2. Don't get certificates. If you meet a prospective employer who seems intensely interested in them, that's a red flag about that job.
3. The idea that you should aspire to being able to do your whole job from a Linux terminal is pretty silly. Use what works for you.
Maybe it takes more than 6 years in offensive security to realize this, but the #1 bit of advice for this field is: learn to enjoy coding. The worst possible place to end up in security is as a captive to available tooling.
Here are some of my thoughts at 15 years:
1. Get sleep and exercise. Stop drinking soda, just stop it. Drink water, coffee, tea, and scotch.
1a. During undergrad, I would get into a trap where I would think I was too busy with schoolwork some night to exercise. Later, I changed my thinking and realized I was too busy to NOT exercise. My grades improved.
2. Work 40 hours a week. Don't be a hero. You're going to burn out.
3. Keep your mind open, but don't accept what others say uncritically. Investigate and evaluate all new information, time permitting. Don't think you know everything; also, don't think anyone else does either.
4. Be a good programmer.
5. Learn some advanced mathematics and cryptography. Don't listen to the people that say "I've never had to use that." Learn about something until you're unsure and uncomfortable, like exercising until you feel it; that means you're learning something.
6. Make your resume more about stories you can tell and less about tools you can use.
This is great advice, but I've never been able to describe it so succinctly.
It's an excellent example of story-driven resumes.
Who is working 80+ hours a week long term? It throws into question every other statement on the page.
A more reasonable person would probably put a fair amount of learning time on the weekend, but even then you leave very little time for a social life, physical exercise, eating, relaxing... things that most healthy people, if not everyone, require.
Also, learning and hobby projects can include social aspects.
There is too much mathematics to learn all of it. To maximize my time, I think I need to focus on some subjects that would be cost-effective. What would these be?
I work in infosec as well, and I think the author of this article is confusing time spent vs. passion for something. Coming from software engineering, security is no different than any other technical profession: if you don't love what you do, you probably won't be very motivated to learn, and thus you probably won't be very competent. You need to have the passion. This doesn't need to manifest itself in 80 hour work weeks.
There's a whole contingent of "infosec ninjas" that think there is some type of bushidō bullshit going on, where if you aren't constantly training for your pentesting job like it's a martial art, you aren't capable of doing your job. In my experience, these people are often the most insufferable to work with and driven more by ego and power fantasy than the desire to tinker or craft.
Security is part of my "lifestyle" just as coding is. I work on security-related stuff outside of work not out of obligation to practice infosec kata, but because I actually like it. Some weeks I don't do anything outside of work other than browse /r/netsec or HN; some weeks (like this one) I'm writing some tools for myself to make a code audit easier.
I think it's true that most passionate people will engage with their field more than 40 hours per week, simply because it's a passion. But hell - some weeks that could mean reading a good novel on the topic, with no direct value to your work. I keep up to date on a bunch of aspects of computing and mathematics because they interest me, but that feels completely different from working long hours and 'training' constantly.
Turning "be interested in your work" into "put in 80 hours, train like you're in boot camp" seems like a silly way to act tough (and exclude people with families or hobbies from a field). Your point, actually caring about your field, seems much better.
I wouldn't automatically discount someone who put the OSCP on their resume, like I would the CISSP, CEH, and Security+. Any experience, even non-pentesting, would probably trump it though.
IMO that should be "avoid current certification". Avoiding all certification for all eternity would imply that training decent pentesters/hackers is something that cannot be done in a controlled, methodical way. Which would be a setback for the entire infosec industry, IMO, because I do think that such a thing is possible (infosec is not a special snowflake).
I think OSCP is actually a big step in the right direction. The harder challenges in their training network force you (and encourage you) to deeply investigate the underlying security issue. That part of the training actually focuses on the underlying conditioning that you need to become a good pentester, as shown by their slogan 'try harder'.
It's the same thing that armies the world over do. The army also realized that knowing everything there is to know about tactics and how to operate a weapon is not enough; soldiers also need to be aggressive and need to be conditioned to be able to effectively engage an enemy. So there's training designed to increase a soldier's willingness to fire upon enemies when ordered to.
