
Ask HN: How to get a job at cybersecurity? - abdelhadikhiati
Hey, I am a computer science graduate. I have experience developing Android apps and some Google App Engine backends. Lately I am interested in cybersecurity; it sounds like a really interesting domain, and I want to know what learning paths I should take to get a job in this domain, since I assume my computer science background is different than pen testing?
Can you provide me resources (books, CTFs, advice)?
Thank you
======
sarciszewski
Why not give Matasano a call? Rumor has it they'll give you great book(s) just
for applying.

[https://news.ycombinator.com/item?id=8823260](https://news.ycombinator.com/item?id=8823260)

Also from Matasano: cryptopals.com and microcorruption.com

Offensive security lectures:

[http://www.cs.fsu.edu/~redwood/OffensiveSecurity](http://www.cs.fsu.edu/~redwood/OffensiveSecurity)

Other resources:

[http://www.binary-auditing.com](http://www.binary-auditing.com)

[http://www.enigmagroup.org](http://www.enigmagroup.org)

[https://www.hackthissite.org](https://www.hackthissite.org)

[https://www.vulnhub.com](https://www.vulnhub.com)

"Cybersecurity" is vague. What domains are you mostly interested in? Crypto?
Network protocols? Applications {Web, Mobile, Desktop, Client/Server}?

~~~
jerematasno
As co-head of recruiting for Matasano/NCC US, I endorse this approach! Bear in
mind that we are pretty heavily focused on appsec, but of course for us appsec
includes kernel work, sandboxes, firmware, etc, as well as web, mobile, custom
protocols, desktop, client-server, etc.

~~~
abdelhadikhiati
Am I required to study all these to be considered for a job at Matasano? That
seems like a lot of things.

~~~
sarciszewski
I should probably have specified: I don't represent Matasano / NCC Group in
any way shape or form.

That said, I don't think you do. Your question is somewhat like asking if you
need to study every medical specialty to the bleeding edge of research to
become a general practitioner.

No, but any of them you master will definitely be a boon. :)

~~~
abdelhadikhiati
Thank you, actually I was addressing the one from Matasano who responded to
your comment. Your advice is very helpful sir, thanks again.

------
m0nastic
For years I've tried to figure out good advice to this question, but I've
never been able to successfully articulate it. Here's attempt++.

There are two things that would be helpful to know before providing advice, and
they might not be things that you even know the answer to yet; but it's worth
considering.

First, what are your reasons for being interested in security? Is it because
it's a good job market? Or because you think it sounds cool? Or, god forbid,
because you think of it as a higher calling? There's nothing inherently good
or bad about any of those three choices (except people who believe the third
one I find unbelievably tedious to be around), but it definitely affects what
advice I'd give. I'm going to assume it's the second one (based on the way you
worded your question).

Secondly, security is an ever-expanding field, and in particular, the domain
knowledge for each piece of it is starting to take up all available volume in
any person's individual skill-bag.

At the risk of somewhat oversimplifying, you can pretty much carve out a full
and successful career in infosec in any of the four fields: network security,
application security, incident response, general-purpose security
practitioner.

Each of those requires skills that are very different than the other 3, and
each can be a totally fulfilling choice to make (most of us have wound up in a
specific specialty and probably don't enjoy working in one of the other 3, but
don't let my or anyone else's distaste for one of them sway you).

Network security is what it sounds like. It's basically the people who do
penetration tests. At the bottom end of that field, it's the people who click
"run" on a Nessus scan. At the higher end, it's the people who come up with
interesting research around protocol vulnerabilities and exploits. Like any
field, the vast majority of people aren't at the high end. Without passing
judgement, Network security was the first piece of infosec to start to become
commoditized, thereby making it probably the least desirable from a financial
perspective. This isn't true at the high end, but then again, it's never true
at the high end.

It's probably where the majority of people start out, regardless of where they
end up. You can thank the mid-90's era of terrible system security and
compliance audit requirements for that.

Application security is probably the most applicable for people who have a
development background (although again, at the higher end of network security,
you are writing code, and exploiting other people's code). It started as a
field in pretty much the late 90's. My company saw the writing on the wall
that network security was going to become more and more commoditized and we
shifted our focus to application security. For most of my career, that has
predominantly been web application security. Other places do work on "native-
applications", embedded systems, etc. It really depends on the firm.
Application security has become more and more important as more and more of
people's lives have shifted to include doing things online. Again, not trying
to make a value judgement (although as someone who has worked mostly in
AppSec, I'm definitely biased), but it's where I would place my bets for at
least the foreseeable future, career-relevance-wise.

Incident Response has only really come into the limelight the past 5 or 6
years. It's been a thing since the 80's, but it was mostly ignored while
people tried to convince themselves that they could build secure systems that
would actually keep attackers out. The thinking around that has started to
change (although in some cases just as an excuse by security people to absolve
themselves of responsibility for doing a shitty job). Incident Response will
probably never go away, because it's sort of the existential reality of doing
business with machines that have to trust one another. Currently, it also
commands the highest premium money-wise (but those halcyon days won't last
forever).

Incident Response tends to attract the most "higher calling" people, so be
careful about that. People who enjoy it will try to sell it to you as being
"detective work", tracking down intruders, gathering evidence, and keeping
them out of your systems. People also describe tiny, rat-infested NYC
apartments as being "homey fixer-uppers".

Incident Response is usually the highest stress of any infosec job (although
that, like everything else I've said will vary from place to place). It's the
field most likely to wake you up at 3 am on a Friday morning and make you head
to the airport on no notice to go help someone whose network is currently
being lit on fire by undergrads at a research university for some foreign
country. Some people enjoy that pressure, and the reactive nature of the work
(you never know where you'll be going from day to day).

Lastly is "general-purpose security practitioner". This role is almost
exclusively someone who works in the security group at a company that has
nothing to do with security. You might think that it's a combination of all
the other roles (the Bards of infosec), and while that can be slightly true,
it's more the people who have to deal with all the non-technical parts of
security. Security within a company is mostly concerned with compliance,
audits, and policies. That's the stuff that the general-purpose security
practitioner works on. As part of that, they might occasionally run a Nessus
scan, or set up an application in WebInspect (or be woken up at 3am when an
incident occurs), but they will spend the majority of their day reading and
writing word documents, and having meetings with the marketing team trying to
get them to stop using Dropbox to send all their sensitive corporate documents
back and forth.

There's other variables too, like whether you work as a consultant, or work
for a security product company; but in general if you work in Infosec, you'll
be doing some combination of these four things. I haven't said anything about
cryptography, because really there's very little overlap between the crypto
industry and the infosec industry (to both of their detriment, I suspect).

I actually think anyone in Infosec would probably benefit from spending time
in all of those roles, not just to get a better sense for them, but also to
help challenge their assumptions. I also think security people can benefit
greatly from going between being a consultant (where you potentially help lots
of companies very little) and working internal to a company (where you
potentially help one company very much).

So my advice is figure out which of those things sounds the most interesting
and start down that path.

I don't really recommend doing CTFs unless you like doing CTFs (they have
almost nothing to do with anything you'd actually be doing in the field).

And don't get a CISSP unless you opt to work in the general-purpose security
practitioner field (even then, only do it if you have to). It's actually a
negative hiring signal at almost any place you'd actually want to work.

~~~
meowface
I work in security incident response and I can say this is all quite accurate.
Though usually the 3 AM call just involves a quick drive rather than a plane
trip, unless you work for an MSSP.

------
ramtatatam
Google for CISSP.

~~~
abdelhadikhiati
I know CISSP and I don't think studying for the certificate will give me the
skills needed to be a good security researcher.

~~~
ramtatatam
Possessing that certificate is an entry requirement for many security jobs.
But from what you are saying you have already conducted your research.

~~~
sarciszewski
I know many people in the security industry who are willing to waive the CISSP
requirement if you have a CVE on your resume.

~~~
ramtatatam
Oh, that sounds interesting, haven't come across it myself - thanks!

~~~
sarciszewski
They don't advertise this fact too much. CISSPs are a joke.

~~~
abdelhadikhiati
That was my thought too, I don't think CISSP has big weight in this industry.

