There are a couple of exceptions, of course. OSCP is a good certificate to have. To pass the exam, you are required to not only demonstrate proficiency in several areas (i.e. SQL injection, buffer overflows), but you must also write and submit a technical report to a review team. The technical report must address vulnerability overview, impact, risk rating, reproduction steps, and more. Of course the exam isn't perfect, but it's probably the biggest test of real technical understanding and ability I've ever seen.
As much as I admire people who show the courtesy to the trash bin that will eat their report, before any human reads it, of not feeding it "bad" reports: the OP's point of a "sense of false security" unfortunately already sets in once someone is hired to "take care of security". This anecdote from about 2000 illustrates that:
A friend was hired to do black box penetration testing on the DMZ and internal network of one of the largest travel agencies in Europe. He, of course, found a lot of problems. He wrote a nice report. Like really nice. Point for point: "this is your problem, this is what you have to do right now and this is a user-friendly policy you could implement to prevent such issues in the future." It was very pleasant to read; he knows how to handle language. And somewhere on page hundred-something: "the first one to claim it will get a bottle of champagne!"
The bottle was claimed a few months later by someone 3 levels above his position. By some high-level manager who did not know anything about IT. But he was the only one to read it (and he only claimed the bottle to figure out whether anyone below him had actually read the report). Two years later company politics allowed those 2 illiterates between my friend and the one manager who could read to be removed from the company. My friend was hired as their chief of security. His first task: work through his own report to fix the 90% that had not been fixed since he wrote it 2.5 years before (the report listed passwords to core routers in plain text as examples for "very stupid passwords" - they all still worked).
It didn't help my perception of the report when it screamed that "ICMP echo was enabled and nefarious scalawags might be able to do unspeakable acts against our computers, best cut the network cable" type of advice (yes, I know port 443 is open! WE'RE A WEB HOSTING COMPANY SERVING UP COMMERCIAL WEBSITES! ARE YOU PCI AUDITORS STUPID?)
Okay, the ICMP echo thing was reported, but did not need to be disabled to pass the audit. If so, why even bring it up?
I personally organized my report into three sections, which seemed to work well. Clients seemed to enjoy the formatting:
1. Executive - Summarize everything in one page at a high level. You could skim it fast if you chose to. Highlight potential negative business impact of each finding.
2. Management - A little more detailed. 2-3 pages max. Most severe findings at the top and recommended action for remediation.
3. Narrative - This is the bulk 80-90% of the report detailing your step by step process including screenshots so that if someone wanted to duplicate your findings they could.
This was for using Citrix boxes to provide SaaS to a client.
Break it down to a 4th grade level, if you can't, you likely don't understand it yourself.
I would agree that in general certs have too much weight, but the reality of it is, as it stands, they're the closest bridge / standardization that the market has built for non-Security ilk.
Also, Security is not IT. That's another thing that needs to change.
As for OSCP, I think it's great and out of all the certs I've taken for various reasons, it's the only one I felt challenged with, in a good way.
Do you mean that
Security is not currently IT and it should be
Security is considered to be IT and it shouldn't be
Security should have an advisory role to the corporate governance folks who maintain policy... usually the lawyers.
Equally importantly: memory corruption exploit development and SQL injection are different skills, and most people who do SQL injection don't need proficiency in "buffer overflows". Why is superficial coverage of "buffer overflows" part of the rubric for that certificate? I don't know, and I don't know that anyone else does either.
Is there a single coherent security certificate anywhere in the industry? I'm interested in examples.
I don't think Offensive Security is trying to pump out exploitation experts from their entry level cert program. Maybe the higher levels OSCE and OSEE. The intro cert emphasizes breadth over depth. It felt a lot like a cert built around the Exploitation Hackers Handbook.
I think you're thinking of the certs in the wrong light. They are meant to validate baseline knowledge and proficiency, not mastery. If you want to validate mastery you need to look at the person's personal record and work product.
Total tangent but, I am absolutely grossed out by "cyber" winning out in the name game. Who let the DoD drive that? Damnit!
It's the only one I ever thought might be valuable since it combines specific knowledge with some pentest against real systems. Curious what you think as you're more qualified to assess such a thing given all your security evaluations and hiring those people.
The leet kids, a minority few and the rest naïve, I would bribe while they whittled away at online CTFs and MicroCorruption and irritate them with mediocre questions until they tuned me out. I did not care for tools; approach and mindset are orders of magnitude harder to explain.
I thought you could be a wakeup call had you told them all the certs per se is a waste in a program that pushed that nonsense. I talk trash of my certs and skills the whole time and they did not get why.
I know you're busy, but I've read your blog and you're preaching to the choir. Starfighter folded, but I would pay for you to test me as a customer and find a mentor to answer my stupid questions that I would pay handsomely for the privilege. I feel I'm not the only one, if you get tired of NCC, that would be amazing!
A well written report that speaks at the right level to its audiences will generate more proactive security activity than a terse, passive voice bomb of dense technical information.
Edit: And, in contrast, I've met people who I had a hard time communicating with in spoken English but had no problems with once we did our communications in writing or with a written point of reference.
I vehemently disagreed, pointing out that those of us with meaningful degrees from well regarded programs shouldn't have to get one, but in the end I complied to keep the peace.
Have to say I enjoyed it at the time and even learned a thing or two. I wasn't exactly new to offensive work, but was nice to get things sharpened up and familiar with a few different approaches. I remember being a bit worked up about the final challenge at the end of it that I took the day off work, but iirc I was able to finish in just a couple hours. It wasn't the most cutting edge content at the time, but it was well organized and ensured that the person being certified could demonstrate some level of practical application and that is far better than most certifications of any sort.
Of course you're right that it's not impossible. But here's why it happens anyway and why the heuristic of them being roughly mutually exclusive is not insane:
1. There's a certification that's nearly meaningless because it's so easy to obtain without also having the relevant expertise that the certificate is supposed to represent.
2. People who are actually good at the thing will notice the certificate doesn't measure the skill correctly, and will also note that there are people in the world with this certificate who don't know the skill.
3. Those experts will not use the certificate when they hire people, and will not get the certificate since it doesn't work and no one who is an expert is using it to hire anyway.
4. Meanwhile, there are basically only two groups that care about the certification:
   a. People who are clueless: a clueless hiring manager who doesn't understand the domain they are hiring for so they are looking for cheap proxies for skill and experience. Clueless wannabe professionals who don't understand the domain or the industry enough to have been in the expert group above but who are still looking for jobs in the field. Clueless clients who are impressed by the certification because they don't know any better.
   b. The people who are taking advantage of the clueless clients: Professionals and hiring managers who know very well that the certification is worthless, but who use it for sales and marketing anyway because it mollifies clueless clients.
If that trend holds, then you have a signal (the certification) that repels experts, while attracting the clueless and those who would exploit them.
So when you find someone in the world with that certification, you should expect on average for them to be clueless or preying on the clueless. That's why treating it as mutually exclusive isn't insane heuristically, even though it's not impossible that someone who is good also has a certification.
