by dguido 3217 days ago
I had an oppressive computer teacher in high school and I liked to pull pranks. It started out with simple password guessing, then phishing, then trojaned USB autoruns, SAM hash dumping, and password cracking, then some wifi sniffing... I never thought of what I was doing as hacking at the time (2001-2002). I just wanted to use the computer lab to play video games, and show up my jerk of a teacher.

In my senior year of high school, I was handed a brochure for a scholarship program offered by an engineering school that paid your entire tuition if you studied cybersecurity. I didn't know much then, but I knew loans were a bad thing, so I went with it and attended that university. The final hook was a Capture the Flag (CTF) game hosted by the school. I had not pursued obtaining the scholarship until that point but playing in the CTF got me exposed to the other students and convinced me to go through it. You can read more about the NSF Scholarship for Service (SFS) program here: https://www.sfs.opm.gov/StudFAQ.aspx

I like to characterize myself as one of the first class of graduates with specialized degrees in cybersecurity (at least in the US). Anyone older than me is usually entirely self taught, anyone younger generally had exposure in an academic setting. I was about half and half. For reference, I am 32. I think the NSA Center of Academic Excellence program had a lot to do with that shift. Many US universities were first getting certified with new coursework to meet that standard through the mid to late 2000s, right as I was attending college. https://www.iad.gov/nietp/reports/current_cae_designated_ins...

FWIW I wrote a short career guide to help others trying to make sense of the field and how to get started. https://trailofbits.github.io/ctf/intro/careers.html

In fact, this year's Flare-On challenge just started today! It's an online game composed of 10-20 reverse engineering and forensics challenges that takes place over the next few weeks. There will be solution writeups after the challenge is over so you can learn how to solve whatever got you stuck. Give it a shot! Flare-On always gets great reviews for being fun to play, and online games (CTFs, wargames, etc) are a great way to get yourself started and add something to your resume. https://2017.flare-on.com/

I am now the CEO and co-founder of Trail of Bits, a high-end software security research firm. I will probably never quit the field. You can read more about what we do here: https://www.trailofbits.com AMAA?

3 comments

I feel like it is difficult to get hired right out of college into a pentesting/netsec role without a bunch of certs and CTFs (which you do mention in your career guide). Even then it just looks like just another qualifying tick in the checklist. Right now I'm thinking a dev job for a couple years, then move into security (which looks like what some recommend). What do you suggest one can do to show that they have the chops to take up a good role short of getting a couple high profile CVEs? Write a blog? Write PoCs for past CVEs?

What will get the attention of someone who hires (like you) to think that they will be a good fit?

Easy! Develop software. Don't limit yourself to scripts and small utilities. Work on something substantial, preferably low-level and closely related to the operating system or hardware. If you play CTF, show me the tooling you wrote to prepare, and the process you use to review your past performance and plan your next game. Our biggest ask during our hiring process is a code sample of some kind. If you're talking about finding bugs, show me that you didn't just get lucky, that you know how to make the process reliably produce a known outcome.

Sidenote, I think the dev job for ~2 years out of college then moving to security is a smart move. You're 100x more effective as a security engineer if you have a strong background in development. I'll say that we definitely prefer to hire software developers and teach them security.

Thanks! This is great advice.

What year did you graduate? I went to grad school through the SFS program and graduated in 04. I remember hearing mudge talk and I thought it had been around for a little while before I graduated.

I graduated in 2008. I feel like SFS really caught its stride in the second half of the 2000s. I remember when NSA started making different levels to the CAE certification (Education -> Research -> Operations), and that created a rush to build out lots of new coursework and pulled many new universities into the bottom tier, and SFS along with it. I don't have data to show, but I feel like both SFS and universities with CAE were more rare or exclusive earlier than that.

Reminds me that my first programming project was an MS-DOS resident fake virus in assembly.

I love it when cool teachers sneak projects like these into their classwork. I had a computer architecture class that had labs to write exploits in MIPS assembly. I'd say 19 out of 20 people didn't even know they were exploits while we were writing them. :>

Slight precision: it wasn't a school project, just me and a buddy who wanted to use computers and mess with a paranoid teacher with a harmless scary message.