Hacker News new | comments | show | ask | jobs | submit login
What I Wish I Knew Before Studying Computer Security in College (matthewdfuller.com)
92 points by cddotdotslash 1450 days ago | hide | past | web | 56 comments | favorite

Another thing to know is that computer science != computer programming. In some cases, students can get through four years without becoming really proficient in any one language, and can largely escape things like version control systems. It's probably going to be up to you to learn those things on your own.

And when computer science academics try to do programming, they often get it wrong. Having been academically sucessful during my undergraduate degree, but sidetracked by my career, I was recently looking at a prospectus for a one year post-graduate (honours) degree from a South African university, and, although their coursework seemed appealing, they have a strictly waterfall-based year project. They go to some lengths to justify their position (presumably they have been challenged on this) by claiming it conforms to a British Computer Society model. I doubt many programmers who have done real-world programming give a rat's ass about methodology prescriptions by the British Computer Society, but those who pursue the degree grit their teeth and bear it, or are put off, and don't bother pursuing it. I fall into the latter group. If many more prospective students with real-world experience share my opinion, all it does is isolate the academics and prevents them from learning more about the real world.

University coursework always lags industry best practices, so this isn't really surprising. Furthermore, the South African industry requiring degree'd software engineers almost all still follow a strictly waterfall process, being mostly the defence industry following DO-178 processes. Other firms not in defence also mostly have fixed features / cost contracts they are developing for, which fits the waterfall model of development.

Furthermore, the South African industry requiring degree'd software engineers almost all still follow a strictly waterfall process, being mostly the defence industry following DO-178 processes

Interesting, I know one programmer who worked in the SA defence industry, and was later retrenched, but that's just anecdotal. Do you have a source for this assertion?

Other firms not in defence also mostly have fixed features / cost contracts they are developing for, which fits the waterfall model of development.

I have to disagree with this, but since the "waterfall"-versus-agile debate has been done to death before, I won't rehash it here.

University coursework always lags industry best practices, so this isn't really surprising.

This is an honours degree from a brick-and-mortar university, so the curriculum lag argument is a bit weak. I understand that an undergraduate degree being taught to hundreds of students may take some time to be updated, but at post-graduate level, I would expect a bit less dogmatism. Come to think of it, during my undergraduate studies, about 10 years ago we learned about agile methodologies and iterative development.

No I have no source, only my own experiences. I have a couple of friends / colleagues / class mates working in various sectors of the industry. Saab, Denel, Armscor represents my comments on the DO-178 work. Saab actually implements scrum, but from my understanding it is more like scrum bolted on to waterfall :D. I have also been in a couple of interviews lately, specifically at ATE / Paragon, C-Track, Grintek and RapidM. All basically have the same Waterfall methodology.

Now I was careful to state that it is the case with businesses requiring degreed engineers. Web development shops in SA probably follows a more agile approach, the only one I know of, Entelect for instance is fully agile as far as I can tell, but I don't really know anybody there.

It could also be that only me and my network is experiencing this, it is all anecdotal, but then again, I doubt there is some kind of study that can give you a better picture.

I am based in Centurion in case you were wondering.

Also its not about if Waterfall / Agile is best, its because the contracts are generally setup with fixed deliverables, which suits waterfall best.

Lastly even with honours degrees the curriculum is set, and the professors aren't too keen on changing it too often.

Waterfall is a perfectly valid method of developing software I woudl hope that a degree program woudl cover a number of models of software development.

Back in the day I got a recognition award for two projects in a row first was a classic waterfall project (a management system for the Uk's SMDS network) the next was full on RAD/DSDM (early web development).

Can you elaborate what you mean by waterfall? Did you have a prototype? I am confused because to my knowledge it has only ever been described as a way not to do things.

"The first formal description of the waterfall model is often cited as a 1970 article by Winston W. Royce,[4][5] although Royce did not use the term "waterfall" in this article. Royce presented this model as an example of a flawed, non-working model."


Actually it was BT's own ISO 9000 based system we spent about 7/8 months on the design/spec stage then 2 of us plus an oracle contractor did the development in a 12 week sprint - so it was a sort of hybrid approach.

SMDS/ATM was fairly new at the time our system was designed to manage the kit in the exchanges so that you didn't have some one accidentally shutdown the entire janet university network.

personally i kind of regret having studied anything close to computer science.