Your HR department needs avenues to sift through referrals and comparison points. If an individual has the certificate and compares equally with a non-certificate candidate, the first individual has signaled, through the certificate, that he is interested in the field, as well as willing to invest time and resources into advancing in that field. This is the flipside of the employee signalling.
If an applicant applies without the certificate to a post which requires it, he will recognize his cover letter/interview should make a point of demonstrating competence in the area of the certificate. This is an instance of employer signalling.
If an applicant fakes having acquired the certificate and there is an easy way to determine whether or not he is faking, then HR now has an easy sieve for removing employees willing to misrepresent their skills to obtain the job. This is a step in the HR QA process.
Some employers work outside the 'work for hire' states. If they contain a certificate requirement in a job posting with enumerated skills, they can point to ineptitude in the certificate skillset as reasons for dismissal depending on the jurisdiction they're in. This is a tool in legal's toolbox.
Perhaps the certificate system is the result of the collaboration of a number of employers attempting to pool credential and training requirements for an industry, then create requirements for credentialing into legislation to control the industry pipeline of workers. This is a method of signalling to legislators or restricting competitors by indirect means.
And so on.
Additionally, your fact pattern has a small problem: experts acting as hiring managers who have knowledge of the problems with the certificate are free to adjust their screening procedure to obtain more fully vetted candidates. The only time avoiding the certificate entirely is when the signal it provides is negative.
This doesn't mean that certs are useful, merely that they might be useful to stakeholders you aren't considering.
> The only time avoiding the certificate entirely is when the signal it provides is negative.
And further, I think all your examples are perfectly valid, real-world examples that I don't dispute exist and that lots of people find important. I also think perfectly good and reasonable people operate in the reality of their industries and play ball with these things when necessary. AND I think all the use cases you mentioned are bad for the system overall. As in, they are real, and in a practical sense we can't just ignore them, but ideally we wouldn't have them.
HR using negative signals for filtering is bad. Job requirements tailored to the actual job are good. Broad and mostly arbitrary requirements from a third party are bad. Applicants to a well specified job also know to address weaknesses in their cover letter. Specific and well-specified requirements are also useful in legal disputes. Using arbitrary requirements to provide legal for firing people is bad. Employers colluding to control the training pipeline using arbitrary requirements encoded in law is bad.
I agree with you that they are useful in the real world, but I'm arguing that that usefulness is evidence that the system is worse than it could be.
The real root of the issue here is that HR can't do their job. An unintended side effect of all this signalling is that future employees will be glad to get filtered out because they don't want to work somewhere that hired on certification instead of competence.
It is possible for the same action to send a positive signal when done by some people and a negative signal when done by others. Specifically there can be 'countersignaling', which is basically signaling that you don't need to signal.
Plus there's the financial outlay of it; costs to obtain the course material and sit the exam.
These points (including yours) basically amount to my bias against obtaining certificates.
I'm not against the material itself, if it's useful. But I'm not in the habit of paying for or spending time on education for anything other than the value of my interest in the material. A piece of obsolete paper does nothing for me at this point in my career.
It is no surprise that experts hiring experts in any field couldn't care less about certifications (aside from ones required by regulation). At the expert level, you hire real, verifiable experience.
You're pointing out things that are generally considered to be failures in our sphere anyway. I don't think that's unrelated.
HR brings us terrible candidates? Certs (currently) don't help that, and when HR over emphasizes them, we can blame the certs. (In theory, certs COULD help, but the people that get the cert instead of the experience are the problem ones, and those are the people HR brings us)
Contracts are an attempt to preset agreements between two parties, and in the tech world usually one of those parties is at a disadvantage in the tech space (otherwise we'd not be making the contract). Certs are used as a means of asserting competence in the employees, but the other party has every incentive to focus on the cert instead of the competence. So when it goes bad (as it often does), we can blame the certs as not achieving the goal.
Audits are likewise, trying to filter for competence (in action or in people, depending). But again, if the incentive is for the cert over the competence, it is the competence that suffers. We blame the cert (or more correctly, the emphasis on the cert).
IT definitely has a bias against certs. And it's not really against the certs themselves...it's that emphasis of the certs is harmful, not helpful. So we argue against that emphasis, which sounds a lot like hating the certs.
> The problem most IT people have is thinking that certs address technical issues, when in fact they address business issues.
But those business issues are "how do we ensure the technical issues are addressed?" And it turns out Certs in practice do a terrible job at that.
I leave my certifications off my resume now, unless the job posting asks for certifications, which makes it frustrating trying to decide if adding this cert to my resume will help or hurt me in the interview.
Answer a multiple choice test for an MCSE or whatever? Doesn't prove much.
Receive a server that's been wrecked and won't boot, turn it into a load balancing HTTPS server, SMTP server, a bunch of required cron jobs and a boat load more requirements for RHCE? Proves you can do those things.
Disclaimer: used to work at Red Hat. Still love their stuff. Cisco has task-based tests too.
Well I got booted out of the test because I hit Ctrl-C to copy something for the first warning, and hit Ctrl-L (muscle memory) for the final revocation of the test.
I just thought to myself ... did I just fail an assessment test because I hit Ctrl-L?
The test gets reset and allows me to start back up, only it took 20 minutes off the allotted time for some reason. I didn't even get to the last question on the test.
The results showed me scoring in the 96th percentile. So I basically threw 3 questions away on this test and still scored that high. And I skipped one question because it was asking about building/creating msi files on a C#/ASP.Net/MVC assessment. I have no idea why it was there, but I don't regularly build msi executables (although I regularly automate them).
And the worst part is that a lot of the questions were inane things like "given this inheritance hierarchy, Sally adds the new keyword in front of one of the child methods, and then this other code uses this inheritance hierarchy. What is the output?".
At no point do I feel like anything on that assessment came even close to assessing my ability as a senior technical person. These were things a college student could have answered just as accurately.
I know it's not quite the same thing as a certification, but I seriously dislike assessment tests. Unfortunately it seems like every company has their games you have to play in order to actually get TO the technical folks.
For me the answer is better certifications.
From a certain point of view you are right -- an IT manager should cooperate with other facets of the business in order to help the organization succeed, not obstruct because he thinks their requirements are dumb. But from a larger point of view, either organizational or super-organizational, dumb requirements shouldn't exist. To the extent that they do CEOs, industry groups, and/or governments should be modifying them to keep them relevant.
There's no reason someone can't have both skills and certifications
I now do not include this cert on my CV for (perhaps irrational) fear that someone in some HR department may think "Oh, no! This guy is a hacker!" Sadly, the word has a negative connotation, because the words "cracker" or "bad actor" never bubbled up past the IT security world.
I also do not include my military service dates, as they reliably peg my age. Most men join at 17 or 18, so they would immediately know my age.
I'm debating whether to include any certifications at all, just include my degree.
I'm definitely not trying to defend the CISSP/CEH style certs here but I don't see how you reliably expand the industry at scale without some form of certification process.
