
Ask HN: How to become a Security Engineer - zrpk
Recently there were some discussions about the Breaker 101 course, as well as OffSec and SANS certifications.

But it looks to me like there is no clear path on how to become a security engineer.

So what is your recommendation? (from training/formation to actually finding a job in security)
======
rjprins
Certifications are nice, but they do not necessarily make someone a good IT
security specialist.

There is no clear path, but there are many facets to learn about:

* Web application security and popular attacks (such as [https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project))

* System and network security (learn to use BackTrack [http://www.backtrack-linux.org/](http://www.backtrack-linux.org/))

* Understand and learn how to use crypto: e.g. known crypto algorithms and what they are good for, learn how to apply disk crypto, learn how SSL works, know how you should do password hashing.

* Learn about phishing and social engineering

* Learn about malware, botnets, and zero-day exploits.

Learn about all of them but try to become an expert on just one of these
subjects by playing with tools. For example, set up a honey pot system to
capture malware. Then try to find the malware on it, and then try to reverse
engineer it.
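The "know how you should do password hashing" item above is the one on that list that is easiest to get concretely wrong. The following is an added example, not code from the post or from any of the projects it links: it puts an unsalted single-round SHA-256 hash (the weak pattern) next to a salted, iterated PBKDF2-HMAC-SHA256 hash with a constant-time comparison, using only the Python standard library. The storage format (`pbkdf2_sha256$iterations$salt$digest`) and the 600,000 iteration default are assumptions chosen for this example, not a standard.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak pattern, shown for contrast only: unsalted, single-round SHA-256.
# Equal passwords produce equal hashes, and a GPU can test billions per second.
def weak_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# Assumed defaults for this example; tune the iteration count to the time
# budget you can afford per login on your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO_TAG = "pbkdf2_sha256"


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: pbkdf2_sha256$iterations$salt_hex$digest_hex.

    Storing salt and iteration count beside the digest lets you verify old
    hashes after raising the iteration count later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO_TAG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO_TAG:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if a stored hash is below the current policy and should be
    recomputed at next successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO_TAG:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    h1 = hash_password("correct horse battery staple")
    h2 = hash_password("correct horse battery staple")
    print("weak hashes of equal passwords collide:", weak_hash("hunter2") == weak_hash("hunter2"))
    print("salted hashes of equal passwords differ:", h1 != h2)
    print("verify correct password:", verify_password("correct horse battery staple", h1))
    print("verify wrong password:", verify_password("Correct horse battery staple", h1))
    print("old hash needs rehash:", needs_rehash(hash_password("x", iterations=1000)))
```

The design point is that the hash string carries everything needed to verify it, so the iteration count can be raised over time and `needs_rehash` tells the login path when to upgrade a record; the salt defeats precomputed tables and the iteration count makes each guess expensive.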

------
whichdan
[http://www.matasano.com/articles/crypto-challenges/](http://www.matasano.com/articles/crypto-challenges/)

Complete the Matasano crypto challenges and hope they offer to interview you.

------
iends
I got a Masters degree in Computer Science and my research focused on software
security. I got a bunch of offers to go into security when I graduated. (I
decided I was more interested in building things than breaking them and chose
a software development role at a startup instead.)

I would suggest working towards CISSP depending on your formal education. If
you're interested in software security learn IDA Pro, start a blog, set up a
honeypot, start analyzing malware you collect, and write about it.

------
manzur
I would recommend this course from NYU:
[http://pentest.cryptocity.net/](http://pentest.cryptocity.net/)

It covers most modern aspects of software security.

------
uwot
The term security engineer is a wide generalisation.

Start participating in CTF (capture-the-flag).

Go to conferences: defcon, blackhat, shmoocon, derbycon. Talk to people.

Read phrack.org.

Learn about the old-school hacker culture.

Hack stuff.

------
rman666
I hate to say it, but certifications do play an important role in getting
HIRED as a security engineer.

~~~
rman666
My point being that you could start with getting some of the important
certifications (CISSP, Cisco, etc.).

------
smartwater
What have you tried so far? What were the results? Weighing any options
currently?

~~~
zrpk
So far I've only tried free stuff like OWASP WebGoat, and some online hacking
challenges (hackthissite, hellbound hackers, ...).

I also took a couple of CS security classes in school but they were not really
"hands-on".

------
andyzweb
"Security is a state of mind." (NSA security manual)