I recently spent a year working for a university in the states. one of the guys in the institute teaches cs too. he was completely incapable of not only doing, but also accepting anything remotely common sense for anyone who's ever built a web project after 2008, while at the same time patronizing every one else.

if you don't feel like writing some cs papers you're better off studying pretty much anything else and learning computer programming and computer science on the side. if you're really good at programming chances are studying cs might result in you losing interest in the topic.

I think learning Computer Security without learning some programming and systems is like majoring in mechanical engineering while trying to avoid physics - it's hard to get a deep level of understanding and you rely on generalizations and abstractions.

How can you truly understand a buffer overflow attack without having some knowledge about pointers? Kudos to taking the time to try to understand as much as you can about your field.

Completely agreed.

You can't expect to be competent at information security / computer security without being at least decent at programming. There are many different kinds of concentrations, like application security (which could be native code or web apps or both), network security/defense, penetration testing, forensics, etc.

Programming can play a big role in all of those, though. Everyone should have a good fundamental understanding of assembly and C, good knowledge of at least one scripting language, and an ability to write and test web applications. Else you're either doing some really specialized work, or more likely, you're a beginner and/or incompetent.

Absolutely. I think your example puts this more eloquently than my point. Having the deep understanding and background is really critical. Everything else can be added on top and as you go while in the field.

As a, possibly self proclaimed, security expert I'm not particularly impressed with the blog posting. Why? The premise is that Computer Security is a pinnacle and now the protagonist is looking back, it looks a bit lame and has a feeling of being duped!

In the posting you could probably replace "Computer Security" with any other vocationally targeted course. So let's pick "Competitive Baking". Baking is hard (seriously, try it yourself), you need to achieve consistency, be meticulous with picking the ingredients and develop a reliable process. Nobody is just going to give you the recipe so you can say "I'm the best" (apologies to Peach).

Specialized, "getting you ready for the industry" courses developed and taught by an academic isn't going to make anyone satisfied or achieve excellence. The academic probably hasn't worked in the industry (in the USA they've probably spent lots of their time trying to get tenure) and, when developing the course, was just projecting what they thought a "real job" would entail. Most academics will not have the experience to do that. This is alluded to in the blog entry (point 2.) where programming was required for an internship. The tone suggests that this was a "surprise".

In the real, non "Ivory Tower" world of computer security, programming is required. Computer security requires creating new or changing existing programs.

If you are just coming out of college, hiring managers are looking for what you can do in the future. Experience is something someone can bring to the table NOW, college grads are unlikely to have that experience. So, if you have a broad and comprehensive understanding of the fundamentals; all the hard theoretical computer science things, you will have an outstanding base from which to build on.

The other path to a job is by savants who get their skills by doing (and demonstrating) and figuring it out themselves. Savants are rare.

In the end, it is all about what you add to the frosting on the cake. (see baking above. The cake is not a lie).

2 is particularly relevant and more than solid grasp of CS is required depending on what you choose to do within the field. Malware Analysis for example can require understanding data structures, calling conventions, x86, compiler internals, etc.

Security is actually one of the few fields where I think you see a really interesting mix of theoretical and applied CS. Things like complexity theory, formal program analysis, etc pop up quite often.

The biggest suggestion I can give to students in CS is to find a focus (like this link was Security). Without that, after graduating with your Bachelor degree, you won't have a specific interest. If its academic and you're really interested in neural networks, awesome, latch onto a professor with that focus and never let go; if its more outside the box like audio manipulation (as one of my colleagues did), go crazy and join a community with that focus.

I personally went for my Master degree because I really didn't feel like I'd found a purpose to my CS degree. I KNEW programming, but had nothing driving me. After grad school and a startup, I now know my interests are embedded systems and image manipulation.

I'd just add take a few classes outside your chosen field (and required courses) in an area of secondary interest. You get acquainted with different people, get a different perspective, etc.

My main undergrad was actually originally BioChem, which I flipped over to straight Chemistry and added Computer Engineering because it was easy. I never worked in the Chemistry field. I threw in Lit and Politics classes (upper div/grad level) just to meet and discuss different topics with different groups of people.

All too often if you pick an impacted degree, need to take lots of the same classes with the same people, and are spending all your time on that subject you will miss out.

I almost suggest having a different interest and taking CS courses to compliment it. CS is generic enough that without something else that you can use it on, it seems pretty bland.