A company hiring its first security person, or a company trying to hire a lot of security people, needs some form of base benchmark to work from, just like with most other professions (e.g. law, accountancy, architecture etc.)
Having worked in IT security for many years, I can attest to the fact that IT security is more of a subjective set of processes rather than a specific product or set of products.
There are skills involved as far as tools and knowledge of how to use tools, but these change depending on the use case.
I've been in IT/Infosec for 17 years now. I have certs that I literally maintain as a HR/sales checkbox (e.g. CISSP) and certs that make me think every time I need to refresh them (e.g. CREST CCT). It's possible to have good IT sec. certs.
For example, certified accountants, lawyers, etc.
Without some common baseline, how do people looking to hire security types who don't have the experience to assess their skills and knowledge avoid getting bad people?
Also, the article's argument that "it's experience that counts" really doesn't help get new people into the industry. Where do they get the experience in the first place? It's a catch-22.
So would I be right in thinking you don't think that any of the Offsec certs (OSCP/OSCE), CREST certs (CCT etc.) or SANS certs are useful?
Also, and I'd be genuinely interested to hear your thoughts here, why do you think that IT/Info Sec will take a different path than other professions (medicine, law, accountancy, engineering etc) which fairly universally have evolved into a certified professional model?
Those professions have rules, and are backed by either legislation or science. All participants are bound by said rules. For a lawyer, certain things are legal, certain things are not.
Security is a game where the whole objective is to either break the rules (and often the law) or to defend against someone who is.
How are you going to tell me that person A is qualified for the job based on his exam results, and person B is not, when person B got a root shell on your server and stole your data?
It's like the 1989 draft when the Giants tried to make Deion Sanders write an exam to see if he was qualified to play in the NFL.
"They sat me down and gave me a thick book," Sanders recalled. "I mean, this thing was thicker than a phone book. I said, 'What's this?' They said, 'This is our test that we give all the players.' I said, 'Excuse me, what pick do you have in the draft?' They said, I think, 10th [actually 18th]. I said, 'I'll be gone before then. I'll see y'all later. I ain't got time for this.' That's a true story."
But that's not the reality for most companies; they're not trying to hire the absolute brightest and best, realistically not everyone can. They're looking for some measurable indications that a candidate has a baseline level of knowledge in a given field.
Now I feel that a good certification can be part of that. So a valuable activity for the industry is to try and create better certifications to help companies who aren't in a position to judge for themselves whether someone is great at something or not, that there's a level of knowledge and understanding there.
If current certifications are poor, then it should be possible to articulate why they are poor, and describe what would make them better.
My references to other professions were designed to reference the fact that those professions have had to face similar issues as they've grown and in science, engineering, law, medicine, accountancy, etc etc they've pretty much all decided that some forms of professional certifications are the right way to go.
Not to say that they're perfect, but that they could be better than the alternatives.
Understanding how those rules interact, how to trigger certain interactions others didn't intend, and the best practices to not get bit by those interactions is what security is all about. It's much like law or medicine in that you are looking at unexpected consequences of multiple complex systems interfering with one another and looking for compromises and best practices to keep the most disastrous interactions the least likely to happen.
The individual NAND, AND, NOR, OR, and/or XOR logic? Rules - tabular even. The base IA? Rules. The microcode? Rules. The VMM? Rules. The TLB? Rules. The assembly? Rules. The OS kernel? Rules. The C library? Rules. The ABI calling convention? Rules. The application language? Rules - syntax and semantics. The libraries under the application - rules. The application itself is a list of rules for how data is processed. If it's Turing complete it's basically equivalent to the lambda calculus.
Every security issue is some misapplication of these rules due to someone not understanding the implications of the interactions of the rules. Every single one. Smashing the stack? It's applying a set of rules in a way the code author didn't anticipate. Overflowing a buffer? The code author didn't anticipate more data being stuffed in than the buffer was made to hold. Rowhammer? There are rules of semiconductor electronics interacting with the programming language, the IA, and the logic layout. SQL injection? Someone's applying the wrong rules to sanitize the input and someone else is giving input that takes advantage of the underlying rules of the programming language and the RDBMS that they were allowed to invoke because proper sanitization wasn't in place.
The rules under discussion are policy, and the question is how to define policy for evaluating people's skill at running roughshod over policy. The fact that there are underlying "hard" rules is literally universal and therefore uninteresting in this context.
Lawyers and doctors deal in interacting complex systems of rules. So do information security people.
If you can make a certification that works for one expert in dealing with interacting complex systems of rules, you absolutely can make a certification for another expert in dealing with interacting complex systems of rules.
The details of what you test are different, but the fact that it's been done for law, medicine, medical specialties, dentistry, mechanical engineering, electrical engineering, civil engineering, and many other fact and rule based fields means it can most likely be done in general for people looking at how different systems of rules intersect.
On the defense side, they simply do not work. Everybody gets hacked. The best companies with the biggest security budgets employing people at the cutting edge of security research still get hacked. Security experts get hacked. If the best in the industry still haven't solved this problem, you can't even begin to make the framework that you're proposing.
The discipline cannot be described as experts dealing with interacting complex systems of rules.
In computers, as in some parts of law, we have ample opportunity to address underlying rules as well as the rules around how we adjust, prepare, and react.
Of course one problem is "how does a certification become recognized", I mean in IT security it's going to have to start somewhere...
In the UK the IISP are perhaps closest to the "traditional profession" certifications, but they're struggling a bit to get traction.
Unfortunately the industry is growing far faster than perhaps happened for previous emergent professions, so the time needed to slowly grow professional bodies isn't available.
If it's not commercial organisations that start providing those services, the only other options I can see are some form of union, or some government mandated body. Those are options, but both have their challenges.
Both those options have their downsides.
Regardless, none of the certificates you've mentioned --- OSCP, CREST, or SANS --- will define information security. None of them have any meaningful credibility to experts.
When a lawyer is admitted to the bar, that is generally taken as proof that they have some idea of what they are doing. Bar exams are hard.
And the bar also provides a forum for dealing with shady lawyers. If a lawyer treats you badly, you can file a complaint with their bar association and they might get disbarred. This is an area where cyber training and certs is not as good yet, I think: as a forum for resolving disputes.
I'm 30, and am essentially starting life over after finishing my military enlistment a couple years ago. All the experience of setting up shops and drafting reports meant nothing without a degree. So I start working on my degree, and I am absolutely miserable. My love of learning was sucked out of me because I wasn't learning: I was working towards an extra line on my resume.
Right now, I am in a jr. sysadmin position making minimum wage, but I was selected for a SANS scholarship where they pay for your GSEC, GCIH, and one elective cert. My friend bought me a decent laptop, so I could experiment on virtual machines. Another registered me for the NCL so I could access their gyms to spread my legs a bit with more powerful tools. I READ SECURITY WHITEPAPERS FOR FUN NOW. I love trying to figure out how to best balance company workflow and security best practices.
