymourATL
> Where do I start looking?

Go where the fish are-- start attending conferences. Often the organizers will
have a discount rate for students. Sometimes they'll offer free admission if
you volunteer at the reception booth for a few hours. Being there in-person makes
a big impact, it's a signal you're serious.

Here's a good list > [https://www.concise-courses.com/security/conferences-of-2017...](https://www.concise-courses.com/security/conferences-of-2017/)

------
alltakendamned
If you want to do cryptography, it's probably easiest to get into it through
an academic career. Please understand it's quite a small field where the
amount of talkers largely exceeds contributors. Alternatively, start learning
and contributing to open source crypto libraries and projects, you'll meet
people who can help you.

It's funny you can't find application security job postings, most of the bread
and butter work these days is web, mobile and penetration testing. Get into
security consulting and you'll do this type of gigs till your fingers bleed.

I'd suggest you learn about security, there's plenty of good info and books to
be found and try to apply it instead of talk about it.

Good luck.

~~~
isnetsecforme
Thank you for your reply.

I'm not interested in getting into cryptography research since I find it too
theoretical. I agree with you about how it is a small field and I think I'll
have a very small chance to make a valuable contribution to _anyone_ if I get
into cryptographic research.

I think I'll follow your advice on contributing to OSS crypto projects. I've
used openssl and crypto++ but I've never really contributed to a real project.

Thanks again.

------
stuffaandthings
The best advice I can give you is to join a Security CTF team (your college
may or may not have one, but there are others that are open to all).

Internships and jobs will open up from being part of a CTF group. It's also A
LOT of fun* (*opinion).

netsec might not necessarily be what you're looking for. A position as a
Security Researcher is probably what you most fit into... finding the right
recruiter can also help you out a lot.

Another (and honestly, easier to get into) security industry is the public
sector. Intelligence agencies, military intelligence branches, etc. They'll
hire you based on personality and potential, and will train you further. This
(in my limited experience) usually means less pay.

Hope this helps. Good luck!

~~~
alltakendamned
I like your CTF suggestion. But finding a job as a security researcher will be
hard if you cannot show any experience.

~~~
stuffaandthings
You're absolutely right, but people are willing to consider CTF work as
experience. If you can go into depth how you solved a problem, no one will
question your conceptual understanding.

I think it's definitely easier if your interviewer actually knows what
security CTFs are.

------
crestedtazo
> I'm surprised when people say Keccak is the best but they've never heard of
> BLAKE2.

I think this is where you belong: www.reddit.com/r/iamverysmary

