Interesting, I know one programmer who worked in the SA defence industry, and was later retrenched, but that's just anecdotal. Do you have a source for this assertion?
Other firms not in defence also mostly have fixed features / cost contracts they are developing for, which fits the waterfall model of development.
I have to disagree with this, but since the "waterfall"-versus-agile debate has been done to death before, I won't rehash it here.
University coursework always lags industry best practices, so this isn't really surprising.
This is an honours degree from a brick-and-mortar university, so the curriculum lag argument is a bit weak. I understand that an undergraduate degree being taught to hundreds of students may take some time to be updated, but at post-graduate level, I would expect a bit less dogmatism. Come to think of it, during my undergraduate studies, about 10 years ago, we learned about agile methodologies and iterative development.
Now I was careful to state that it is the case with businesses requiring degreed engineers. Web development shops in SA probably follow a more agile approach; the only one I know of, Entelect, for instance, is fully agile as far as I can tell, but I don't really know anybody there.
It could also be that only my network and I are experiencing this, it is all anecdotal, but then again, I doubt there is some kind of study that can give you a better picture.
I am based in Centurion in case you were wondering.
Also, it's not about whether Waterfall / Agile is best; it's because the contracts are generally set up with fixed deliverables, which suits waterfall best.
Lastly, even with honours degrees, the curriculum is set, and the professors aren't too keen on changing it too often.
Back in the day I got a recognition award for two projects in a row: the first was a classic waterfall project (a management system for the UK's SMDS network), the next was full-on RAD/DSDM (early web development).
"The first formal description of the waterfall model is often cited as a 1970 article by Winston W. Royce, although Royce did not use the term "waterfall" in this article. Royce presented this model as an example of a flawed, non-working model."
SMDS/ATM was fairly new at the time; our system was designed to manage the kit in the exchanges so that you didn't have someone accidentally shut down the entire JANET university network.
I recently spent a year working for a university in the States. One of the guys in the institute teaches CS too. He was completely incapable of not only doing, but also accepting anything remotely common sense for anyone who's ever built a web project after 2008, while at the same time patronizing everyone else.
If you don't feel like writing some CS papers, you're better off studying pretty much anything else and learning computer programming and computer science on the side. If you're really good at programming, chances are studying CS might result in you losing interest in the topic.
How can you truly understand a buffer overflow attack without having some knowledge about pointers? Kudos to taking the time to try to understand as much as you can about your field.
You can't expect to be competent at information security / computer security without being at least decent at programming. There are many different kinds of concentrations, like application security (which could be native code or web apps or both), network security/defense, penetration testing, forensics, etc.
Programming can play a big role in all of those, though. Everyone should have a good fundamental understanding of assembly and C, good knowledge of at least one scripting language, and an ability to write and test web applications. Else you're either doing some really specialized work, or more likely, you're a beginner and/or incompetent.
In the posting you could probably replace "Computer Security" with any other vocationally targeted course. So let's pick "Competitive Baking". Baking is hard (seriously, try it yourself), you need to achieve consistency, be meticulous with picking the ingredients and develop a reliable process. Nobody is just going to give you the recipe so you can say "I'm the best" (apologies to Peach).
Specialized, "getting you ready for the industry" courses developed and taught by an academic aren't going to make anyone satisfied or achieve excellence. The academic probably hasn't worked in the industry (in the USA they've probably spent lots of their time trying to get tenure) and, when developing the course, was just projecting what they thought a "real job" would entail. Most academics will not have the experience to do that. This is alluded to in the blog entry (point 2.) where programming was required for an internship. The tone suggests that this was a "surprise".
In the real, non "Ivory Tower" world of computer security, programming is required. Computer security requires creating new or changing existing programs.
If you are just coming out of college, hiring managers are looking for what you can do in the future. Experience is something someone can bring to the table NOW; college grads are unlikely to have that experience. So, if you have a broad and comprehensive understanding of the fundamentals (all the hard theoretical computer science things), you will have an outstanding base from which to build on.
The other path to a job is by savants who get their skills by doing (and demonstrating) and figuring it out themselves. Savants are rare.
In the end, it is all about what you add to the frosting on the cake. (see baking above. The cake is not a lie).
Security is actually one of the few fields where I think you see a really interesting mix of theoretical and applied CS. Things like complexity theory, formal program analysis, etc. pop up quite often.