The same goes a bit for this training, where underlying simple technical guidance is provided at the start of the training, and later a trainee is left to themselves and pushed to investigate on their own, something that I'd recognize as one of the cornerstones of a successful hacker.
Still, I'd also avoid hiring a person for a technical position if all they can show is a CISM/CISP/w\e
I do like the ones that offer memory corruption/exploitation challenges, but those are few and far between.
So how do you get through the HR wall? Padding a CV with keywords is a common way to get an interview. I'm an embedded systems engineer looking to move closer to IT security, so how do I get there without experience and certifications, as virtually all jobs require one, the other, or both (except junior positions, but I'm too old to start from the very bottom)? I do learn a lot in my spare time, but you still need to get a chance to demonstrate your skills, which is impossible if your CV is discarded as "requirements are not met" (a.k.a. not enough keywords on the CV match the ones in the job description).
A decent company will have your future colleagues heavily involved in the hiring process, and they'll know how to chat to you about security.
This elitism is not helpful. There are finite employers in the world, and many of them do screen based on keywords. That's reality. Applicants who are entering the job market might not always have the luxury of disregarding n% (where n most likely > 75) of their potential employers based on stuff like "oh well any real company wouldn't screen my resume..."
But chances are if someone is browsing HN they're at least genuinely engaged enough to do better than that. You're advocating for people to shoot for average; I'm suggesting not to settle.
From my perspective, I'm advocating that people don't inadvertently shoot themselves in the foot. They might not yet be qualified to work at Matasano or [insert top tier security shop here] : not everyone is.
Assuming someone isn't (yet) qualified to work with their dream employer, what do you suggest they do? "Don't settle" in that scenario sounds a lot like "be unemployed". I'm straight up saying it's better to build up skills at a job - even if that job isn't their endgame.
But I think in this case, the issue might be that rather than one job being the first step to the other, we're talking about two totally distinct tracks. If a company is sufficiently shoddy and certification-happy, it's possible that they don't even provide meaningful experience for someone seeking the top-tier options. You might be better served by hardening systems at some general software job than getting an entry-level security job and blindly throwing Nessus at clients' systems.
Of course, but you still have to get to them first, as no sane company makes their engineers do 1st-round CV screening (especially for publicly announced positions where tens or hundreds of CVs come in). From my personal experience, a technical interview with an engineer is usually only in the 2nd/3rd round, so we are back to square one. Yes, I know the best positions are filled through networking and recommendations, but that's not an option when you live outside of tech bubbles.
I started MicroCorruption and RE flummoxes me. I keep coming back to it because I can tell how weak I am, and it has pissed me off for 2 years. Even in OSCP I get bent out of shape on my insufficiency there and never focus on other stuff.
I don't want to be a Metasploit jockey. Where to from here? Online CS courses in C and ASM, and work my way up? I don't have a degree in it.
You don't have to do RE to be in software security. There's virtually no assembly-level RE in web application security, and very little of it in mobile security. Both of those specialties are more lucrative than RE, a specialty where maybe the top 10% go to high-status RE and exploit dev careers, and the other 90% go to low-status malware analysis and SOC jobs.
My advice is to pick a technology stack you really like and get comfortable with it at a nuts and bolts level, and then build security expertise on top of that. Maybe that's iOS and Swift, or maybe it's web and Django, or maybe it's distributed databases. Pick something, get good, and then be a security expert for that thing.
Rather, avoid certification if you just want to have 20 lines on your resume to look like a ninja and brag. I'm a hiring manager in infosec, and same deal: if you brag about certs I start to tune out.
Why? Is that something that can hurt your abilities, or your employment prospects?
As for job prospects, generally certification won't get you into companies that are only looking for talent as opposed to a checklist of certifications (the former is usually where all of the really interesting work is done). So wasting time on a certification that won't help you is putting you behind people that don't waste their time with certifications.