I know at the end, that the three certs are not going to make me a SME, but at the very least I hope that this particular extra line on my resume can help get my foot in the door somewhere I can be mentored and develop my base. A salary that can actually pay my bills would be nice too.
Then I read articles like this, and wonder if I'm going to be sidelined again. I feel like at that point, my life is worthless.
Most of the articles like this seem to come from people in the top 1-5%. Most of them are people that have started their own companies. I'm not a unicorn and most people aren't. I'm pretty confident that Tptacek and everyone else quoted are better security analysts than I am and possibly ever will be. However, I'm also confident that I'm pretty good at my job and I have the potential to get much better.
The important thing is to keep learning every single day.
I guess my point is that I agree with you that no one needs certifications, but I didn't think the contents of the courses I took were completely worthless.
IMO, some subfields of security are better suited to structured learning than others. For example, forensics can be taught very well in the format of a certification course. However, from my experience, exploitation and reverse engineering are pretty hard to learn in the same format.
Meanwhile on planet earth "draw up an inter-agency security agreement compliant with all local jurisdictional laws and industry regs" is also infosec and command line kung-fu will do fuck all to help you get it done.
This guy just drinks "unicorn" piss - he didn't get "trained", he's just so darn smart and hardworking and special. I bet his business card says "lead ninja" or some other IT fuckboy bullshit.
I wouldn't expect anyone with a CISSP to be an expert in "tech ninja" stuff, but he should be able to assess whether overall security is better served by investing in the "ninja work" or, for example, additional phishing training for employees, at a given point in time. This is certainly not a deficiency in CISSP, and I don't think anyone with enough experience in the infosec industry would have such an expectation.
* ISP network security engineering
* Network penetration tester
* Software developer for network security products
* Application security assessor
* (Most recently) Security team lead
I've had these roles for small companies and for very large ones.
What experience am I missing that would lead me to change my mind about the CISSP? I don't think attempting to pigeonhole me as a "crypto expert" is going to persuade me, because that's not the span of my professional experience.
I think the grandparent is trying to say that the CISSP is largely for non-technical security roles. People that manage large security organizations are generally believed to be the ones that benefit from the CISSP as they are not interested in the details and more on a 1000 foot strategic view.
Without knowing more details about your specific expertise, I would say you probably haven't been in a role that would benefit from the CISSP by just looking at your list. If you've been the CISO for a large company with 400+ people reporting to you doing IS work, having a CISSP should at least help you prioritize the work that needs to be done. Likewise for many companies that have non-technical management in security organizations, a CISSP helps provide some background for them.
It's a hodge-podge of everything under the sun. The only thing it's able to prove is that
a) you have endurance and spare time to sit for a 4-6 hour multiple choice test
b) you can commit to rote memory a bunch of meaningless material which you are unlikely to encounter in real security/risk management role
It truly is the worst of the bunch, but for reasons yet explained, it's the de facto "must have" by bigCorps - which is why it gets picked on by so many folks: everyone knows it's bad, yet most people end up picking it up.
There are plenty of worse certificates out there - I would argue that the CEH is probably the worst one at the moment (although they are making some changes to improve)
But even for us (a high end infosec consulting firm) knowing how to relay findings and risk concepts to executives can mean the difference in our work getting implemented, transforming an organization from average to above average in terms of how they approach information security.
Anyway, don't be such a cynic, we just run out of air when we get to the upper reaches of technology expertise so it makes us dumb :P
At that point in your career your experience and knowledge will show for itself, and you won't be proving anything with paper.
Right now, however, it's vital you get your foot in the door. You don't have much experience yet, so a cert shows you're eager and at least not totally clueless. The jobs that care about your certs will probably not be very good, but it's a stepping stone if you're ambitious.
Once you get established, no one looks at those things.
Get your certifications - they will certainly help. Just don't pin all your hopes and dreams on these certifications.
They will add to your resume as a whole - so that when someone is reviewing your resume they can put an extra check mark in the pros column (experience, check; skill set, check; oh hey he has certs too, nice. check;)
In my experience working in technology, most people aren't as vocal about certifications as you would think based on the chatter you see online. They are a nice to have, not a must have, to get started. Sometimes depending on your actual job, they become a job requirement and work will pay for them.
Also in my experience, the people really against certs are people who for some reason don't like the idea of other people "invading their turf". As if you getting a cert in their field somehow trivializes their experience or effort.
In other words, keep doing what you're doing. View your certifications as milestones along the way, not the be-all-end-all of what you will need in your career. Continue learning and getting valuable experience, and you should be alright.
Update: One last note: certs are like a lot of other things you will encounter in any type of education. You get out of it what you put in. If you work just enough to be able to pass the tests, well, that's what you will get out of it; a way to pass the tests. If on the other hand, you try hard to learn and understand the concepts, then, that's what you will get out of it and it will certainly add to your learning.
Seriously, you are spot on. It takes years and dedication and no small amount of coincidence of interests and skills to reach the elite levels. It also takes a kind of persistence and thick skin to do the research and get the skills to get your first real high end job for most people. I tried replying to the OP about how to get to where our senior and principal consultants are and... it turned into a somewhat muddy word bomb. At some level the advice was basically, "Yeah, just get really good at... everything, then infosec is easy"
There are so many paths and skillsets required and you can specialize in so many areas (operating systems, tools, crypto, memory corruption, etc...). How do you even begin to convey the depth and variety to someone at the start of their journey? Ultimately there are just a lot of common patterns of elite hackers, base skills you use all the time. Get those skills, and keep trying to hack stuff :)
Whilst there are people that, unfortunately, take the attitude in the article, I think that there's a load of others that take a more balanced approach and recognise some of the value of certifications.
The other thing I'd recommend, if you're not already doing it, is get along to some of the chapter meetings and conferences that there are increasing numbers of in security.
In particular I'd recommend BSides conferences (http://www.securitybsides.com/w/page/12194156/FrontPage) there's loads of them around and they're good places to meet people in the industry and also in many cases the sponsors are looking to hire.
I kind of resent my opposition to certification --- which I see principally as a way of keeping newcomers out of the industry, by requiring them to get expensive certificates to enter it --- being cast as opposition to new talent. I think opponents of certification are far, far more welcoming than the supporters are.
The article takes what I think to be an overly absolute position in suggesting that certifications are actually harmful to the industry.
I'm not suggesting that you are opposed to new talent, I've not said that anywhere.
What I've said is that I think that certifications can be useful for newcomers in demonstrating effort/ability in a field.
I think that those certifications can be useful specifically in scaling entry to the industry (I'm not saying they need to be expensive, heck I'd love it if they were free, but someone has to pay for the effort required).
The problem with leaving individual companies to review every candidate from scratch is that it's a huge waste of effort. If you're starting a SOC and have to fill 50 spots and get 2000 CVs across your desk, you realistically are not going to be able to take an approach of manually interviewing every single candidate.
Now, and I'm sure you know more than I, that doesn't apply to high-end security testing companies, but different types of roles require different approaches.
