by bitexploder 3358 days ago
Keep your head up. I am a partner at a so-called "boutique" firm. If you want to be elite and do the hard things in information security, the certifications themselves will not do /much/ for you by themselves. You have to never stop learning and growing. A lot of people in corporate IT who maybe bump into the edges of real assessment work think the certs qualify them, and they stop learning and growing and learning how to break software.

It comes down to a very simple concept. Can you make the computer do what you want? Can you find the flaws in its state machine and hack the shit out of it? Yes? Come join an elite firm. No? Go into corporate IT security or keep learning until you can take the raw machine code and make it do what you want.

What does running a bunch of tools have to do with that? Most certs are very tool focused. Some /might/ have you do some stuff that is more interesting and CTF like, but so what. It is still meant for mass certification. If you only study to exploit a buffer overflow or inject SQL you are missing the point (though those are valuable skills).

You need to fundamentally understand. You need to be able to model complex software architectures and understand all the complexity of a modern software architecture and ecosystem quickly. Why quickly? Because it changes quickly. Because there is often so much diversity and complexity for a security practitioner at our level that you have to change architectures seamlessly and at a high (not expert, but very high) level of proficiency. That means you have to write code, play with a diverse set of modern software and programming languages, and constantly be thinking about everything from the security perspective. Learn threat modeling. Learn software. Learn the low-level bits of computers and the high-level bits.

What does this mean? It means if you know all the command line switches for all the tools on Kali you won't ever get anywhere. You need to write code. You need to understand operating systems like a systems engineer. You need to know what is going on with hardware. Will you use it all every assessment? No. But it will inform and guide your choices and you will have the framework required to understand almost all software and hardware you come across.

We have been working hard on our work sample assessment in our hiring process for the last 9+ months. We have seen folks with an elite level of memory corruption experience (e.g. guys who find and write exploits for the DoD) do very poorly on the assessment, and we have seen 2nd-year college kids get right to the heart of the sample and own it. We see a LOT of people who want to transition into infosec or work at a more hardcore level come in and throw every command on Kali at our work sample. (Amusingly, you have to think and assess things; you don't need anything fancier than a hex editor and a programming language or two with their standard library.) Does that mean someone good at memory corruption is bad at information security? Maybe. It means their skills are too narrow to assess and secure the typical systems our customers hire us for and we work on, and we work on a lot of important stuff.

So let's be more concrete:

* Get really good at Python or Ruby (Python is what we prefer, but Ruby is okay). Write code every day. Golang is fun and good too.

* Work through all of cryptopals until it hurts, read every paper you can along the way

* Take a Coursera course on cryptography (Dan Boneh's older one is nice) -- you really need to understand the crypto primitives in modern use and how to use them safely. You don't need to know how to implement a side-channel-resistant AES or ChaCha, but you need to know when someone is screwing up with AES in CBC mode (they almost always are if they are using a crypto primitive)

* Build or contribute to some open source security tools

* Get really good with mitmproxy and/or Burp; so much stuff now is HTTPS and/or WebSockets

* Know your web app LHF

* Read and understand OAuth (do this later)

* Learn every common authorization model in existence and how authentication and authorization are /actually/ implemented

* Work through the Microcorruption CTF; you will understand better how a computer works if you get through /every/ challenge

* Learn threat modeling (Shostack has nice writing about it)

* Find software. Break and threat model software. Find more software.

* Follow and, more importantly, endeavor to understand the work of prominent people who talk at Black Hat every year or build software people use (Bernstein, Matthew Green, and the Charlie Millers of the world). Understand their methodology first; walk through how they do things more than their results. Don't be distracted by the results, but by the skills and effort they employed to get the results.

Those are the basics. Get good at this and you can break most modern software. Then you can specialize. Along the way of doing this you will come across tons of interesting stuff and find places you want to investigate. This is just off the top of my head. This is the really hard thing about being really good... it takes time. You can't just wake up and decide to do this at a high level. Programming takes time. Learning crypto takes time. Learning HTTP takes time. Learning software stacks and modern software architecture takes time. At the end of the day this path is daunting and, like a sieve, it filters out all but the best technologists. Now you can imagine why the author may have taken the sort of down-his-nose view he did of certifications, because this is an immense and challenging thing.

Step back a bit and assume becoming elite at this is a 5-8 year journey. What do you do in the meantime? Write code every day. Work on only a few things at a time to ensure you can go deep enough and understand it. Do your certs; they give you great exposure to the variety of tech, but never stop at the level a cert gets you to if you want to progress. Figure out what you are enjoying right now and focus on that. You can feasibly get more entry-level pen testing and assessment roles in corp security on the backbone of a few certs, getting good at programming and automating things, and going deep on a topic area that really interests you... web app testing is a great starter, but never settle for banging out LHF (Low Hanging Fruit) findings all day; learn how to build web apps, too.

You can also go more of a risk management and policy route. This requires you to have a breadth of knowledge, be deeper with at least a few things, and understand corporate security, but I swear, if you love technology and enjoy deep thinking these roles will suck the life out of you. They are where deep thought often goes to die, drowned by corporate policy. Anyhow, it is getting late. Good luck. Find my company and contact us, we will set you up on our work sample and you can see what it is like.
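The post's "know when someone is screwing up with AES in CBC mode" point, worked through as an added example that is not part of the original comment: unauthenticated CBC is malleable, so an attacker who holds only a ciphertext can rewrite a chosen plaintext byte in block i by XORing the corresponding byte of ciphertext block i-1 (block i-1 itself turns to garbage), and encrypt-then-MAC is the standard fix. Assumptions in the code: Python's standard library has no AES, so a keyed SHA-256 Feistel network stands in for the block cipher (the attack and the fix depend only on the CBC structure, not on the cipher); the `userid=...;admin=0` cookie and the fixed keys and IV are constructed for reproducibility and are not from the post.

```python
"""CBC malleability demo. Added example, not the post's code. Standard library
has no AES, so a SHA-256 Feistel network stands in (assumption, NOT AES); CBC's
structure, the attack and the encrypt-then-MAC fix are the same with real AES."""
import hashlib
import hmac
import os

BLOCK = 16
TAG = 32

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    # Round function of the stand-in cipher; any keyed permutation would do.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def pad(data: bytes) -> bytes:  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)  # P_i = D(C_i) XOR C_{i-1}
        prev = blk
    return out

# --- the weak design: CBC with no authentication, token = iv || ciphertext ---
def encrypt_token(key: bytes, iv: bytes, cookie: bytes) -> bytes:
    return iv + cbc_encrypt(key, iv, pad(cookie))

def decrypt_token(key: bytes, token: bytes) -> bytes:
    return unpad(cbc_decrypt(key, token[:BLOCK], token[BLOCK:]))

def flip_cbc(token: bytes, offset: int, old: int, new: int) -> bytes:
    """Rewrite plaintext byte `offset` from `old` to `new` without the key.
    P_i = D(C_i) XOR C_{i-1}, so XORing byte j of C_{i-1} flips byte j of P_i
    (and garbles P_{i-1}). token = iv || ct, so that byte is at token[offset]."""
    t = bytearray(token)
    t[offset] ^= old ^ new
    return bytes(t)

COOKIE = b"userid=12345678;admin=0"  # constructed sample; 'admin=0' sits in block 1
ADMIN_OFF = COOKIE.index(b"admin=0") + len(b"admin=")

def demo_unauthenticated() -> bytes:
    key, iv = b"k" * BLOCK, bytes(BLOCK)  # fixed only so the demo is reproducible
    forged = flip_cbc(encrypt_token(key, iv, COOKIE), ADMIN_OFF, ord("0"), ord("1"))
    return decrypt_token(key, forged)  # block 0 is garbage, block 1 reads admin=1

# --- the fix: encrypt-then-MAC over iv || ciphertext, verified before decrypting ---
def seal(enc_key: bytes, mac_key: bytes, cookie: bytes) -> bytes:
    body = encrypt_token(enc_key, os.urandom(BLOCK), cookie)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_token(enc_key: bytes, mac_key: bytes, token: bytes):
    body, tag = token[:-TAG], token[-TAG:]
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None  # reject before touching the ciphertext: no padding oracle either
    return decrypt_token(enc_key, body)

def demo_authenticated():
    ek, mk = b"e" * BLOCK, b"m" * BLOCK
    token = seal(ek, mk, COOKIE)
    forged = flip_cbc(token, ADMIN_OFF, ord("0"), ord("1"))
    return open_token(ek, mk, token), open_token(ek, mk, forged)
```

Calling `demo_unauthenticated()` returns 23 bytes whose first block is garbage and whose tail is `admin=1`, with the padding still valid, which is exactly what a cookie parser that only looks for `admin=1` will accept; `demo_authenticated()` returns the original cookie for the genuine token and `None` for the forged one, because the MAC is checked over the IV and ciphertext before anything is decrypted. Note the assessor's lesson in the first demo: nothing in it needed the key, only the layout of the plaintext.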