[tptacek]

You'll do fine.

Don't waste time with certificates. They mean fuck all in the industry. Any job that cares about them is a job you don't want.

Try to get some clarity about what part of security you want to work in. All the subfields are open to you. Do you want to do operations work? Do you want to exercise your software development muscles? Do you want to work offense or defense? My advice might be different depending on the answers to those questions, but no matter what you want to do, you should be fine.

[jypepin]

Do you have any resources / direction to give to a software engineer who'd want to learn more about security?

As a full stack web engineer I feel like I know nothing about security (just like most people) and I'd love to have more knowledge about it, even maybe work on this.

I have a small design and engineering studio, and might be interested in getting into that kind of services, if I discover that I get interested in this enough.

[haasted]

One option is to go through the security stackexchange and/or the cryptography one. Pick a tag, sort by votes and go through the questions and responses.

https://security.stackexchange.com/

https://crypto.stackexchange.com/

[tptacek]

Start here:

https://trailofbits.github.io/ctf/

[hanley]

Look for a local group such as Security BSides - go to the meetups, get to know other professionals, learn from them, and get involved with their events.

[hazmazlaz]

Certifications are a way to bypass HR filters, and allow you to negotiate higher salaries. I agree that in terms of imparting actual skills and knowledge they are of minimal value. Being mentored by your peers, being involved in the community, and learning by doing are by far the best ways to learn Security. Certificates are relatively easy to earn and have high ROI in terms of salary and negotiating power in my experience.

[tptacek]

This is what everyone who voluntarily paid for a certificate tells themselves. As a hiring manager (for ~10 years now) in software security who talks to a lot of other hiring managers, I am pretty confident that the supposed ROI for certification is not there. Also: if you're dealing directly with HR filters when trying to get a job somewhere, you're already playing to lose. A much higher ROI would be gained by learning how to seriously pursue a targeted role.

[hazmazlaz]

Thank you for sharing your experience. I think there is a lot of truth in what you said. It is probably very situation dependent - in my case getting that first cert and paying out of pocket is how I broke in from IT Ops and got my first security consulting gig. The resulting pay bump paid for the cost of the cert in 6 months. For all certs thereafter I've had my employers pay for it as part of a benefits package. Obviously this is only a single data point, but many of my colleagues have similar stories so I feel like it can't be completely unique to me. YMMV.

[gaius]

The value of a (good) certification is that Rumsfeld’s Law applies: you don’t know what you don’t know. Even if you never finish the programme you will at least pick up an idea of what you need to learn, the common vocabulary etc.

[tptacek]

If you want to pay for a forcing function, that's fine, but be clear with yourself that that's all you're really paying for.

Certainly I would push back hard on the idea that a certification of any sort is something you need to obtain a first job in the field.

[bane]

I generally agree with you on your points, but I'll share an anecdote.

I once had a friend ask me about getting a certificate in an unrelated field from one of those ultra for-profit schools they advertise during the day on TV. I told her it was basically worthless and that places that cared about that cert and those schools probably weren't worth working at.

Long story short, she went ahead and got the cert from the money mill, got a job at a place that cared about it, and despite my personal distaste for it all, she ended up loving the job and is very happy there a decade later. So...YMMV.

So I think it's hard to categorically say the OP will hate those places when in fact they might find them perfectly suitable. Some people just really like the kind of work those places do and are perfectly happy having a handful of 3-5 letter certification acronyms after their name on their business card.

As the question of whether they're worth the paper they're printed on and if those companies that care about those things are worth the air that comes out of their central heating, I have to say I personally agree with you. They probably aren't helping humanity or the security field any and I keep far far away myself.

But to your other point, the security field is tremendously huge and honestly a lot of it is paperwork pushing certification, compliance and accreditation stuff.

[127001brewer]

How would you practice this craft? Is practicing on pentesting websites (like https://www.hackthebox.eu/) a good idea?

Or is there a better way to learn the various tools?

Edit: I have also completed some of the challenges on http://cryptopals.com/ a while back to get better with developing Python code.

[tptacek]

Start here:

https://trailofbits.github.io/ctf/

Cryptopals is great! :) If you've gotten all the way through set 6 and are interested in a first software security gig, get in touch. Those challenges have been a pretty excellent predictor for us.

[screaminghawk]

Does this still ring true for someone with no experience in the industry?

I figure a certification is an effective "proof of expertise" when there's no employment history to back you up.

[trash_panda]

I think what he means with certifications is that they'll get you the jobs you don't really want.