I'd appreciate it if you'd take a second to retract.
The top comment expressed quite clearly discouragement that this attitude of negativity to certification would affect their job prospects.
My comment line that I'm presuming you object to is
"Whilst there are people that, unfortunately, take the attitude in the article, I think that there's a load of others that take a more balanced approach and recognise some of the value of certifications."
Didn't mention you, wasn't intending to mention you, referred to the article which clearly takes the position that certifications are actively harmful to the industry, a position that I disagree with.
If you feel I've insulted you, I apologise for that, but I'm afraid I'm currently a bit unsure as to why you feel insulted.
Focus on developing the skills, not the paper, even if the paper is pre-requisite to get promoted. Credentials should always be second priority. If you have the skills, you'll be in demand as long as this class of problems exists. People hire people to do something. Do that thing they want. Don't put your trust in any type of credential.
That said, very few people will hold worthless certificates against you, and risk-averse corporations will want to hire someone as highly decorated as possible so that they're clean if there's a lawsuit related to operator error or negligence. If they're available at low mental and financial cost, they won't hurt.
Don't get discouraged. Work on developing the skillset and the rest will flow. Get the certs as needed or as they're available, but do not attach your own sense of worth, value, or success to them. Your skills are what will distinguish you no matter how respected or despised your credentials become.
Don't get discouraged.
It comes down to a very simple concept. Can you make the computer do what you want? Can you find the flaws in its state machine and hack the shit out of it? Yes? Come join an elite firm. No? Go into corporate IT security or keep learning until you can take the raw machine code and make it do what you want.
What does running a bunch of tools have to do with that? Most certs are very tool focused. Some /might/ have you do some stuff that is more interesting and CTF like, but so what. It is still meant for mass certification. If you only study to exploit a buffer overflow or inject SQL you are missing the point (though those are valuable skills).
You need to fundamentally understand. You need to be able to model complex software architectures and understand all the complexity of a modern software architecture and ecosystem quickly. Why quickly? Because it changes quickly. Because there is often so much diversity and complexity for a security practitioner at our level that you have to change architectures seamlessly and at a high (not expert), but very high, level of proficiency. That means you have to write code, play with a diverse amount of modern software and programming languages and constantly be thinking about everything from the security perspective. Learn threat modeling. Learn software. Learn the low level bits of computers and the high level bits.
What does this mean? It means if you know all the command line switches for all the tools on Kali you won't ever get anywhere. You need to write code. You need to understand operating systems like a systems engineer. You need to know what is going on with hardware. Will you use it all every assessment? No. But it will inform and guide your choices and you will have the framework required to understand almost all software and hardware you come across.
We have been working hard on our work sample assessment in our hiring process for the last 9+ months. We have seen folks with an elite level of memory corruption (e.g. guys who find and write exploits for the DoD) experience do very poorly on assessment and we have seen 2nd year college kids get right to the heart of the sample and own it. We see a LOT of people who want to transition into infosec or work at a more hardcore level come in and throw every command on Kali at our work sample. (Amusingly you have to think and assess things, you don't need anything fancier than a hex editor and a programming language or two with their standard library). Does that mean someone good at memory corruption is bad at information security? Maybe. It means their skills are too narrow to assess and secure the typical systems our customers hire us for and we work on, and we work on a lot of important stuff.
So let's be more concrete:
* Get really good at Python or Ruby (Python is what we prefer, but Ruby is okay). Write code every day. Golang is fun and good too.
* Work through all of cryptopals until it hurts, read every paper you can along the way
* Take a Coursera course on cryptography (Dan Boneh's older one is nice) -- you really need to understand the crypto primitives in modern use and how to use them safely, you don't need to know how to implement a side channel resistant AES or ChaCha, but you need to know when someone is screwing up with AES in CBC mode (they almost always are if they are using a crypto primitive)
* Build or contribute to some open source security tools
* Get really good with mitmproxy and/or Burp; so much stuff now is HTTPS and/or WebSockets
* Know your web app LHF
* Read and understand OAUTH (do this later)
* Learn every common authorization model in existence and how authentication and authorization are /actually/ implemented
* Work through the Microcorruption CTF, you will understand better how a computer works if you get through /every/ challenge
* Learn threat modeling (Shostack has nice writing about it)
* Find software. Break and threat model software. Find more software.
* Follow and, more importantly, endeavor to understand the work of prominent people that talk at BlackHat every year or build software people use (Bernstein, Matthew Green, and the Charlie Millers of the world; understand their methodology first, walk through how they do things more than their results, don't be distracted by results, but the skills and effort they employed to get the results).
That is the basics. Get good at this and you can break most modern software. Then you can specialize. Along the way of doing this you will come across tons of interesting stuff and find places you want to investigate. This is just off the top of my head. This is the really hard thing about being really good... it takes time. You can't just wake up and decide to do this at a high level. Programming takes time. Learning crypto takes time. Learning HTTP takes time. Learning software stacks and modern software architecture takes time. At the end of the day this path is daunting and, like a sieve, it filters out all but the best technologists. Now you can imagine why the author may have taken the sort of down his nose view he did of certifications, because this is an immense and challenging thing.
Step back a bit and assume becoming elite at this is a 5-8 year journey, what do you do in the meantime? Write code every day. Work on only a few things at a time to ensure you can go deep enough and understand it. Do your certs, they give you great exposure to the variety of tech, but never stop at the level a cert gets you to if you want to progress. Figure out what you are enjoying right now and focus on that. You can feasibly get more entry level pen testing and assessment roles in corp security on the backbone of a few certs, getting good at programming and automating things, and going deep on a topic area that really interests you... web app testing is a great starter, but never settle for banging out LHF (Low Hanging Fruit) findings all day, learn how to build web apps, too.
You can also go more of a risk management and policy route. This requires you to have a breadth of knowledge, be deeper with at least a few things, and understand corporate security, but I swear, if you love technology and enjoy deep thinking these roles will suck the life out of you. They are where deep thought often goes to die, drowned by corporate policy. Anyhow, it is getting late. Good luck. Find my company and contact us, we will set you up on our work sample and you can see what it is like.
Most organizations aim for compliance (it's cheap and easy). They base security on contracts, certs and insurance policies.
Street-smart security practitioners are appalled by this. And, management doesn't understand why the 'security people' aren't on-board with 'compliance'.
It's a lot like the old west with Cowboys and Indians. Two totally different world views.
Yes, Anthem/BCBS, Target, HD, Sony, etc, etc have all had losses.. but they really haven't been long-term impacted it seems.
I don't know what the answer is, this sucks hard as both a consumer and an infosec person. I tend to view security as a "hidden performance" factor. As long as the security flaws don't inconvenience the paying customers too much, they simply don't care if they exist or not.
It was literally "person's-company-name Certified Forensic Examiner".
He had created about 6 certifications, all of which he held.
It's kinda funny, but also kinda scary that the court accepted this as proof of his qualifications. The prosecution never raised an objection to it either.
