Hacker News new | past | comments | ask | show | jobs | submit login
So you want to get started in an Infosec Career? (cryptocity.net)
31 points by marcinw on June 7, 2010 | hide | past | favorite | 22 comments

The #1 thing I'd recommend to people going into InfoSec is a contant drive to learn things. For the HN crowd this is a given, for the non-HN crowd many people like to become experts in things and then be able to use that same expertise for years.

In InfoSec regulations are constantly being changed or updated if you're an auditor. If you focus on application security from a code perspective you'll constantly be learning new languages and frameworks. If you focus on network security new attack vectors will constantly appear and need to be mitigated based on new services, protocols, etc.

For the non-auditor roles you'll also really need to enjoy puzzles or figuring out the solution to a problem given a non-obvious set of complete information (think multi-variable calculus, you can figure out what X is but not without a lot of work).

I spent most of the past decade in the space. It is fun but it can be frustrating for the technology purist. Business isn't always interested in doing what is the "best security" -- they'll want to do a mix of compliance (which is the practice of security controls to meet regulations a business has to follow -- these may add no "real security" at all when implemented) and then enough security to minimize the risk; not often enough to really eliminate it.

Unfortunately, in 15+ years of application security, I've never been called on to bust out multi-variable calculus.

That was meant as an analogy. Hopefully you've had the opportunity to assemble a vulnerability from the interaction between multiple systems. I.e. a web form that allows an input of X which triggers a bug in application framework Y that allows you to exploit a permission rewrite in database Z.

Apart from the totally out-of-whack industry percentages (I think it's closer to 60% "other", the more I think about it), I think this is a really clearheaded and insightful post, which is unsurprising given that Dan Guido is hip deep in this industry.

For what it's worth, I found DDZ's Amazon list from this post and was motivated to write my own, which you can see at: http://amzn.to/cthr46

That reading list is a tall order, but still, a watered-down version of the "blackhat" curriculum.

Here is 'infosec' in a nutshell: love computers to death and become as good a developer and mathematician as the upper-division hackers working on core systems software, then give it all up to become a glorified human debugger, co-writing "papers" with bureaucrats and opportunistic, washedup, fear-mongering have-beens.

The training and experience required is just not commensurate with the glory that can be had elsewhere. Either in developing software, OR taking the other side of the infosec game ..

I'm curious. What part of the list is a tall order? I actually felt bad in the opposite direction; everybody in my field has read at least 3 of the top 4 there, and _The Practice..._, _...The Good Parts_, and _SQL for Dummies_ (only sort of a joke) are pretty basic.

_Windows Internals_ and _Internetworking with TCP/IP_ were, in a different form, on every Unix sysadmin's bookshelf in the 90s --- as "TCP/IP Illustrated" and "The Design And Implementation of the 4.4BSD Operating System" (both of which are also great books but are now very dated).

The only rough things on this list are _Network Algorithmics_, _Computational Structures_, and _Surreptitious Software_. None of them are required reading to get started.

I really wanted to add books on signal processing, RF, linear algebra, program trading, and compression, but I thought (a) it would sound self-aggrandizing and (b) there's no end to the domain-specific books I might inevitably end up adding.

You ignored the "watered down" and jumped on the "tall order".

For someone new to the industry (rather, 'scene') I think that booklist will take ~2 years just to grok. For an experienced hacker, specially one coming from systems programming, compiler hacking, binary analysis, emulation, or cryptography, specially one who spent his youth dipping into actual blackhat hacking and reversing, then the industry has absolutely no appeal. You can make more money writing an optimizer for an ARM processor for one phone model than you would working in the security industry.

My position is: security is not worth it, unless you're some government MCSE who ends up sent to seminars and conferences on Wireshark and IDA Pro. Infosec is churning out doe-eyed nobodies faster than Clown University. The people who actually matter, and make a difference, earned their stripes hacking out of their parents basement in their teens.

"I really wanted to add books on signal processing, RF, linear algebra, program trading, and compression, but I thought (a) it would sound self-aggrandizing and (b) there's no end to the domain-specific books I might inevitably end up adding."