I agree. Having a concentration in a subfield (Distributed Systems, AI, Security, etc) gives you the ability to read papers (both classics and new research) in that field and have the ability to stay current with new ideas & techniques.

> The rate at which technology is changing is absolutely insane.

By the time you graduate, most of the things you learned are obsolete. My advice is to grok the fundamentals, the concepts that don't change. Then absolutely learn to use Google.

The obsolete stuff I studied at university almost 20 years ago:

Network and hierarchical (now called "NoSQL") DBs, the problems they caused and why they were replaced with Relational DBs.

Functional programming with a derivative of Haskell called Gofer

Parallel and distributed computing techniques (including stuff like SIMD, Message queues, Event driven programming). Wrote some Erlang.

I hear this a lot, but it seems like the most commonly used languages are all around 20 years old (with C, C++ being even older).

I suppose if you went to college in the mid-90s this may be true since you would have seen the invention of Java, JavaScript, and Ruby.

I can't see why seeing the invention of a language is significant in this respect. Schools are worse at keeping up their curricula with new technology (at least where I live), so if a language were invented while you're in college, I don't think that language will be taught while you're there.

I went to college in the late 90s through early 2000 and we were taught (introduced would be more accurate) Pascal, C++ and Visual Basic. When I graduated, the language in demand was PHP.

I think in the late 90s / early 2000s the big language to teach in university was Java, which is still basically true today.

As to the invention of a language being relevant, it's only relevant depending on how you define a previous language as being "obsolete." I was trying to play devil's advocate with my own point, and concede there may have been times in history when a lot was made obsolete during a 4 year period. The industry isn't really any swifter than academia though, which is why we still use 20 year old languages.

Its 2013 and in my university, the first programming courses are taught on pascal and modula2.

I think that later they teach you in C++ and Java at least...

I understand that you should use the right tool for the job (in this case teaching) but the basic concepts(and in general most difficult to get, because you dont know anything, not because the concepts are really that difficult) are almost the same on all languages

"My advice is to grok the fundamentals, the concepts that don't change."

That is what a Computer Science degree should be teaching - not the latest programming language and/or revision control system.

A CS degree makes a pretty poor introduction to software development in the same way that a physics degree makes a pretty poor introduction to bricklaying.

How can a working developer transition to security? Just apply to 'security' jobs?

I've been reading a lot and managed to complete a couple of those exploitation wargames and hack some web apps but am in a completely different domain.

Go to blackhat and network.

Security people who are coders is a sweet spot.

In my opinion, the most helpful text for transitioning from development to security would be:


Beyond that add in a bit of system administration knowledge e.g. in-depth knowledge of operating systems and networking, and you have everything you need to break many many systems!

Learn to see how things break. Most developers have a vision of how things should work. Good security developers have a vision of how things are brittle.

Risks Digest is a good, low volume, high signal to noise place to just soak in the idea of systems break (both accidentally and by malice).


It really depends on what type of security you want to be involved with. If you're interested in appsec (which I think is infinitely more interesting than network security, but obviously, other's opinions will differ), then web security is a good place to start.

I've spent the bulk of my career doing application security work, so I have less advice to give about other aspects of infosec (which like the article says, really is a large field).

But, (and this is fairly generic advice, received from a disembodied pseudonym on the internet) you can do a lot worse than just picking up a copy of the Web Application Hacker's Handbook, download the free version of Burp suite, set up a VM and install some old versions of popular CMS's (or bulletin boards).

EDIT: Here's an old comment by tptacek that recommends something similar for starting out (so at least two people recommend this): http://news.ycombinator.com/item?id=5266939

I don't find a lot of value in CTF's (again, other people obviously feel differently), and I disagree with the other person who recommended you go to Blackhat.

Security conferences can be great, but I wouldn't go to Blackhat as your first (I actually wouldn't go to Blackhat unless your work was sending you, or you're speaking there). You can't throw a rock without hitting ten security conferences nowadays, so I'd start with ones more local to you (which will have the added benefit of having attendees who are also more likely to be local to you).

Based on your HN profile, it looks like you might live in Austin? If so, there are plenty of companies hiring security folks (actually, almost everywhere there is a crazy unmeetable demand for security professionals).

If you're a developer, you've already got an advantage over 95% of the people working in Infosec. That sounds like an exaggeration, but people seem to have a hard time understanding the disconnect from the relatively small "hacker" community and the much much larger corporate world where "senior pen testers" don't know how to do anything above and beyond kicking off a network scan.

I'd like to think that the appsec world is a little more advanced, but I think that's just me rationalizing. The bulk of people doing corporate appsec work (by which I mean consulting) are just running WebInspect (or something equivalent). That's why if you spend any time in the infosec community, you'll hear countless tales about how difficult it is to hire good people.

If you have any specific questions, or just want any advice, feel free to email me (my email is in my HN profile).

You could do all the Matasano crypto-challenges, for a start.

#5 will never go out of fashion. Lots of technology changes quickly, but being able to communicate with your peers and stakeholders (the people writing the checks) is a key skill that you will use for the rest of your life

"While coursework is certainly important, there is so much more to experience in college than just going to class and returning home. Take advantage of the discounts and offers you get as a college student (including many security conferences). You have just about four years to shape the rest of your life; remember to shape it evenly."

I've just finished my B. Sc. and I wish I had understood this before. I wasn't an straight A's student, but I definitely could have spent more time socializing.

The idea of a "computer security undergrad degree" is pretty silly; I'd expect it of a 2-year for-profit school like DeVry or maybe University of Phoenix, not a real 4-year school.

It's great to have some courses in various parts of computer security, but being a good developer is a better entre into appsec, and being a good CSE and thus going into networking (ideally, through a combination of vendor training and hands-on; it's more an ops thing than a pure architecture thing) is a better way into netsec. EE for hardware security. etc.

I don't actually know of any non-crappy schools with a "security degree".

I was wondering what a 'degree in computer networking' consisted off. Entry level Cisco and Microsoft certs and then sending you on your way?

On #6, I remember doing an evening 'sysadmin' course many years ago with some friends. The class notes were for the previous major release of BSD than the one we were using, and the instructor was useless. When asked about a problem, he'd just stand there going 'hrm' until you figured it out.

The three of us learned more from trying to follow the class notes and figuring out our way past the breakages than from the actual structure of the class itself.

> The class notes were for the previous major release of BSD than the one we were using

The fundamentals should barely change from version to version (indeed: many command line tools under UNIX are decades old - which - of course - does not mean that they are bad). So if you learn them with the previous version, it should be really easy to get the small differences to the current version.

I can't really imagine anyone actually believing #2.

I can't imagine the existence of a security professional who hasn't already met someone who does.

They are out there, and it's nearly impossible to get them to understand why they remain in entry-level positions for so long.

They don't get that to break programs, you have to know how to make them? While I'm here, what do you do in an "entry-level security" position that isn't programming, anyway? Firewall configuration?

As the article stated, the field of security is huge. According to NIST, there are over 40 sub-specialties.

The example that immediately springs to mind is a low-level CND position. Sure, the ability to program would make you a better CND analyst, but we have already agreed on that.

And they don't understand, no matter how many times they are told, that you have to know how an attack is executed in order to defend against it.

Just come to a college campus during the time of year when potential students are visiting. You'll quickly see how many of them are all about "hacking" without any interest whatsoever in any other concepts that encompass computer science, programming, or other fundamentals.

#12 Don't hook your computers to the internet.

I am taking the computer security classes from coursera, which are pretty interesting and well taught. Strikingly however, almost all of the people visible in the videos have a really high BMI and seem more stressed than I would expect. I wonder if computer security is one of those fields with extremely high stress levels...

"An intruder only has to find one way in, you have to find all the ways in."

Yes, but he's not going to break into your office and knock you out...

I guess the social interactions and the emotions about being attacked contribute to a higher than average stress level. The emotions will be heightened by stakeholders in your organization who look and behave a lot more likely to knock you out or do some other harm to you.

I'm pretty sure that all of these points still apply if you substitute "computer security" with any other sub-field of computer science.

In particular, internships! I've learned the hard way that these are very important. Don't plan on having summer vacations free to do things, that's a thing of the past.

I know what I wish I had known before taking my first CS Class.

The real money is in Management, and the girls are cuter in the business classes. (Please don't flame me I know there are plenty of cute girls in CS, there were 3 girls in my class of 600. So they were there but they were too far away to tell if they were cute)

3 out of 600? Damn. Slim pickings, aye?