I don't see how that's much different than asking someone to solemnly swear they are telling the truth, when most humans are as capable of lying about whether or not they are truthful as they are of lying about anything else.
If the court has no one capable of gauging the expertise of a witness, it has to trust in someone to do that for them, and if neither party in the case objects to the witness certifying himself as an expert, it has no reason to gainsay that assertion. It's really the prosecutor's failure alone, for letting that detail slip past.
The difference against lying is that you know when you lie. You don't know when you are overly confident but incompetent.
If the other side of the case had an expert that didn't bring up the lack of credentials, or the litigators on the file didn't bother to do the most cursory of credibility impeachments, that's on them.
Everyone can tell the truth, but not everyone knows technical details about something. He is using his certifications to show he knows technical details; he might even believe he knows those things, but he very well could be wrong.
Certifications sometimes set a terrible baseline, but at least it's an independent baseline.
Universities have been a centralized source of accreditation for a long time. All it takes is for someone to figure out how to restrict graduation and filter good candidates using testing or some other means to gain accreditation and acceptance of its graduates by industry.
This is based on my last batch of interns that had masters degrees but couldn't handle hello world. Their spoken English skills made it clear that they were completely incapable of understanding the lecturers.
Universities are a business, they are paid a lot to provide a piece of paper, so they provide it.
http://www.uoc.edu since 1994
My day job maybe 15, 20 years ago was basically Cisco CCNP Routing test. It was kinda useful to study and pass Cisco Switching test because switching is a different world of networking. Probably I was in the top 10% of router ops, but I was only in the top 90% of switch ops. For many jobs that's perfectly OK.
Something very few people like to talk about is self inflation of company requirements. Top 90th percentile is frankly more than good enough for most companies. Yes lots of self important strutting about rockstars and ninjas but all they really need, often all they can get, is top 90th percentile, and it works out fine.
A cert is not a Nobel prize or Congressional Medal of Honor. It's not even a PhD. It's kinda like graduating middle school, or having a clean-ish criminal record. Maybe the best example is it's like passing a drug test for a job, having the self control to not get high for a whopping two or three days before the test is kind of a minimum display of self discipline to get a job.
Issuer: Go Daddy Secure Certificate Authority - G2
Expires on: Nov 13, 2016
Current date: Apr 12, 2017
It appears to say that if you ever hung out on IRC and tried to keep your handle private, you're ineligible.
"Omit user identities or screen names with which you were publicly identified."
Their web app challenges were fun too. LFI to code execution, SQL injection, things like that. They have a bunch of network related recon, standard red-teaming stuff.
The OSCE involves ASLR bypass, AV bypass, and using egg hunters.
The big thing about the OSCP, OSCE, OSEE certs is that you actually have to _do_ all of the stuff they teach you. Not a multiple choice or written question in sight. For the test they drop you in a network with vulnerable machines and you have 24, 48, and 72 hours (depending on the cert) to get code execution on each through various techniques. It was challenging, interesting, and satisfying.
Edit - it's worth mentioning that I still find vanilla buffer overflows on projects. These days most thick-client applications that I see are old as hell and are still vulnerable to exploitation techniques from decades ago. So while the skills that the cert makes you prove are cursory and introductory, they are still useful. In any case it's a good starting place for those that want to learn stuff on their own but do better when they are given the push to prove it.
That being said, the nice thing about OSCP imo is that it gives you some structure and a well set up environment to play in. I think OSCP is a great entry-level certificate and serves as a good filter to interview junior candidates.
Does this help at a more elite level, nope, but that's also not the purpose of it.
Red flag: someone that has an email signature with 50 letters next to his/her name, there is NO WAY someone has spent enough time on each: coding, security, audit, accountancy, at the age of 30 AND be proficient in all these domains.
Or it means they can drop the same jargon and have maybe a passable understanding about the ideas that jargon is meant to convey.
Often people with extremely narrowly focused bases of knowledge (as indicated by having BAs, MAs, and a giant rap-sheet full of certs all in the same topic) have wound up being thoroughly incapable of actually applying any of their knowledge to the benefit of the team they're on because they just don't know how to get what's in their heads into the heads of people who weren't steeped in the same language as they were.
What happened was:
IT boss: "we need to hire a coder"
HR: "What skills?"
IT Boss: "Oh, Foo language. But if they're a good coder they can pick it up, so just a good coder"
HR: "...you're kidding, right? There are millions of resumes out there, most from people with no skills just trying to land a great job. Give me enough to filter"
IT Boss: (provides list of three things)
HR: "This still isn't enough. Practically EVERYONE will have these. Give me years of experience, skillsets, processes, etc."
IT Boss: "Fine, here" (gives long list of things that MAY be useful)
HR: (starts filtering resumes based on these words, removing lots of good people and including lots of bad people)
IT Boss: (looks at resumes) "These people are clearly lying and all over the place, I'm going to focus on one or two things to decide who to interview"
So in writing your resume, you want to make sure you have the buzzwords for the job to get past HR. These buzzwords are pretty much guaranteed to be on the job listing, even if they end up not being very essential to the job. Did they mention Scrum? Better have it on your resume, because you may be filtered out if it isn't, even if it's something you'd not consider worth listing. Also, use the same words. I once was asked if I had "shell experience", even though BASH was on my resume. I assume "Agile" and the various implementations are the same. If they mention XP, you better mention XP.
BUT when your resume then makes it to IT, who (1) know what these words mean and (2) aren't looking for the same things at all, you need to have what they want. I tend to use a sidebar on my resume to capture the HR buzzwords, and emphasize my work experience in the main body, so an IT person skimming it will see what they want to see.
One technique I've taken to handle HR buzzwords on things that I don't think are actually a big deal: If the job listing says "Must know React, Angular, Backbone, or other JS frameworks" and I wasn't really strong in any of them, I'd do enough research and testing coding to do a Hello World in them, then add "Exposure to Foo, Bar" on my resume. It tends to get through HR (word is present!), and I'm not lying to the IT people - they understand that I'm not claiming expertise, but I'm also saying I'm willing to give it a go.
As a corollary to all of this, you need to tweak your resume for every job posting, to match their buzzwords and remove ones they didn't list that aren't really core to your skills.
I'd keep them if they are and lose them otherwise.
It's kind of like college. It's about what you get out of it. From a hiring perspective, though - if a course provides utility, perhaps if one of the interviewers also has taken the cert course, they can probe the candidate more thoroughly on their knowledge from the course.
We all know far too many people who have mastered the test, but not the material. This makes the signal from the certification unreliable.
I've seen a few folks get a CEH and then they're off to App testing land, but the funny thing is, none of them has ever written an app, some not even a script, and they are now doing security testing on mobile apps. Basically they just push a button on an app scanner and pull a report, it's sad.
The folks that do succeed in security are the ones with curiosity, experience and drive to learn.
I like to know how something broke and why it broke. I understand programming and can read about any normal language to a basic degree and lightly troubleshoot.