For example, CEH (Certified Ethical Hacker) is a certification you'll see in a lot of job postings. The thing is, if you know this field, you know that this certification is worthless; it's just an expensive piece of paper. So, if you get a job that requires you to be CEH, it's telling a lot about the company itself, you don't want to work there.

Same goes for the other certs, CISSP is OK but it doesn't really prove you can actually do useful work, and the jobs that require them are not the most interesting ones. The other popular one is OSCP, which I think is quite OK. It shows a minimal level of competence.

But I tend to agree with the feeling that certification in this field do more harm than good. What we need is more professionalism and good engineering.

EDIT: To clarify my point on OSCP, it is good in the sense that they force you to do hands on work. But, it is very narrow and most of what you learn are "tricks". An OSCP holder is proven to know what a pentest it, how to go about with it, and has a lot of sometimes useful tricks under his belt. It will not tell you whether someone really knows how applications and systems works.

[jki275]

Agree on the other certs -- but have you actually looked at the requirements for OSCP?

I think it's a bit more in depth than you believe.

[alltakendamned]

OP is right. OSCP is an entry level certificate in pentesting. That doesn't mean it's easy to get, and the people that have it will certainly have put in the time.

Security skills are just not something you tend to pick up in 4 hours flat.

source: have both OSCP and OSCE, and I work in the industry

[tptacek]

OSCP covers a significant part of my actual subfield in security, and I think it's pretty silly.

[jki275]

Well that's no good, I'd been told by others in the field it was a good cert. Guess I won't waste my time with it.

[LinuxBender]

I second this. I moved from systems engineering to the security field without issue. Security organizations now more than ever need a full spectrum of developers, system engineers/sysadmins and operations folks. You likely already have all the skills you need to find a decent position somewhere. Your existing skills should translate quite well.

[devsecguy]

Sorry but this "fuck certs" mentality just does not hold true for the security industry. It might be true in software but not here. The security industry is much more regulated than software, and with good reason - how is a company looking to hire penetration testers or blue-teamers supposed to tell between somebody who is doing they're job and somebody who isn't? If a security professional does they're job properly then you won't notice anything at all.

Yes certs are not everything, but they are proof to an extent of ones ability. Some certs like the CEH are worthless but others like the OSCP or CRT (in the uk) are definitely not worthless.

The whole "fuck certs I dont need a piece of paper to show I can do something" is somewhat juvenile and really only applies to the software industry. Most other industries have some form of regulation.

[tptacek]

I've been in the security industry since 1997. The last 13 years of that were spent building consulting teams --- amusingly, the first of which was one of the largest app pentesting firms in the country, and the current one is focused on "blue-teamers", as you put it. I have no idea what "regulations" you're referring to, and am certain that certifications --- very much including OSCP --- mean fuck-all in the real world.

[devsecguy]

In the UK at least there has been a strong drive to regulate security companies through organisations like CREST and CHECK. The problem is that its an industry with a massive amount of hidden information. If somebody does a pen test on an corporate network and says "we didn't find any vulnerabilities" how does a company know if they have actually done a thorough check or if the network is genuinely secure?

Yes in an ideal world we wouldn't need certifications or exams or anything but this isn't an ideal world.

[tptacek]

I don't know what part of "there are no certificates required to do this kind of work" I'm failing to communicate. My last company was acquired by NCC Group, a UK public company, and I haven't met anyone from the UK side who was certified either.

[devsecguy]

I never once said that certifications are required to do this work though did I?

[wglb]

I strongly disagree. What matters in the security field is the ability to program, a desire to learn, and an deep interest in security itself.

[devsecguy]

Absolutely those are all important qualities but the idea that certs are completely worthless just doesn't hold any weight.

Can I ask if you apply the same logic to the lawyers? Do you think the bar exam is pointless? What about chartered accountants? Or Engineers? Should pilots have to pass a test? What about drivers license tests? Are they just worthless pieces of paper too?

[wglb]

The practice of law is an older field. When I hire a lawyer, I presume that they have sat for the bar, but my inquiry goes much deeper. If I need a contract reviewed, I try to ascertain if candidate lawyers have experience reviewing contracts, and look for recommendations for that service. If someone were to sue me, I would look for a lawyer who is experienced at litigation. In this case, a lawyers certification, which is the bar exam, is a known test for the knowledge of law, which is done after serious study.

Certifications such as the CISSP don't tell me as a hiring manager anything about a candidate's skill in the required areas. As a buyer of security services, a shop with CISSP services often has a negative correlation with quality of an application penetration test.