
What I Wish I Knew Before Studying Computer Security in College - cddotdotslash
http://blog.matthewdfuller.com/2013/09/what-i-wish-i-knew-before-studying.html
======
mhartl
Another thing to know is that _computer science_ != _computer programming_. In
some cases, students can get through four years without becoming _really_
proficient in any one language, and can largely escape things like version
control systems. It's probably going to be up to you to learn those things on
your own.

~~~
buyx
And when computer science academics try to do programming, they often get it
wrong. Having been academically successful during my undergraduate degree, but
sidetracked by my career, I was recently looking at a prospectus for a one
year post-graduate (honours) degree from a South African university, and,
although their coursework seemed appealing, they have a _strictly_ waterfall-
based year project. They go to some lengths to justify their position
(presumably they have been challenged on this) by claiming it conforms to a
British Computer Society model. I doubt many programmers who have done real-
world programming give a rat's ass about methodology prescriptions by the
British Computer Society, but those who pursue the degree grit their teeth and
bear it, or are put off, and don't bother pursuing it. I fall into the latter
group. If many more prospective students with real-world experience share my
opinion, all it does is isolate the academics and prevents them from learning
more about the real world.

~~~
kabouseng
University coursework always lags industry best practices, so this isn't
really surprising. Furthermore, the South African industry requiring degreed
software engineers almost all still follow a strictly waterfall process, being
mostly the defence industry following DO-178 processes. Other firms not in
defence also mostly have fixed features / cost contracts they are developing
for, which fits the waterfall model of development.

~~~
buyx
_Furthermore, the South African industry requiring degreed software
engineers almost all still follow a strictly waterfall process, being mostly
the defence industry following DO-178 processes_

Interesting, I know one programmer who worked in the SA defence industry, and
was later retrenched, but that's just anecdotal. Do you have a source for this
assertion?

_Other firms not in defence also mostly have fixed features / cost contracts
they are developing for, which fits the waterfall model of development._

I have to disagree with this, but since the "waterfall"-versus-agile debate
has been done to death before, I won't rehash it here.

_University coursework always lags industry best practices, so this isn't
really surprising._

This is an honours degree from a brick-and-mortar university, so the
curriculum lag argument is a bit weak. I understand that an undergraduate
degree being taught to hundreds of students may take some time to be updated,
but at post-graduate level, I would expect a bit less dogmatism. Come to think
of it, during my undergraduate studies, about 10 years ago we learned about
agile methodologies and iterative development.

~~~
kabouseng
No, I have no source, only my own experiences. I have a couple of friends /
colleagues / class mates working in various sectors of the industry. Saab,
Denel, Armscor represent my comments on the DO-178 work. Saab actually
implements scrum, but from my understanding it is more like scrum bolted on to
waterfall :D. I have also been in a couple of interviews lately, specifically
at ATE / Paragon, C-Track, Grintek and RapidM. All basically have the same
Waterfall methodology.

Now I was careful to state that it is the case with businesses requiring
degreed engineers. Web development shops in SA probably follow a more agile
approach; the only one I know of, Entelect for instance, is fully agile as far
as I can tell, but I don't really know anybody there.

It could also be that only my network and I are experiencing this; it is all
anecdotal, but then again, I doubt there is some kind of study that can give
you a better picture.

I am based in Centurion in case you were wondering.

Also, it's not about whether Waterfall / Agile is best; it's because the contracts
are generally set up with fixed deliverables, which suits waterfall best.

Lastly even with honours degrees the curriculum is set, and the professors
aren't too keen on changing it too often.

------
temuze
I think learning Computer Security without learning some programming and
systems is like majoring in mechanical engineering while trying to avoid
physics - it's hard to get a deep level of understanding and you rely on
generalizations and abstractions.

How can you truly understand a buffer overflow attack without having some
knowledge about pointers? Kudos to taking the time to try to understand as
much as you can about your field.

~~~
meowface
Completely agreed.

You can't expect to be competent at information security / computer security
without being at least decent at programming. There are many different kinds
of concentrations, like application security (which could be native code or
web apps or both), network security/defense, penetration testing, forensics,
etc.

Programming can play a big role in all of those, though. Everyone should have
a good fundamental understanding of assembly and C, good knowledge of at least
one scripting language, and an ability to write and test web applications.
Else you're either doing some really specialized work, or more likely, you're
a beginner and/or incompetent.

------
szc
As a, possibly self-proclaimed, security expert I'm not particularly impressed
with the blog posting. Why? The premise is that Computer Security is a
pinnacle and now the protagonist is looking back; it looks a bit lame and has
a feeling of being duped!

In the posting you could probably replace "Computer Security" with any other
vocationally targeted course. So let's pick "Competitive Baking". Baking is
hard (seriously, try it yourself), you need to achieve consistency, be
meticulous with picking the ingredients and develop a reliable process. Nobody
is just going to give you the recipe so you can say "I'm the best" (apologies
to Peach).

Specialized, "getting you ready for the industry" courses developed and taught
by an academic isn't going to make anyone satisfied or achieve excellence. The
academic probably hasn't worked in the industry (in the USA they've probably
spent lots of their time trying to get tenure) and, when developing the
course, was just projecting what they thought a "real job" would entail. Most
academics will not have the experience to do that. This is alluded to in the
blog entry (point 2.) where programming was required for an internship. The
tone suggests that this was a "surprise".

In the real, non "Ivory Tower" world of computer security, programming is
required. Computer security requires creating new or changing existing
programs.

If you are just coming out of college, hiring managers are looking for what
you can do in the _future_. Experience is something someone can bring to the
table NOW, college grads are unlikely to have that experience. So, if you have
a broad and comprehensive understanding of the fundamentals; all the hard
theoretical computer science things, you will have an outstanding base from
which to build on.

The other path to a job is by savants who get their skills by doing (and
demonstrating) and figuring it out themselves. Savants are rare.

In the end, it is all about what you add to the frosting on the cake. (see
baking above. The cake is not a lie).

------
klt0825
2 is particularly relevant and more than solid grasp of CS is required
depending on what you choose to do within the field. Malware Analysis for
example can require understanding data structures, calling conventions, x86,
compiler internals, etc.

Security is actually one of the few fields where I think you see a really
interesting mix of theoretical and applied CS. Things like complexity theory,
formal program analysis, etc pop up quite often.

------
tsumnia
The biggest suggestion I can give to students in CS is to find a focus (like
this link was Security). Without that, after graduating with your Bachelor's
degree, you won't have a specific interest. If it's academic and you're really
interested in neural networks, awesome, latch onto a professor with that focus
and never let go; if it's more outside the box like audio manipulation (as one
of my colleagues did), go crazy and join a community with that focus.

I personally went for my Master's degree because I really didn't feel like I'd
found a purpose to my CS degree. I KNEW programming, but had nothing driving
me. After grad school and a startup, I now know my interests are embedded
systems and image manipulation.

~~~
jmspring
I'd just add take a few classes outside your chosen field (and required
courses) in an area of secondary interest. You get acquainted with different
people, get a different perspective, etc.

My main undergrad was actually originally BioChem, which I flipped over to
straight Chemistry and added Computer Engineering because it was easy. I never
worked in the Chemistry field. I threw in Lit and Politics classes (upper
div/grad level) just to meet and discuss different topics with different
groups of people.

All too often, if you pick an impacted degree, need to take lots of the same
classes with the same people, and are spending all your time on that subject,
you will miss out.

~~~
tsumnia
I almost suggest having a different interest and taking CS courses to
complement it. CS is generic enough that without something else that you can
use it on, it seems pretty bland.

------
kabisote
> The rate at which technology is changing is absolutely insane.

By the time you graduate, most of the things you learned are obsolete. My
advice is to grok the fundamentals, the concepts that don't change. Then
absolutely learn to use Google.

~~~
droidist2
I hear this a lot, but it seems like the most commonly used languages are all
around 20 years old (with C, C++ being even older).

I suppose if you went to college in the mid-90s this may be true since you
would have seen the invention of Java, JavaScript, and Ruby.

~~~
kabisote
I can't see why seeing the invention of a language is significant in this
respect. Schools are worse at keeping up their curricula with new technology
(at least where I live), so if a language were invented while you're in
college, I don't think that language will be taught while you're there.

I went to college in the late 90s through early 2000 and we were taught
(introduced would be more accurate) Pascal, C++ and Visual Basic. When I
graduated, the language in demand was PHP.

~~~
droidist2
I think in the late 90s / early 2000s the big language to teach in university
was Java, which is still basically true today.

As to the invention of a language being relevant, it's only relevant depending
on how you define a previous language as being "obsolete." I was trying to
play devil's advocate with my own point, and concede there may have been times
in history when a lot was made obsolete during a 4 year period. The industry
isn't really any swifter than academia though, which is why we still use 20
year old languages.

------
dr_doom
How can a working developer transition to security? Just apply to 'security'
jobs?