You're absolutely right, about those kinds of people too. Some get the certification and stop there. Others get it and use it as a foundation and build on it.
But I wasn't in management, and I've since learned how very little technical skill you actually need to be an effective manager, and now I realize that certs are a great way for a manager to understand a complete baseline of the concepts needed for a particular field.
A manager does not need to be a hacker, but they need to understand a baseline of security concepts. That's what certs are really useful for.
Experience on a resume is self reported so that is an even worse indicator of skill than a cert. At least one of those two involved external validation by a 3rd party.
I think there are a few good ones out there and getting them ensure the person has at least a baseline knowledge of some subject. I have worked in the industry for years as a pentester, but I still went and got my OSCP and OSCE for fun. A lot of it was review, but it was nice to fill in some gaps and practice things I hadn't had as much experience with.
Certs are like college degrees, you can get by without them, but it can be easier if you have them. You will probably learn some things along the way and they provide a foundation for later studying or pursuit. You don't NEED them, but you don't need a lot of things in life, that doesn't make them worthless.
Book: Web Application Hacker Handbook
I've seen it highly recommended and if you're not familiar with the field it's a good overview of exploit types for web apps.
Online training for free or cheap:
Cybrary - mostly okay, but free.
PluralSight - https://www.pluralsight.com/browse/it-ops/security
Coursera has a Cybersecurity Fundamentals specialization that's pretty good - https://www.coursera.org/specializations/cyber-security
Other books, if you wanted to go down the reverse engineering route:
Assembly Language Step-by-Step: Programming with Linux
The IDA Pro Book (for the strangely hard to buy IDA Pro, but the free version is pretty good)
Practical Malware Analysis
There are physical access controls, personnel assessments, probability and impact assessments, budgeting, people-monitoring, process analysis and modelling...
Computers are a tiny part of it. This being HN I have understanding for the bias though.
I learned more useful, practical concepts and skills by taking a couple of SANS courses than I did in four years of a CIS program at a University. Both my university classes and the SANS courses consisted of books, presentations, lectures, and individual or group assignments/labs. If they are taught the same as a university course, why is it automatically considered inferior? SANS teaches a lot of tools, but they also teach the underlying concepts to prevent people from becoming dependent on tools. In some subjects, it would be insane to not teach tools. For example, I took the GREM (Malware Analysis) course. It's a very basic course, but it would be foolish for anyone to teach a course about reverse engineering or malware analysis without using IDA or OllyDBG.
While the class won't (and doesn't claim to) turn someone into a professional-level reverse engineer, this course helped me understand a few things about assembly that I just wasn't comprehending when I used other sources.
Would I attempt to use my GREM as justification for applying to a malware analysis job? Of course not, but the course has helped put me on the right path. It's possible many people learned through another, far less expensive method, but that doesn't mean the training was worthless.
If I were hiring someone, I wouldn't use certifications as a sign that they are qualified. However, I would use the certifications listed on their resumes, combined with their work experience, to figure out what kinds of questions I should ask them.
I also wouldn't use certifications or a lack of certifications to disqualify a person. Using your anecdotal evidence of bad experiences with certified people to label all of them as incompetent is ignorant.
I'll wildly speculate that some potential Tactical Network Solutions customers are asking about DoD 8570.1 security certifications. That may be a mistake on their part for something as far down in the weeds as embedded firmware solutions or the Centrifuge IoT Security Platform.
On the other hand, some of Terry's customers likely hold those 8570.1 certifications, so he might want to be careful about rubbing in how they wasted their time in acquiring them.
If he takes a look at SI-7 in the System and Information Integrity control family (found in NIST Special Publication 800-53) he might find some selling points for his products. A certified security engineer who had done a RMF audit would know that ;)
What are your opinions on colleges/Universities with degrees focusing on Cybersecurity?
Such as Utica and their Bachelor/Master degree in Cybersecurity.
Program info: http://programs.online.utica.edu/programs/online-cyber-secur...
Program info: http://programs.online.utica.edu/programs/masters-cybersecur...
The problem is, you can't tell the difference between the person that did the time, studied, did labs, etc... And the one that downloaded a test answer brain dump and memorized the answers.
And even in the case of the former, you can't cram 20 years of knowledge and experience into a certification.
I have just an MCITP that I had to get as a job requirement. My employer paid for a 2-week bootcamp. I did very little studying and already knew 90% of what was covered.
I have about 10 people around me that have various combinations of certifications and degrees that all use me as a lifeline when they get stumped.
"If you took the tax id and social from 'airGappedMachine'"
"It has no connection to any other machine"
"Just query the database"
"Store it on a thumbdrive and walk it over? It changes quite often I don't think that's a good workflow"
"No, just query it"
Or the classic:
"That password only has N characters, I can crack that in Y seconds"
"You are the Administrator of that box, you can simply reset the password and do whatever you like."
"Yeah but the hackers.... Y seconds"
"It's not Y seconds for them, if they already are an Administrator or have read database access it's game over anyway; they have to use the API and that locks you out after 3 attempts. Also you are assuming a much easier hashing method than is actually in use."
"Yeah but my calculator says Y seconds so it's Y seconds"
Like the "Mongodb is web scale" one.
The CCNA Security only costs $180. It's a very small investment and I don't see why anyone serious about security wouldn't spend the money to get certified
Edit: Interestingly, this vendor specific cert is far more valuable in my country than anything like CEH if recruiters are anything to go by
Doctors have to go through extensive certification in order to be hired, and constantly have to re-certify. The difference, though, is that a doctor's certification is very rigorous and well-designed.
The difference is that a medical certification proves competency. Certifications in our field do not.
I have CEH, EnCE, and EnCEP. Doing CISSP this year. Why? Because it makes me stand out regardless. And I've landed clients who were amused by the "ethical hacker" designation. So don't undervalue certs just because of some cocky nerds.
Part of the problem with certifications is that lots of students look at them as a means to an end. This is wrong and counterproductive. Learning to pass a certification is the laziest, most counterproductive exercise you can do to learn security. Yet this is common. Learn by doing. Then get a cert if someone demands it or offers you more money for one.
If more people approached certification that way, there would be less industry-wide pushback about it.
Stated another way, getting a bunch of certifications helps you stand out from the entry level. Putting aside a platonic ideal of what certifications should be, you could have done that without those certifications.
With regards to your first paragraph - at this point my consultancy bills five figures per week, and I do absolutely no outbound lead gen. The lack of certifications will lose you business, yes. But I would argue that was not necessarily business you wanted to optimize for.
A lot of companies treat these as some kind of mystical incantations that will protect them if sufficiently invoked. Case in point: being mandated to switch from one OTP generator app to another because the latter is "FIPS-Compliant" - regardless of the fact that both generate the exact same set of OTPs.
This cargo-culting is not inherently harmful, but it leads to magical thinking and a false sense of security, as well as diverting time and energy away from more productive avenues.