I personally went for my Master's degree because I really didn't feel like I'd found a purpose to my CS degree. I KNEW programming, but had nothing driving me. After grad school and a startup, I now know my interests are embedded systems and image manipulation.
My main undergrad was actually originally BioChem, which I flipped over to straight Chemistry and added Computer Engineering because it was easy. I never worked in the Chemistry field. I threw in Lit and Politics classes (upper div/grad level) just to meet and discuss different topics with different groups of people.
All too often, if you pick an impacted degree, need to take lots of the same classes with the same people, and are spending all your time on that subject, you will miss out.
By the time you graduate, most of the things you learned are obsolete. My advice is to grok the fundamentals, the concepts that don't change. Then absolutely learn to use Google.
Network and hierarchical (now called "NoSQL") DBs, the problems they caused and why they were replaced with Relational DBs.
Functional programming with a derivative of Haskell called Gofer
Parallel and distributed computing techniques (including stuff like SIMD, Message queues, Event driven programming). Wrote some Erlang.
I went to college in the late 90s through early 2000 and we were taught (introduced would be more accurate) Pascal, C++ and Visual Basic. When I graduated, the language in demand was PHP.
As to the invention of a language being relevant, it's only relevant depending on how you define a previous language as being "obsolete." I was trying to play devil's advocate with my own point, and concede there may have been times in history when a lot was made obsolete during a 4 year period. The industry isn't really any swifter than academia though, which is why we still use 20 year old languages.
I think that later they teach you in C++ and Java at least...
I understand that you should use the right tool for the job (in this case teaching), but the basic concepts (and in general the most difficult to get, because you don't know anything, not because the concepts are really that difficult) are almost the same in all languages.
That is what a Computer Science degree should be teaching - not the latest programming language and/or revision control system.
A CS degree makes a pretty poor introduction to software development in the same way that a physics degree makes a pretty poor introduction to bricklaying.
I've been reading a lot and managed to complete a couple of those exploitation wargames and hack some web apps but am in a completely different domain.
Security people who are coders is a sweet spot.
Beyond that, add in a bit of system administration knowledge, e.g. in-depth knowledge of operating systems and networking, and you have everything you need to break many, many systems!
Risks Digest is a good, low-volume, high signal-to-noise place to just soak in the idea of how systems break (both accidentally and by malice).
I've spent the bulk of my career doing application security work, so I have less advice to give about other aspects of infosec (which like the article says, really is a large field).
But (and this is fairly generic advice, received from a disembodied pseudonym on the internet) you can do a lot worse than just picking up a copy of the Web Application Hacker's Handbook, downloading the free version of Burp Suite, setting up a VM and installing some old versions of popular CMSs (or bulletin boards).
EDIT: Here's an old comment by tptacek that recommends something similar for starting out (so at least two people recommend this): http://news.ycombinator.com/item?id=5266939
I don't find a lot of value in CTFs (again, other people obviously feel differently), and I disagree with the other person who recommended you go to Blackhat.
Security conferences can be great, but I wouldn't go to Blackhat as your first (I actually wouldn't go to Blackhat unless your work was sending you, or you're speaking there). You can't throw a rock without hitting ten security conferences nowadays, so I'd start with ones more local to you (which will have the added benefit of having attendees who are also more likely to be local to you).
Based on your HN profile, it looks like you might live in Austin? If so, there are plenty of companies hiring security folks (actually, almost everywhere there is a crazy unmeetable demand for security professionals).
If you're a developer, you've already got an advantage over 95% of the people working in Infosec. That sounds like an exaggeration, but people seem to have a hard time understanding the disconnect from the relatively small "hacker" community and the much much larger corporate world where "senior pen testers" don't know how to do anything above and beyond kicking off a network scan.
I'd like to think that the appsec world is a little more advanced, but I think that's just me rationalizing. The bulk of people doing corporate appsec work (by which I mean consulting) are just running WebInspect (or something equivalent). That's why if you spend any time in the infosec community, you'll hear countless tales about how difficult it is to hire good people.
If you have any specific questions, or just want any advice, feel free to email me (my email is in my HN profile).
I've just finished my B. Sc. and I wish I had understood this before. I wasn't a straight-A student, but I definitely could have spent more time socializing.
