Hacker News
by leoscuro 3355 days ago
Articles like this one frustrate me.

I'm 30, and am essentially starting life over after finishing my military enlistment a couple years ago. All the experience of setting up shops and drafting reports meant nothing without a degree. So I start working on my degree, and I am absolutely miserable. My love of learning was sucked out of me because I wasn't learning: I was working towards an extra line on my resume.

Right now, I am in a jr. sysadmin position making minimum wage, but I was selected for a SANS scholarship where they pay for your GSEC, GCIH, and one elective cert. My friend bought me a decent laptop, so I could experiment on virtual machines. Another registered me for the NCL so I could access their gyms to spread my legs a bit with more powerful tools. I READ SECURITY WHITEPAPERS FOR FUN NOW. I love trying to figure out how to best balance company workflow and security best practices.

I know that, at the end, the three certs are not going to make me an SME, but at the very least I hope that this particular extra line on my resume can help get my foot in the door somewhere I can be mentored and develop my base. A salary that can actually pay my bills would be nice too.

Then I read articles like this, and wonder if I'm going to be sidelined again. I feel like at that point, my life is worthless.

12 comments

You won't be sidelined. If you internalize most of the material from your SANS courses you'll probably be smarter than 2/3 of the people in this industry, if not more.

Most of the articles like this seem to come from people in the top 1-5%. Most of them are people that have started their own companies. I'm not a unicorn and most people aren't. I'm pretty confident that Tptacek and everyone else quoted are better security analysts than I am and possibly ever will be. However, I'm also confident that I'm pretty good at my job and I have the potential to get much better.

The important thing is to keep learning every single day.

I have no idea if you are or aren't (be careful about your assumptions!). But I am certain that certification has nothing to do with the delta between the two of us.

I'm not crediting my entire base of knowledge with a certification course, but I did learn quite a bit at some of the courses I've taken. I've also learned quite a bit from books, articles, security conference talks, and of course, by spending a ton of time putting the things I read/watch into practice.

I guess my point is that I agree with you that no one needs certifications, but I didn't think the contents of the courses I took were completely worthless.

IMO, some subfields of security are better suited to structured learning than others. For example, forensics can be taught very well in the format of a certification course. However, from my experience, exploitation and reverse engineering are pretty hard to learn in the same format.

I doubt the curriculum of any certification is entirely worthless. You're saying you appreciate their value as a forcing function and as a set of guideposts for what to learn. I'm saying: there have to be cheaper ways of setting up forcing functions, and I know there are better guideposts on what to learn --- they're just not promoted as heavily as the certifications, because nobody (except hiring managers, who are too dumb to realize it) makes any money on them.

I agree completely. There are books that cover the same content in many cases, but not always. I've read quite a few of these books; sometimes they are actually better. I was fortunate enough to take all of my courses for free, but if I were paying $5k out of pocket each time I wouldn't recommend it. I think the norm is to have an employer pay for it.

I know that's true and I find that especially alarming, because it gives those employers a tremendous amount of leverage as gatekeepers to the industry (by underwriting certifications for people they elect to employ and retain).
This guy is flat-out wrong. He bags on the CISSP - that's a friggin management cert, not a technical cert. Like bitching the CEH doesn't go hard into Opex/Capex.

Meanwhile on planet earth "draw up an inter-agency security agreement compliant with all local jurisdictional laws and industry regs" is also infosec and command line kung-fu will do fuck all to help you get it done.

This guy just drinks "unicorn" piss - he didn't get "trained", he's just so darn smart and hardworking and special. I bet his business card says "lead ninja" or some other IT fuckboy bullshit.

Exactly... CISSP shows that you have an understanding of risk, numerous compliance requirements, and how much basic housekeeping activities like asset inventory management or having proper data classification/access controls help in maintaining security. The title of "Information Systems Security Professional" suggests that you're knowledgeable enough to speak intelligently in all of the ten domains, but your everyday job might be in a single relatively non-technical domain, like "Business Continuity and Disaster Recovery Planning".

I wouldn't expect anyone with a CISSP to be an expert in "tech ninja" stuff, but he should be able to assess whether overall security is better served by investing in the "ninja work" or, for example, additional phishing training for employees, at a given point in time. This is certainly not a deficiency in CISSP, and I don't think anyone with enough experience in the infosec industry would have such an expectation.

I've been in the industry since 1995. I've worked for Fortune 500 companies. What's the experience I'm missing to appreciate the CISSP? Because from where I stand, it seems mostly like a scam to me.

Then by definition you don't have any expectations for "a CISSP to be an expert in 'tech ninja' stuff", as I was saying... ;-) I'll agree with you that, to an extent, all certifications are a scam, especially those with artificially high sit-down fees. My point is that CISSP does not claim to be a gauge for whether you are a crypto expert, just that you should know the difference between basic types of encryption and when it makes sense to encrypt your company's data, so that an accountant in one of those Fortune 500 companies you mentioned doesn't make a costly mistake. In short, it's not about "how to trigger an RCE", but, if you're in an Ops role, about "how can I ensure my users are patched without delay, so that I can minimize the impact of an RCE". Does that make sense?

Roles I've held:

* ISP network security engineering

* Network penetration tester

* Software developer for network security products

* Application security assessor

* (Most recently) Security team lead

I've had these roles for small companies and for very large ones.

What experience am I missing that would lead me to change my mind about the CISSP? I don't think attempting to pigeonhole me as a "crypto expert" is going to persuade me, because that's not the span of my professional experience.

That's an impressive resume of roles, but security is more than just those areas.

I think the grandparent is trying to say that the CISSP is largely for non-technical security roles. People that manage large security organizations are generally believed to be the ones that benefit from the CISSP, as they are not interested in the details and more in a 1000-foot strategic view.

Without knowing more details about your specific expertise, I would say you probably haven't been in a role that would benefit from the CISSP, just looking at your list. If you've been the CISO for a large company with 400+ people reporting to you doing IS work, having a CISSP should at least help you prioritize the work that needs to be done. Likewise for many companies that have non-technical management in security organizations, a CISSP helps provide some background for them.

Yeah, but let's be realistic. There are very few technologists who are passionate about computing that would really enjoy compliance roles. Infosec is a huge banner and I am going to assume most hackers here are on the technical side. Also no cert can possibly prepare you for negotiating corporate IT security policy.

But even for us (a high end infosec consulting firm) knowing how to relay findings and risk concepts to executives can mean the difference in our work getting implemented, transforming an organization from average to above average in terms of how they approach information security.

Anyway, don't be such a cynic, we just run out of air when we get to the upper reaches of technology expertise so it makes us dumb :P

Don't fret. The author is correct, but it's mostly true for the upper ladder of the skilled workforce. I would chuckle if I saw a senior engineer list certifications on their resume (apart from maybe advanced CCNA/NP/IE cert for a networking specific role).

At that point in your career your experience and knowledge will show for itself, and you won't be proving anything with paper.

Right now, however, it's vital you get your foot in the door. You don't have much experience yet, so a cert shows you're eager and at least not totally clueless. The jobs that care about your certs will probably not be very good, but it's a stepping stone if you're ambitious.

This is exactly true for all non-work related qualifications (schooling, degrees, certification, etc)... they matter when you are first getting into the industry, and for your first job or two.

Once you get established, no one looks at those things.

What's so special about CCNA? I acquired it as a backup plan a few years earlier, but never used it nor worked in networking. Pretty much anyone with basic knowledge in networking, a few weeks of spare time and a few hundred dollars could obtain it.

The CCNA has value for network engineering positions.

No one thing will make or break your resume aside from the obvious egregious mistakes that I won't go into here.

Get your certifications - they will certainly help. Just don't pin all your hopes and dreams on these certifications.

They will add to your resume as a whole - so that when someone is reviewing your resume they can put an extra check mark in the pros column (experience, check; skill set, check; oh hey he has certs too, nice, check).

In my experience working in technology, most people aren't as vocal about certifications as you would think based on the chatter you see online. They are a nice to have, not a must have, to get started. Sometimes depending on your actual job, they become a job requirement and work will pay for them.

Also in my experience, the people really against certs are people who for some reason don't like the idea of other people "invading their turf". As if you getting a cert in their field somehow trivializes their experience or effort.

In other words, keep doing what you're doing. View your certifications as milestones along the way, not the be-all-end-all of what you will need in your career. Continue learning and getting valuable experience, and you should be alright.

Update: One last note: certs are like a lot of other things you will encounter in any type of education. You get out of it what you put in. If you work just enough to be able to pass the tests, well, that's what you will get out of it; a way to pass the tests. If on the other hand, you try hard to learn and understand the concepts, then, that's what you will get out of it and it will certainly add to your learning.

I switched careers at age 30 also (into programming). A buddy told me something that has held out to be true. Think of your career like you would guiding a canoe down a river. Parts of the river will bend and get narrow and parts will be wider and easier to navigate. Try to stick to the parts that are wider and easier to navigate and you'll be just fine. It's ok to add another line to your resume to allow you to get your foot in the door. After that it's up to you. Build up your own experience and that will shine through every time.

To be honest, I think your original gut feeling is correct. Keep doing what you're doing. Especially for small companies, the hiring process is about finding someone who can adapt and push themselves. Seeing that you experimented and pursued formal certification means that you're teachable and ambitious.

This article is talking from the perspective of getting hired by so-called "elite" security firms. That comprises a tiny percentage of the roles you might possibly seek in the future, and shouldn't taint your pursuit. Many employers who are trying to staff some sort of internal security competency will regard it very well -- there's a reason they appear in countless job listings -- as a sign of both focus and interest.
What, everyone doesn't aspire to become an elite hacker speaking at BlackHat?

Seriously, you are spot on. It takes years and dedication and no small amount of coincidence of interests and skills to reach the elite levels. It also takes a kind of persistence and thick skin to do the research and get the skills to get your first real high end job for most people. I tried replying to the OP about how to get to where our senior and principal consultants are and.. it turned into a somewhat muddy word bomb. At some level the advice was basically, "Yeah, just get really good at... everything, then infosec is easy"

There are so many paths and skillsets required and you can specialize in so many areas (operating systems, tools, crypto, memory corruption, etc...). How do you even begin to convey the depth and variety to someone at the start of their journey? Ultimately there are just a lot of common patterns of elite hackers, base skills you use all the time. Get those skills, and keep trying to hack stuff :)

Sounds to me like you're doing the right kind of thing to break into the industry.

Whilst there are people that, unfortunately, take the attitude in the article, I think that there's a load of others that take a more balanced approach and recognise some of the value of certifications.

The other thing I'd recommend, if you're not already doing it, is get along to some of the chapter meetings and conferences that there are increasing numbers of in security.

In particular I'd recommend BSides conferences (http://www.securitybsides.com/w/page/12194156/FrontPage) there's loads of them around and they're good places to meet people in the industry and also in many cases the sponsors are looking to hire.

Hey. Again with these false dichotomies. The choice isn't between "certificates" and "never letting newcomers into the industry". In fact, if I accomplished one single thing at Matasano, it's getting newcomers onto our team.

https://sockpuppet.org/blog/2015/03/06/the-hiring-post/

I kind of resent my opposition to certification --- which I see principally as a way of keeping newcomers out of the industry, by requiring them to get expensive certificates to enter it --- being cast as opposition to new talent. I think opponents of certification are far, far more welcoming than the supporters are.

<sigh> it's not a false dichotomy. The comment I was replying to was specifically expressing disappointment that his efforts in getting certificates would be overlooked because of a negative attitude in the industry to those certifications. I was merely expressing encouragement that not everyone would look on those certification efforts negatively.

The article takes what I think to be an overly absolute position in suggesting that certifications are actually harmful to the industry.

I'm not suggesting that you are opposed to new talent, I've not said that anywhere.

What I've said is that I think that certifications can be useful for newcomers in demonstrating effort/ability in a field.

I think that those certifications can be useful specifically in scaling entry to the industry (I'm not saying they need to be expensive, heck I'd love it if they were free, but someone has to pay for the effort required).

The problem with leaving individual companies to review every candidate from scratch is that it's a huge waste of effort. If you're starting a SOC and have to fill 50 spots and get 2000 CVs across your desk, you realistically are not going to be able to take an approach of manually interviewing every single candidate.

Now, and I'm sure you know more than I, that doesn't apply to high-end security testing companies, but different types of roles require different approaches.

No, that's not all you said. Your original comment is right there for everyone to read. You attempted to co-opt a position on an orthogonal debate --- whether the industry is adequately welcoming to new talent --- as part of your position on certification. Since I'm a strong opponent of certification and I'm reasonably confident I've done more than you have to bring talent into this field, I object, vehemently, to that kind of rhetoric.

I'd appreciate it if you'd take a second to retract.

The original article is titled "Information Security Certifications are Worthless and Causing More Harm than Good"

yes?

The top comment expressed quite clearly discouragement that this attitude of negativity to certification would affect their job prospects.

Yes?

My comment line that I'm presuming you object to is

"Whilst there are people that, unfortunately, take the attitude in the article, I think that there's a load of others that take a more balanced approach and recognise some of the value of certifications."

Didn't mention you, wasn't intending to mention you, referred to the article which clearly takes the position that certifications are actively harmful to the industry, a position that I disagree with.

If you feel I've insulted you, I apologise for that, but I'm afraid I'm currently a bit unsure as to why you feel insulted.

I think you are doing it right. I'm also a veteran, I had no idea about certifications until I got out. It's more of a balance than this article represents. Certifications mean something, but they aren't the end-all-be-all that they bill themselves as. The trick for you is to combine the attitude towards work you hopefully developed in the military with this foundational knowledge to demonstrate 1. you are not an idiot and 2. you can get crap done. When I left the military I was making ID badges (with a master's degree). Keep at it, it gets better.
Just in general, if you want to stay desirable, you'll always need to be taking the market's pulse. Ask real employers which certifications they value. But since you have to be able to actually do something and not just bluff well to work in this industry, everything hinges on skill at the core.

Focus on developing the skills, not the paper, even if the paper is pre-requisite to get promoted. Credentials should always be second priority. If you have the skills, you'll be in demand as long as this class of problems exists. People hire people to do something. Do that thing they want. Don't put your trust in any type of credential.

That said, very few people will hold worthless certificates against you, and risk-averse corporations will want to hire someone as highly decorated as possible so that they're clean if there's a lawsuit related to operator error or negligence. If they're available at low mental and financial cost, they won't hurt.

Don't get discouraged. Work on developing the skillset and the rest will flow. Get the certs as needed or as they're available, but do not attach your own sense of worth, value, or success to them. Your skills are what will distinguish you no matter how respected or despised your credentials become.

There is nothing wrong with getting a cert. SANS offers some great courses. It's a good way for folks to start and get introduced into the industry. There are different roles in security. Soft skills are an important part of that, learning how to manage the process is just as important as being a specialist in Pen testing or Forensics, etc.

Don't get discouraged.

Keep your head up. I am a partner at a so called "boutique" firm. If you want to be elite and do the hard things in information security the certifications themselves will not do /much/ for you by themselves. You have to never stop learning and growing. A lot of people in corporate IT that maybe bump into the edges of real assessment work think the certs qualify them and they stop learning and growing and learning how to break software.

It comes down to a very simple concept. Can you make the computer do what you want? Can you find the flaws in its state machine and hack the shit out of it? Yes? Come join an elite firm. No? Go into corporate IT security or keep learning until you can take the raw machine code and make it do what you want.

What does running a bunch of tools have to do with that? Most certs are very tool focused. Some /might/ have you do some stuff that is more interesting and CTF like, but so what. It is still meant for mass certification. If you only study to exploit a buffer overflow or inject SQL you are missing the point (though those are valuable skills).

You need to fundamentally understand. You need to be able to model complex software architectures and understand all the complexity of a modern software architecture and ecosystem quickly. Why quickly? Because it changes quickly. Because there is often so much diversity and complexity for a security practitioner at our level that you have to change architectures seamlessly and at a high (not expert), but very high, level of proficiency. That means you have to write code, play with a diverse amount of modern software and programming languages and constantly be thinking about everything from the security perspective. Learn threat modeling. Learn software. Learn the low level bits of computers and the high level bits.

What does this mean? It means if you know all the command line switches for all the tools on Kali you won't ever get anywhere. You need to write code. You need to understand operating systems like a systems engineer. You need to know what is going on with hardware. Will you use it all every assessment? No. But it will inform and guide your choices and you will have the framework required to understand almost all software and hardware you come across.

We have been working hard on our work sample assessment in our hiring process for the last 9+ months. We have seen folks with an elite level of memory corruption (e.g. guys who find and write exploits for the DoD) experience do very poorly on assessment and we have seen 2nd year college kids get right to the heart of the sample and own it. We see a LOT of people who want to transition into infosec or work at a more hardcore level come in and throw every command on Kali at our work sample. (Amusingly you have to think and assess things, you don't need anything fancier than a hex editor and a programming language or two with their standard library). Does that mean someone good at memory corruption is bad at information security? Maybe. It means their skills are too narrow to assess and secure the typical systems our customers hire us for and we work on, and we work on a lot of important stuff.

So let's be more concrete:

* Get really good at Python or Ruby (Python is what we prefer, but Ruby is okay). Write code every day. Golang is fun and good too.

* Work through all of cryptopals until it hurts, read every paper you can along the way

* Take a Coursera course on cryptography; Dan Boneh's older one is nice -- you really need to understand the crypto primitives in modern use and how to use them safely. You don't need to know how to implement a side channel resistant AES or ChaCha, but you need to know when someone is screwing up with AES in CBC mode (they almost always are if they are using a crypto primitive)

* Build or contribute to some open source security tools

* Get really good with mitmproxy and or Burp so much stuff now is HTTPS and or WebSockets

* Know your web app LHF

* Read and understand OAuth (do this later)

* Learn every common authorization model in existence and how authentication and authorization are /actually/ implemented

* Work through the Microcorruption CTF; you will understand better how a computer works if you get through /every/ challenge

* Learn threat modeling (Shostack has nice writing about it)

* Find software. Break and threat model software. Find more software.

* Follow and, more importantly, endeavor to understand the work of prominent people that talk at BlackHat every year or build software people use (Bernstein, Matthew Green, and the Charlie Millers of the world; understand their methodology first, walk through how they do things more than their results, don't be distracted by results, but the skills and effort they employed to get the results).

Those are the basics. Get good at this and you can break most modern software. Then you can specialize. Along the way of doing this you will come across tons of interesting stuff and find places you want to investigate. This is just off the top of my head. This is the really hard thing about being really good... it takes time. You can't just wake up and decide to do this at a high level. Programming takes time. Learning crypto takes time. Learning HTTP takes time. Learning software stacks and modern software architecture takes time. At the end of the day this path is daunting and, like a sieve, it filters out all but the best technologists. Now you can imagine why the author may have taken the sort of down-his-nose view he did of certifications, because this is an immense and challenging thing.

Step back a bit and assume becoming elite at this is a 5-8 year journey, what do you do in the mean time? Write code every day. Work on only a few things at a time to ensure you can go deep enough and understand it. Do your certs, they give you great exposure to the variety of tech, but never stop at the level a cert gets you to if you want to progress. Figure out what you are enjoying right now and focus on that. You can feasibly get more entry level pen testing and assessment roles in corp security on the backbone of a few certs, getting good at programming and automating things, and going deep on a topic area that really interests you... web app testing is a great starter, but never settle for banging out LHF (Low Hanging Fruit) findings all day, learn how to build web apps, too.

You can also go more of a risk management and policy route. This requires you to have a breadth of knowledge, be deeper with at least a few things, and understand corporate security, but I swear, if you love technology and enjoy deep thinking these roles will suck the life out of you. They are where deep thought often goes to die, drowned by corporate policy. Anyhow, it is getting late. Good luck. Find my company and contact us, we will set you up on our work sample and you can see what it is like.
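The point in the comment above about knowing "when someone is screwing up with AES in CBC mode", shown as a worked example. This is added here and is not code from the commenter or their firm. CBC mode without a MAC is malleable: anyone who knows part of the plaintext can flip chosen bits in it by flipping the same bits in the IV (or in the preceding ciphertext block, at the cost of garbling that block), and no key is needed. To keep the script standard-library only, the block cipher is a small Feistel stand-in for AES; the property shown does not depend on which 16-byte block cipher sits under the mode. The keys, IV, message layout and field names are constructed for the demonstration. The second half shows encrypt-then-MAC with HMAC-SHA256 rejecting the same modification, which is what the commenter's "use the primitives safely" amounts to in practice.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, same as AES


# --- Toy block cipher: 4-round Feistel with an HMAC-SHA256 round function. ---
# Stand-in for AES so this runs offline; NOT for real use. (Assumption: any
# 16-byte block cipher behaves the same under CBC for the purposes below.)
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


# --- PKCS#7 padding and CBC mode, exactly as commonly (mis)used. ---
def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i : i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i : i + BLOCK]), prev)
        prev = ct[i : i + BLOCK]
    return out


# --- The attack: P[i] = D(C[i]) XOR C[i-1], so flipping a bit in C[i-1]
# (C[-1] being the IV) flips the same bit in P[i]. No key required. ---
def flip_plaintext(ct: bytes, iv: bytes, offset: int, known: bytes, wanted: bytes):
    """Return (iv', ct') that decrypts to `wanted` at `offset` instead of `known`.
    If the target is not in the first block, the block before it turns to garbage."""
    assert len(known) == len(wanted)
    buf = bytearray(iv + ct)  # with the IV prepended, plaintext index == index of the byte to flip
    for k, (a, b) in enumerate(zip(known, wanted)):
        buf[offset + k] ^= a ^ b
    return bytes(buf[:BLOCK]), bytes(buf[BLOCK:])


# --- The fix: encrypt-then-MAC over IV || ciphertext, constant-time compare. ---
def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: ciphertext was modified")
    return unpad(cbc_decrypt(enc_key, iv, ct))  # only after the MAC check


# Constructed demo message: the role field sits in block 0, so flipping the IV
# rewrites it cleanly and every other byte survives intact.
MSG = b"role=user;user=alice;comment=hi"


def demo_unauthenticated() -> bytes:
    key, iv = b"k" * 16, b"\x00" * 16  # fixed for the demo
    ct = cbc_encrypt(key, iv, pad(MSG))
    iv2, ct2 = flip_plaintext(ct, iv, MSG.index(b"user"), b"user", b"root")
    return unpad(cbc_decrypt(key, iv2, ct2))  # -> b"role=root;user=alice;comment=hi"


def demo_authenticated() -> bool:
    enc_key, mac_key = b"k" * 16, b"m" * 16
    blob = seal(enc_key, mac_key, MSG)
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    iv2, ct2 = flip_plaintext(ct, iv, MSG.index(b"user"), b"user", b"root")
    try:
        open_sealed(enc_key, mac_key, iv2 + ct2 + tag)
    except ValueError:
        return True  # tampering detected before any plaintext is released
    return False


if __name__ == "__main__":
    print("CBC, no MAC  :", demo_unauthenticated())
    print("CBC + HMAC   : rejected =", demo_authenticated())
```

Running it prints the privilege-escalated plaintext from the unauthenticated path and `rejected = True` from the authenticated one. The same bit-flip works against a middle block too, the only difference being that the block before the target decrypts to garbage, which is why unauthenticated CBC cookies, tokens and URL parameters are the classic cryptopals target. The deeper lesson is the one the comment is pointing at: the primitive is fine, the mode-of-operation and the missing authentication are the bug, and a reviewer has to recognise that shape without needing the key.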