I suspect that the CISSP-genre of certifications suffers from a similar pathology: intrinsically they do function as at least a partial indicator of some type of competence. The problem is when actors with a financial incentive to game the system meet up with bureaucracies: the less defined but more accurate metrics are thrown under the bus in favour of something that is easy to quantify and sell.
In other words: if the company asks for certs it's the equivalent of wanting "6 years of react.js experience". I completely agree.
The reality is that recognizing the importance of a foundation of education is critical. There will always be shortcuts that people take in every imaginable part of life. With that said, people who have a firm education or knowledge, no matter where it is from (institution and/or self-taught), will be able to point out people who took shortcuts fairly quickly. The challenge is knowing the right course of action to take; firing or other knee-jerk reactions can result in more harm than good in some situations.
If you do the math, attending webinars, reading books and writing reviews don't get you all the points you need every year (I can't imagine the fraud that must be going on for people trying to get those points). So I said "fuck it".
Funny thing is, I'm way more experienced in security now (with CISSP expired due to stupid points) than when I got it and was certified. Joke and money-grabbing scheme, no doubt.
Ideal candidate will have CISSP, OSCP, CEH, SSCP, WTFBBQ, etc etc
Certs have value depending on the person's skills. Never hire just because they have a CISSP or XYZ.
Sometimes it's just the key to the door to the interview. From there it's up to Employer to properly vet the candidate. If they hire an idiot with a paper cert, then it's their fault... and then they write an article. LOL
As an aside question for web developers: How many web developers encrypt/checksum all fields on the client-side?
I wouldn't be able to get one despite having experience because:
For several of them it requires years of work experience with specific job titles (your job needs to be security, it can't just be part of your job), and the continuing education credits are expensive and largely not helpful.
I would love if there was a recognized certification that was actually interested in proving your skills not for making money.
I know other disciplines are the same way.
They don't really serve to keep unskilled people out, they serve as kind of an elite paywall where you need time and money to break through. And breaking through is largely an exercise in brute force not in skill.
In discussions like these I really wish people would post up front if they had taken the test (regardless of pass or fail). This lets me know which comments I can ignore as completely ignorant.
The team lead whose feet I studied at in my first few years in IT had a high school diploma and he could run rings around the guys from Carnegie Mellon and RIT that worked with us. He was a deep diver mentally. I watched this guy drop awk, sed, bash strings a mile long, write Perl scripts without consulting a single web page. He knew IOS (Cisco), Perl, TCL/Tk, Sun, BSD, and about everything else. He could configure HA UNIX servers and Oracle DB backends without consulting a manual. It was most impressive. He was let go because he was a team lead (middle manager). The people that replaced him -- yes, people -- knew nothing in comparison.
The same could probably be said for a degree, particularly with the current snowflake "everyone must pass" mentality at so many schools.
Certifications and degrees are nice, but neither guarantees a person is competent in any field.
However when we're working at scale, certifications can be useful as providing a demonstration that the holder has some level of exposure/knowledge of the arena in question.
What complicates this quite a bit is that some of the more popular certifications are, rightly, not considered that good, as the process to get them lends itself to rote learning. So things like the CEH and CISSP, where the exam is multiple choice, are not so great.
On the other hand things like the CREST CCT definitely require a decent level of knowledge to pass and you need to be able to apply that knowledge in a practical situation and in time limited conditions.
I find the anti-certification bias in IT and security a bit odd really. If you look at other professions (e.g. law, accountancy, architecture etc etc) it's recognised that these things are required to get a minimum level in place in situations where you have a large body of people. I don't really see why IT Security should be any different.
To me, the problem of "these certifications are bad" should have an answer of "let's make better certifications", not "let's not use certification".
There was no real memorization needed, and I had the full man pages of the operating system at my fingertips, but the time limit ensured that I needed to have at least a certain degree of proficiency with each tool to finish all of my tasks before the end of the exam.
I assumed this was the norm with certifications, but the comments here strongly suggest that it is not. Are Security Certifications really multiple choice questions without any practical applications? That seems like it could stand to be improved greatly.
One problem is that some of the "bad certs", e.g. CEH, CISSP, are well established.
My feeling is that the answer isn't "don't have certs" but "have better certs".
So not my dichotomy.
A few, less than 10, had certs listed on their resumes, and no one in the interview loops gave weight to those certs or even talked about them from what I recall.
I was lucky enough to start early when the only thing you had to do was to show your skills and willingness to learn. Those days are long gone but you can still prove yourself by delivering awesome security research or commentary - and people will hire you based on that.
That being said, any IT field which requires some sort of "technical" certification to get hired is probably not the field you would like to get into. Why? Too much competition and a race for the bottom line.
Luckily this is not exactly the case with Information Security - yet. In our line of work there are people who do a lot of the uplifting where certifications do matter. I would not say these are very technical jobs and they are totally dispensable. Other professionals acquire specific skill sets which are rare or difficult to obtain and as a result they tend to have the upper hand. There is of course a lot in between.
I do not mean that everyone who has certifications next to their name sucks. Not at all. But unfortunately, unless you are applying for a commoditized IT security field or security manager type of role, it will raise some questions.
Keep in mind that HR is also partially to blame. Many people do not know how internal HR teams typically work which is essential to understand why certain things happen the way they do when hired or when progressing through the ranks of a company.
HR are typically not technical and they are not experts in security either, so they do not know what exactly they should be looking for. Of course they are not completely clueless, but a seasoned hacker can smell bullshit from afar while a well-informed HR cannot. HR's filter is your CV and the job spec, and these two are simply not enough to evaluate a successful candidate. Some job specs are written by HR themselves, which is crazy because they are not in the position to formulate the role, so they have to stick to what is known - i.e. certifications.
That being said there is a shortage of IT security professionals. As a result of that almost anyone can get hired if they show the right attributes. It does not take a long time.
The only thing that bothers me with the InfoSec industry these days is not the certs but that companies tend to have really bad hires (maybe due to bad certifications) who, due to a lack of deep understanding of the subject, work on things that practically do not matter. As a result of that these companies have the illusion that they are doing something, while the fact is that they do not in a practical sense. This is why in many places no one knows what the security department does - I am not kidding.
It's interesting that his argument is against certs for companies but then he looks at regulation as unchangeable.
I'm not going to engage in the debate about what certifications should be in the industry, but I'm happy to show which option is most advantageous for your particular needs right now:
* Certifications mostly do not teach you anything that you, as a competent web developer, cannot learn from the same five textbooks tptacek, others and myself recommend in these threads.
* Certifications cost money.
* Certifications optimize for companies and roles that disproportionately do not pay highly.
* Many certifications require upkeep.
Let's contrast with bug bounties:
* Bug bounties grow your real-world, hands on experience.
* Bug bounties do not cost you anything (in fact, you can get paid!).
* Bug bounties cover a much more diverse and up to date set of security flaws than certifications.
* Bug bounties optimize for companies and roles that will respect you more highly, pay you far better and aggressively try to hire you after you find more than, let's say, two serious vulnerabilities in recognizable companies.
* Bug bounty recognitions do not expire.