I've been reading a lot and managed to complete a couple of those exploitation
wargames and hack some web apps but am in a completely different domain.

~~~
m0nastic
It really depends on what type of security you want to be involved with. If
you're interested in appsec (which I think is infinitely more interesting than
network security, but obviously, others' opinions will differ), then web
security is a good place to start.

I've spent the bulk of my career doing application security work, so I have
less advice to give about other aspects of infosec (which like the article
says, really is a large field).

But (and this is fairly generic advice, received from a disembodied pseudonym
on the internet) you can do a lot worse than just picking up a copy of the Web
Application Hacker's Handbook, downloading the free version of Burp Suite, setting
up a VM and installing some old versions of popular CMSs (or bulletin boards).

EDIT: Here's an old comment by tptacek that recommends something similar for
starting out (so at least two people recommend this):
[http://news.ycombinator.com/item?id=5266939](http://news.ycombinator.com/item?id=5266939)

I don't find a lot of value in CTFs (again, other people obviously feel
differently), and I disagree with the other person who recommended you go to
Blackhat.

Security conferences can be great, but I wouldn't go to Blackhat as your first
(I actually wouldn't go to Blackhat unless your work was sending you, or
you're speaking there). You can't throw a rock without hitting ten security
conferences nowadays, so I'd start with ones more local to you (which will
have the added benefit of having attendees who are also more likely to be
local to you).

Based on your HN profile, it looks like you might live in Austin? If so, there
are plenty of companies hiring security folks (actually, almost everywhere
there is a crazy unmeetable demand for security professionals).

If you're a developer, you've already got an advantage over 95% of the people
working in Infosec. That sounds like an exaggeration, but people seem to have
a hard time understanding the disconnect from the relatively small "hacker"
community and the much much larger corporate world where "senior pen testers"
don't know how to do anything above and beyond kicking off a network scan.

I'd like to think that the appsec world is a little more advanced, but I think
that's just me rationalizing. The bulk of people doing corporate appsec work
(by which I mean consulting) are just running WebInspect (or something
equivalent). That's why if you spend any time in the infosec community, you'll
hear countless tales about how difficult it is to hire good people.

If you have any specific questions, or just want any advice, feel free to
email me (my email is in my HN profile).

------
tomfakes
#5 will never go out of fashion. Lots of technology changes quickly, but being
able to communicate with your peers and stakeholders (the people writing the
checks) is a key skill that you will use for the rest of your life.

------
chm
"While coursework is certainly important, there is so much more to experience
in college than just going to class and returning home. Take advantage of the
discounts and offers you get as a college student (including many security
conferences). You have just about four years to shape the rest of your life;
remember to shape it evenly."

I've just finished my B. Sc. and I wish I had understood this before. I wasn't
a straight-A student, but I definitely could have spent more time
socializing.

------
rdl
The idea of a "computer security undergrad degree" is pretty silly; I'd expect
it of a 2-year for-profit school like DeVry or maybe University of Phoenix,
not a real 4-year school.

It's great to have some courses in various parts of computer security, but
being a good _developer_ is a better entrée into appsec, and being a good CSE
and thus going into networking (ideally, through a combination of vendor
training and hands-on; it's more an ops thing than a pure architecture thing)
is a better way into netsec. EE for hardware security, etc.

I don't actually know of any non-crappy schools with a "security degree".

~~~
bluedino
I was wondering what a 'degree in computer networking' consisted of. Entry
level Cisco and Microsoft certs and then sending you on your way?

------
vacri
On #6, I remember doing an evening 'sysadmin' course many years ago with some
friends. The class notes were for the previous major release of BSD to the
one we were using, and the instructor was useless. When asked about a problem,
he'd just stand there going 'hrm' until you figured it out.

The three of us learned more from trying to follow the class notes and
figuring out our way past the breakages than from the actual structure of the
class itself.

~~~
wolfgke
> The class notes were for the previous major release of BSD to the one we
> were using

The fundamentals should barely change from version to version (indeed: many
command line tools under UNIX are decades old - which - of course - does not
mean that they are bad). So if you learn them with the previous version, it
should be really easy to get the small differences to the current version.

------
adamnemecek
I can't really imagine anyone actually believing #2.

~~~
phaus
I can't imagine the existence of a security professional who hasn't already
met someone who does.

They are out there, and it's nearly impossible to get them to understand why
they remain in entry-level positions for so long.

~~~
andrewflnr
They don't get that to break programs, you have to know how to make them?
While I'm here, what do you do in an "entry-level security" position that
isn't programming, anyway? Firewall configuration?

~~~
phaus
As the article stated, the field of security is huge. According to NIST, there
are over 40 sub-specialties.

The example that immediately springs to mind is a low-level CND position.
Sure, the ability to program would make you a better CND analyst, but we have
already agreed on that.

And they don't understand, no matter how many times they are told, that you
have to know how an attack is executed in order to defend against it.

------
aet
#12 Don't hook your computers to the internet.

------
bayesianhorse
I am taking the computer security classes from coursera, which are pretty
interesting and well taught. Strikingly however, almost all of the people
visible in the videos have a really high BMI and seem more stressed than I
would expect. I wonder if computer security is one of those fields with
extremely high stress levels...

~~~
droidist2
"An intruder only has to find one way in, you have to find all the ways in."

~~~
bayesianhorse
Yes, but he's not going to break into your office and knock you out...

I guess the social interactions and the emotions about being attacked
contribute to a higher than average stress level. The emotions will be
heightened by stakeholders in your organization who look and behave a lot more
likely to knock you out or do some other harm to you.

------
maxander
I'm pretty sure that all of these points still apply if you substitute
"computer security" with any other sub-field of computer science.

In particular, internships! I've learned the hard way that these are very
important. Don't plan on having summer vacations free to do things, that's a
thing of the past.

------
drakaal
I know what I wish I had known before taking my first CS Class.

The real money is in Management, and the girls are cuter in the business
classes. (Please don't flame me I know there are plenty of cute girls in CS,
there were 3 girls in my class of 600. So they were there but they were too
far away to tell if they were cute)

~~~
eugeneross
3 out of 600? Damn. Slim pickings, aye?

~~~
selmnoo
In my computer engineering class of 250 students, there was only one girl (the
class of one year prior had 0 girls) - and this was after aggressive
affirmative action programs to attract more girls.

Honestly I just felt sorry for the poor gal, she always seemed very
embarrassed being the only girl in the class, as if she made the wrong choice
by being there or something.

It often made me wonder, should school administration be actively thinking of
the social dynamics that play out with this kind of imbalance? You're going to
have a few frustrated boys in a situation like this... and a few exhausted
gals (they have to say 'no' often). What do you do, if you're in that hot
seat. Do you worry about these things, or do you keep trying to admit new
students purely on a merit basis?

~~~
onedev
I agree it's a very tough situation for everyone involved, and there seems to
be no good short term solution to this issue. The only thing that can be done
is to create long term interest in Computer Science among girls and to support
the decision of those girls who've already decided to try CS.

What's interesting at my school is that there are more girls even in
Electrical Engineering than in CS.

So this means that CS truly has the most messed up girl/guy ratio probably out
of ANY major at my school (it's a huge state school too)

As a guy it's frustrating because it creates a barrier to easily meeting girls
in your major, an advantage that many other people have. I can rarely work on
my school assignments with girls, or talk about common classes with girls, or
anything similar to that kind of interaction that should exist within each
major.

Sure, I'll make 6 figures guaranteed when I graduate, but at what cost? I
really do love what I do though so the passion for that encompasses all. Yet
at the same time it'd be foolish to ignore issues like this and pretend
they're not a problem, because they definitely are.

~~~
yareally
Though we're getting pretty meta from the main topic, I think part of the
problem is parents that don't encourage their daughters to go into hard
sciences and engineering more. Until parents abandon some of the long held
stereotypes of roles and jobs that boys and girls should have when they grow
up (as well as the type of toys they should play with), it's going to be a
struggle to find more of a balance in many of the hard science degree programs
and careers.

Computer Science and Computer Engineering sadly end up being viewed in the
same light for boys as Nursing is for girls. That is, there is a long standing
cultural notion in the United States that girls are supposed to be nurses and
boys are not, despite how silly that all seems. It's even more perplexing,
since many of the early computer scientists were women, just as many of the
nurses starting in the 19th century were founders of their modern profession
(with the Crimean War and the American Civil War).

Institutions may try to shape and encourage change, but it comes down to the
parents understanding that roles and jobs should be independent of one's
gender and reinforcing that notion in their children. Especially in the United
States where parents play a large role in the intended degree of their
children because they are generally expected to help pay for part of the
tuition. A school may suggest a degree for a student, but in the end, a parent
may be the larger factor in a student's degree choice.

~~~
Apocryphon
That's not entirely true, as there are plenty of women in the life sciences
(unless we were to spark an internecine war within STEM by claiming that bio
and medicine aren't the hard sciences). Anecdata seems to show that there are
also more women in physics, math, and other engineering such as civil or even
mechanical and electrical than there are in CS.

One possible cause may be the traditional nerd stigma that afflicts CS. In
recent years it's broadened up, though ironically now there's a small fratty
brogrammer subculture in CS. (Though not in academia, I feel, but in the
startup industry that follows.)

~~~
yareally
I know there's more, but the numbers are still far from even in many hard
science & engineering degrees. I started out in Civil Engineering and even
there, the ratio of guys to girls was scarcely better than when I transferred
to Computer Science (this was in the few degree specific courses I took as
well).

I do consider Bio and Medicine to be hard sciences, and you are correct that the
gender imbalance is significantly less than in some other science fields.
However, it seems to be more acceptable in American culture for parents to
accept their daughters going into those types of degrees perhaps due to the
relation to traditional career paths women have gone into (such as nursing).
If that's true, it's rather sad and hopefully such preconceived notions die
out in the near future.

I'm curious though as to how many female students end up going into Computer
Science or Engineering because a family member or parent was in one of those
fields. I have a few female friends either pursuing or having obtained a degree
in Computer Science, and each had at least one parent that was in a related
field.