It's great to have some courses in various parts of computer security, but being a good developer is a better entrée into appsec, and being a good CSE and thus going into networking (ideally, through a combination of vendor training and hands-on; it's more an ops thing than a pure architecture thing) is a better way into netsec. EE for hardware security. etc.
I don't actually know of any non-crappy schools with a "security degree".
The three of us learned more from trying to follow the class notes and figuring out our way past the breakages than from the actual structure of the class itself.
The fundamentals should barely change from version to version (indeed, many command line tools under UNIX are decades old, which, of course, does not mean that they are bad). So if you learn them with the previous version, it should be really easy to get the small differences to the current version.
They are out there, and it's nearly impossible to get them to understand why they remain in entry-level positions for so long.
The example that immediately springs to mind is a low-level CND position. Sure, the ability to program would make you a better CND analyst, but we have already agreed on that.
And they don't understand, no matter how many times they are told, that you have to know how an attack is executed in order to defend against it.
I guess the social interactions and the emotions about being attacked contribute to a higher than average stress level. The emotions will be heightened by stakeholders in your organization who look and behave a lot more likely to knock you out or do some other harm to you.
In particular, internships! I've learned the hard way that these are very important. Don't plan on having summer vacations free to do things, that's a thing of the past.
The real money is in Management, and the girls are cuter in the business classes. (Please don't flame me, I know there are plenty of cute girls in CS; there were 3 girls in my class of 600, so they were there, but they were too far away to tell if they were cute.)
Honestly I just felt sorry for the poor gal, she always seemed very embarrassed being the only girl in the class, as if she made the wrong choice by being there or something.
It often made me wonder, should school administration be actively thinking of the social dynamics that play out with this kind of imbalance? You're going to have a few frustrated boys in a situation like this... and a few exhausted gals (they have to say 'no' often). What do you do, if you're in that hot seat. Do you worry about these things, or do you keep trying to admit new students purely on a merit basis?
What's interesting at my school is that there are more girls even in Electrical Engineering than in CS.
So this means that CS truly has the most messed-up girl/guy ratio, probably out of ANY major at my school (it's a huge state school too).
As a guy it's frustrating because it creates a barrier to easily meeting girls in your major, an advantage that many other people have. I can rarely work on my school assignments with girls, or talk about common classes with girls, or anything similar to that kind of interaction that should exist within each major.
Sure, I'll make 6 figures guaranteed when I graduate, but at what cost? I really do love what I do though so the passion for that encompasses all. Yet at the same time it'd be foolish to ignore issues like this and pretend they're not a problem, because they definitely are.
Computer Science and Computer Engineering sadly end up being viewed in the same light for boys as Nursing is for girls. That is, there is a long standing cultural notion in the United States that girls are supposed to be nurses and boys are not, despite how silly that all seems. It's even more perplexing, since many of the early computer scientists were women, just as many of the nurses starting in the 19th century were founders of their modern profession (with the Crimean War and the American Civil War).
Institutions may try to shape and encourage change, but it comes down to the parents understanding that roles and jobs should be independent of one's gender and reinforcing that notion in their children. Especially in the United States where parents play a large role in the intended degree of their children because they are generally expected to help pay for part of the tuition. A school may suggest a degree for a student, but in the end, a parent may be the larger factor in a student's degree choice.
One possible cause may be the traditional nerd stigma that afflicts CS. In recent years it's broadened up, though ironically now there's a small fratty brogrammer subculture in CS. (Though not in academia, I feel, but in the startup industry that follows.)
I do consider Bio and Medicine to be hard sciences and you are correct the gender imbalance is significantly less than some other science fields. However, it seems to be more acceptable in American Culture for parents to accept their daughters going into those types of degrees perhaps due to the relation to traditional career paths women have gone into (such as nursing). If that's true, it's rather sad and hopefully such preconceived notions die out in the near future.
I'm curious though as to how many female students end up going into Computer Science or Engineering because a family member or parent was in one of those fields. I have a few female friends who are either pursuing or have obtained a degree in Computer Science, and each had at least one parent that was in a related field.
Line Dancing Class was the opposite: 62 girls, 5 guys. Two of the guys were a couple. One of the guys was married to one of the girls.
I would have gone into line dancing as a career, but I don't really like the music, and I'm not sure how much money there is in it.