> Certification in a field such as vulnerability research
OSCP is basically tool-based network pen testing with a bit of outdated websec and buffer overflows thrown into the mix. It's not "vulnerability research" in any meaningful sense of the word. They have some other certs (OSCE) that might purport to target that domain, but idk much about them.
> As for job prospects, generally certification won't get you into companies that are only looking for talent as opposed to a checklist of certifications
So apparently OSCP won't get you a job at Matasano - but they're not the only game in town, and a lot of other security shops with less name recognition and lower standards do in fact use the OSCP as a positive signal.
No, it won't be l33t but it will be a job that they can use to transition to those fancy schmancy companies whose founders are HN regulars.
So in that sense, they do care about OSCP.
lists OSCP and CISSP and a bunch of other certs.
So I guess they care about that.
Now, how about you name the pentesting firm that does not list any certs.
A lot of good employers know this, and put zero weight on certs. Or as tptacek mentioned, possibly even consider it a bad thing. If I see a CV with CEH, I go in with an open mind but aware it's probably going to go poorly. I'd rather see someone who bought a stack of books, wrote some vulnerable code to attack, asked for advice from people; demonstrated they could throw themselves in and make it up as they go along.
How about if they just had a job in VB.NET for a year and then worked in other languages for five years?
I guess it's a very fine difference.
I think that's a fairly sweeping judgement to make, and not entirely accurate. I think it says more about your own experiences than those of network penetration testers.
You could equally cast the aspersion that red teamers are little more than Microsoft Office power users and occasional part-time domain admins and fall just as far outside of the mark.
The speciality is certainly demanding. The generalisation is not. The difference is that scan and scram artists and PCI scanners get lumped into the more general area associated with network penetration testing.
When done properly, network penetration testing is inherently valuable, not just from a security perspective but from a network discovery and debugging perspective.
I think your point on network testing (and indeed points 2 and 3), are shining examples of navel gazing within your own experience. Perhaps it's best not to belittle an entire subsection of the industry you spent so long in all at once, but to ask yourself why you believe this to be the case and wonder where you may have gone wrong in this assertion.
> 2. Don't get certificates
I am progressing through my CCNP and LPIC-1, mostly because I want to get recognized for my skills, but I also see them as a guideline for what to learn next, kind of like a ladder. Maybe one day I will get to the top of the ladder and have nowhere to go, but for now I think that certifications lay a path for me. What do you think about that?
Is there something else? ;)
Honestly without joking, as the OP said, having this as a passion or lifestyle is going to accelerate your proficiency compared to the others.
My feeling is that it's not an absolute prerequisite, just a tremendous accelerator.
I started "having a life" maybe 15 years after the beginning of my hacking passion ;) though my wife would argue about that ;)
No. The author counted learning (perhaps including going to meetups and watching DefCon videos) in it.
> If people writing browser drive-by exploits can stay on top of their game with a 40 hour work-week, I think the netpen people can too.
He clearly stated he loves learning. The amount of stuff you can learn around every possible vulnerability is virtually unlimited.
I like to think of myself as a decent programmer, but I'm not well versed in software security (more of a hardware person). I've also never had a full-time job as I jumped straight from my BS to a PhD.
I'm considering taking some security-related courses next year and getting my MS. I have two options after that: 1) look for summer internships in the field of software security and see if I like it, or 2) look for full-time positions and withdraw from the program temporarily to test the waters. The issue with 1) is that there are fewer intern positions available, at least based on what I've seen.
Am I approaching this correctly, or is there something else I could do? Any advice is appreciated!
Thanks for the advice :)
Not having any work experience means you'll go through "University Recruiting" (vs experienced hire) recruiting channels at any large company. This gives you tremendous freedom to explore a variety of careers as employers will only be able to judge you by your academic credentials and you won't be pigeon-holed by your professional experience. Use this to your advantage and explore as many careers & companies as possible.
Your internship will be your first professional anchor point so choose wisely - you may consider starting with a broader, more general software engineering experience before specializing to keep your options open.
I googled, but I didn't manage to find out what "netpen" is. Network Penetration? I'd assume that virtually all relevant security stuff is network related these days so I'm still confused. Which are the other specialties and why are they more demanding?
Pentesting itself can be quite a broad field, and although you’re right about a lot of it being network-related, it typically gets split into categories depending on the exact type of pentest (e.g. application penetration testing, wireless pentesting, embedded devices, SCADA/OT systems).
You could get into a debate on which areas are more demanding, but as you get deeper, they do require different skill sets/specialities/ways of thinking. Someone who’s great at web app pentesting may not necessarily be fantastic at RE or social engineering.
Compare that to say, cryptography or code review, which typically require fairly deep specific knowledge and a lot of intense focus, as opposed to broader knowledge and a willingness to try a lot of different things.
Most findings in netpen reports I see are basically that something wasn't configured correctly, or that one of the 10k employees had a weak password, or someone got phished. I often chuckle but rarely am surprised or learn too many new things.
I squandered away my 20's and 30's on 80-hour work weeks. It was never expected of me, I just loved my job and did it anyway. Yes, there have been benefits, but today I feel I lost more than I gained.
At the time I would've dismissed you and your comment as you do OP's. Life just isn't that black and white.
Working at your job 80 hours a week = a waste. Always.
HOWEVER, spending 40 hours a week engaged with something you enjoy and are interested in is a perfectly fine way to spend your time.
But what, I hear you ask, if I enjoy my job? Well, what about the job do you enjoy? See, if it's the work, chances are you can freelance, self-study, build stuff for yourself, in the same field, and get the same impact, AND you're free to do it how you want, free to learn whatever lessons you want, AND to capture any value it may add for yourself, rather than giving it to your employer.
This person is spending their time learning. I.e., investing in themselves. I disagree with their statement that that's required for their job, but it -does- likely make them better at their job than they'd otherwise be, and so long as they enjoy it, I can't find fault with it. But it shouldn't be a burden.
Well, the best way to negate that advice is to put out your own and show that someone can achieve the same with a much smaller workload. Any other argument is simply an opinion. I certainly don't want to work 80 hours a week, even if I know that I can get a lot more done in that time. However, depending on what it is you're trying to do, putting in 80-hour weeks might be perfectly appropriate. If you want to be simply the best in the world at anything, you simply have to put in a LOT of work. I'm not saying it's 80 hours or 56 hours, but yeah, if being average or good enough is OK, then work-life balance is very achievable.
To me this was money well spent.
Thanks for sharing.
Edit: To expand on the cert topic... if you want to do computer forensics for law offices, police departments, etc. You'll need a technical cert (GCFA, etc.). And having a CS/EE/CE degree won't hurt either. You'll have to have a cert to do serious forensic work.
I know far more people that moved from Security to development than the other way around. Security work has become less pioneering and more routine. The fun part of security is learning, not work.
The demand for developers increased faster than infosec and so did salaries.
Also the article was a great read. Pinning it to go over again on the weekend as my lunch is now over.
When interviewing for my current company, my first full-time job, I was given a vulnerable web application which they used to assess whether I could do the job (next to a regular interview). I aced this hack test, but due to it being my first full-time job they still scaled me in as a junior.
Overall, if you know your thing, you can just go and interview with companies that do security. Specifics, such as a workflow when performing a security assessment, are specific to a company anyway. With some semi-related work experience (many colleagues have a programming background) you should be able to come in above junior too.
As for where to get the skills: hack something. My study gave me dedicated time to spend on it, but even in high school I was writing code, sharing it with others, and we had fun poking around each other's applications security-wise. That's how I truly learned: doing.
Which I've dabbled in, and haven't gotten further than what I already know from my CS education, but the consensus seems to be it's a good book to learn from.
Is blue better than black?
Do red pens last longer?
Red/white may not know how bad and hostile reality is.
Ps: no, there's no comment about ethnicity in this comment.