In my computer engineering class of 250 students, there was only one girl (the class of one year prior had 0 girls) - and this was after aggressive affirmative action programs to attract more girls.

Honestly I just felt sorry for the poor gal, she always seemed very embarrassed being the only girl in the class, as if she made the wrong choice by being there or something.

It often made me wonder, should school administration be actively thinking of the social dynamics that play out with this kind of imbalance? You're going to have a few frustrated boys in a situation like this... and a few exhausted gals (they have to say 'no' often). What do you do, if you're in that hot seat. Do you worry about these things, or do you keep trying to admit new students purely on a merit basis?

I agree it's a very tough situation for everyone involved, and there seems to be no good short term solution to this issue. The only thing that can be done is to create long term interest in Computer Science among girls and to support the decision of those girls who've already decided to try CS.

What's interesting at my school is that there are more girls even in Electrical Engineering than in CS.

So this means that CS truly has the most messed up girl/guy ratio probably out of ANY major at my school (it's a huge state school too)

As a guy it's frustrating because it creates a barrier to easily meeting girls in your major, an advantage that many other people have. I can rarely work on my school assignments with girls, or talk about common classes with girls, or anything similar to that kind of interaction that should exist within each major.

Sure, I'll make 6 figures guaranteed when I graduate, but at what cost? I really do love what I do though so the passion for that encompasses all. Yet at the same time it'd be foolish to ignore issues like this and pretend they're not a problem, because they definitely are.

Though we're getting pretty meta from the main topic, I think part of the problem are parents that don't encourage their daughters to go into hard sciences and engineering more. Until parents abandon some of the long held stereotypes of roles and jobs that boys and girls should have when they grow up (as well as the type of toys they should play with), it's going to be a struggle to find more of a balance in many of the hard science degree programs and careers.

Computer Science and Computer Engineering sadly end up being viewed in the same light for boys as Nursing is for girls. That is, there is a long standing cultural notion in the United States that girls are supposed to be nurses and boys are not, despite how silly that all seems. It's even more perplexing, since many of the early computer scientists were women, just as many of the nurses starting in the 19th century were founders of their modern profession (with the Crimean War and the American Civil War).

Institutions may try to shape and encourage change, but it comes down to the parents understanding that roles and jobs should be independent of one's gender and reinforcing that notion in their children. Especially in the United States where parents play a large role in the intended degree of their children because they are generally expected to help pay for part of the tuition. A school may suggest a degree for a student, but in the end, a parent may be the larger factor in a student's degree choice.

That's not entirely true, as there are plenty of women in the life sciences (unless we were to spark an internecine war within STEM by claiming that bio and medicine aren't the hard sciences). Anecdata seems to show that there are also more women in physics, math, and other engineering such as civil or even mechanical and electrical than there are in CS.

One possible cause may be the traditional nerd stigma that afflicts CS. In recent years it's broadened up, though ironically now there's a small fratty brogrammer subculture in CS. (Though not in academia, I feel, but in the startup industry that follows.)

I know there's more, but the numbers are still far from even in many hard science & engineering degrees. I started out in Civil Engineering and even there, the ratio of guys to girls was scarcely better than when I transferred to Computer Science (this was in the few degree specific courses I took as well).

I do consider Bio and Medicine to be hard sciences and you are correct the gender imbalance is significantly less than some other science fields. However, it seems to be more acceptable in American Culture for parents to accept their daughters going into those types of degrees perhaps due to the relation to traditional career paths women have gone into (such as nursing). If that's true, it's rather sad and hopefully such preconceived notions die out in the near future.

I'm curious though as to how many female students end up going into Computer Science or Engineering because a family member or parent was in one of those fields. I have a few female friends either pursuing or have obtained a degree in Computer Science and each had at least one parent that was in a related field.

Good point. By being the only gender type in the class I could see it being hard to even want to stay in there in general.

Michigan State 1997. 3 might have been an exaggeration but not by much. The Lab instructor was female, and there were maybe 12 at the start of the semester, but a few dropped, and on any given day only 75% attendance so it sure felt like there were none.

Line Dancing Class was the opposite, 62 Girls 5 guys. Two of the guys were a couple. 1 of the guys was married to one of the girls.

I would have gone in to line dancing as a career but I don't really like the music, and I'm not sure how much money there is in it.

Applications are open for YC Winter 2018

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact