
Ask HN: How do you start a career in software security? - chrbarrol
I am close to finishing a Computer Science degree and while I find software security really interesting, I have not been able to find any company hiring graduates for positions that specify working with software security. Is software security just something you stumble into later in your career?
======
alltakendamned
Security consultant checking in.

Candidates with some form of experience are often preferred. But the beauty of
infosec is that that experience can be pretty much anything, it does not have
to be relevant work or school experience.

Have some bug bounties, CVEs or exploits to your name, you'll get an
interview. Have a certificate like OSCP to your name, you'll get an interview.
Do write-ups of Vulnhub machines and that might even be good enough.

But what seems to be the common theme among security people in nice jobs is
that the effort came from them. They were self-driven; this is what they do,
regardless of whether they're paid for it. And the reason is simple: this is a
fast-moving job, which often requires additional study and effort on a daily
basis. So show that you have this quality and take a very active approach to
the start of your security career. It should work, everyone is hiring.

~~~
howlett
> Have a certificate like OSCP to your name, you'll get an interview.

That's the way I personally moved to security and can't recommend it enough.
It's a bit expensive but you definitely get your money's worth.

~~~
onetime_
In terms of security certificates, it is actually on the cheaper end.
SANS/GIAC have a lot of certificates but they run much more expensive, like $5k+.

------
dsacco
The reason you haven't found companies hiring graduates for security is partly
because security, like most specializations, generally skews towards more
experienced candidates, and partly because it's relatively niche.

I'm happy to help you via email if you'd like to get in touch. Practically
speaking, my advice would be to pursue bug bounties, read as much as you can
in the field and implement security measures in code to understand them
deeply.

Plenty of the large and reputable security firms are in an "always hiring"
state, even for graduates.

~~~
csnewb
I know this is a broad question, but what skill set are security firms looking
for in graduates/juniors? I have a year of experience in software development
on a security product, and have done some basic security vulnerability
assessments, but I'm not sure if that's enough to get hired somewhere else.

------
micaksica
I work in product security. Early in my career, I often did bug bounties,
CTFs/wargames, but I didn't really get into "software security" until I had
spent some years doing some large scale production-level software engineering.

Software security is a big space. There are pentesters, exploit developers,
researchers, application security people that work attached to product
engineering teams, et cetera. What is it that you really want to do?

IMO to really understand how to break things and how things break, you need to
be able to build things as well. Outside of very limited circumstances, you
need to be able to communicate to product teams and other developers why a
certain exploit class succeeded, what they can do to mitigate the issue in
prod now, and what best practices to follow to mitigate the issue class in the
future.

------
ecesena
If I were you, I'd connect directly with people working in security, either
security for a "normal" company or working for a security company.

I can believe you if you say that job postings are slightly biased towards senior
positions, but I'm sure you'll find good opportunities easily; it's a very
specialized job and it's hard to find good people.

If you let managers (or HR) know that you exist, a position will appear.

------
btx
Being in a somewhat similar position (looking for my first 'real' job in the
field of security), I have more or less the opposite problem.

After setting up a profile on sites like Xing (works best for Germany) or
Linkedin and adding some relevant buzzwords, you get basically swarmed by
recruiters. The offers from recruiters might not be the most interesting, but
you still can use them to get some information and feedback.

Just show that you have a personal interest in security. For example, I have
myself participated in a bunch of bug bounties, hitting most of the big ones
(Dropbox, Facebook, Google, Microsoft, Mozilla, Paypal, Twitter, ...). While
finding big problems in the higher-paying ones might be trickier, there are
always companies that just offer a thanks or some swag. An alternative would
be to look at open source projects and try to get some CVEs. Of course this
depends on what field of security you want to end up in.

------
JSeymourATL
> I have not been able to find any company hiring graduates ...

Don't search job posts online, you must go where the fish are. Start attending
live events, conferences, etc.

In Oslo, try OsloSec:
[https://www.meetup.com/OsloSec/?scroll=true](https://www.meetup.com/OsloSec/?scroll=true)

------
AnimalMuppet
For me it was, yes. For you, though, it might not have to be. Can you get some
security classes in your coursework? (Does your institution even offer any?)

~~~
chrbarrol
Luckily it offers two: software security and cryptography. I have taken both.
I should also probably mention that I live in Norway, so my question applies
more to the European job market. Though I am of course interested in hearing
experiences from anywhere in the world.

~~~
krestenjacobsen
I'm from Denmark and in a position similar to yours. I'm not newly graduated
but new to the "IT security" field. What I do is that I try to go to
conferences here in Copenhagen. Luckily my current employer endorses my
endeavour and even sponsors some of the conferences or lets me use some of my
work time to attend.

But the point is I'm trying to get to know the field and the people in it.
It's a small community, at least in Scandinavia, so I'm trying to use the
human angle here. :)

(But truth be told I'm hoping to land a job at my current employer.)

------
jest7325
Don't be afraid to shake things up, or the industry, but always stay on the bright
side. The line is very thin between "I am trying to help and improve security"
and "I am threatening you". Some people or businesses could feel
threatened depending on the wording used when approaching them.