You probably should add these anyway! I for one would find it useful.

...which I promptly added to the post. Thanks Tom!

Get started by doing.

I used to work in government. It seems like everyone got degrees that made them qualified to run around chasing people about passwords. IDA Pro? Buffer overflow? Out of the question. They collected a paycheck and that was it. Infuriating.

The people who could use IDA Pro and write buffer overflows weren't the people who cared about other people's passwords. They ARE there, but they're not out in the open by any means.

Edit: maybe more poignantly, those people you reference are 'Information Assurance' or 'IA' professionals (mostly with titles that reflect this, such as IAM or IAO.

IA is part of the CND section of CNO - the 'fun' stuff is in CNE/CNA.

For more: http://en.wikipedia.org/wiki/Computer_network_operations

I know there are more than several of us on Hacker News, who work in the field of information security and many ask who ask how we got started. Dan Guido created this guide for recent college graduates looking to break into information security as a career path. Before, Dan put together a class on penetration testing and vulnerability research, where some of the world's top leading researchers are guest lecturers.

Thanks Marcin!

There was also some discussion of this article on Reddit too. Readers might want to check out some of the comments there: http://www.reddit.com/r/netsec/comments/cc4ye/information_se...

Another way to get in (if you are attending a University) is getting a job as an assistant to an infosec professor. Depending on the school and the interest this might be the easiest way.

This is what I'm doing starting August and it is a lot easier then getting into the industry, since they are even worse in their prerequisites than the rest of the IT industry, at least in Switzerland (I saw one that said "20 to 22 years old, CISSC and 5 years of industry experience").

If you're at University, a far better way is to take an intership for a company that does security. We've had nothing but amazing luck with our interns. They're paid positions and they connect you directly to people who will be hiring when you get out of school. We're a consultancy, so in addition to hiring directly, we're also doing all of our clients a huge favor any time we can place someone for them.

Long story short: I might not waste my time with professors. Get out of the building and into the real world!

I have to say, using OWASP as a resource and then not including Aspect Security in "Friends of the Class" is a little rude (or an oversight).

Why is that? Virtually everyone in the entire industry is contributing to OWASP. Aspect doesn't own it. I'm pretty sure the reason Matasano is on the list is that Matasano's Stephen Ridley works with Dan on the class. Maybe Aspect just doesn't contribute to his class.

Since you go to NWU, you're in Chicago. You should come to Chicago OWASP. Matasano's Mike Tracy coordinates it.

(Backstory for the rest of you: Aspect "sponsors" OWASP in some manner --- I'm not clear on how --- and drama like this is why CitySec has a no sponsors rule.)

They don't own it, true, but they did start it and give it initial funding. If this only counts those who provide direct contribution to the class, that makes sense though.

Since you go to NWU, you're in Chicago. You should come to Chicago OWASP. Matasano's Mike Tracy coordinates it.

I definitely plan to--Shamiq has mentioned it in the past, I think. Full disclosure: the reason I mention it is because I was hired by Jeff Williams as a cross Aspect/OWASP intern my junior year of high school. I, obviously, take no credit for anything, but I do know that Jeff et al did put significant time and money into the project.

I think cutting press releases taking credit for each year's "OWASP Top Ten" is thanks enough for kickstarting a project that is now overwhelmingly driven by people outside of Aspect. I don't know anybody at Aspect, and I have nothing negative to say about their practice, which I am sure is as solid as anyone's, but again: this is why "sponsorship" is such a skeezy concept.

Basically, what tptacek said.

I don't know anyone from Aspect and they haven't contributed to the class in any way.

I'm well aware of OWASP contributions to web security, I'm actually a board member for the NY/NJ chapter (http://www.owasp.org/index.php/NYNJMetro). If I had a good reason to cite them in this instance, then I would.

Fair enough -- if you're only counting people who have directly assisted you with the class this also makes sense.

After finishing Cryptonomicon yesterday, this post was highly informational to someone excited about the field.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact