by runjake 2769 days ago
Allow me to disagree with tptacek a little:

The OffSec Penetration Testing with Kali Linux (OSCP certification) is excellent and outstanding and cheap.

https://www.offensive-security.com/information-security-trai...

While the course itself is $800, you'll most assuredly need another 60 days of lab time for the certification. I think all in all it cost me $1,500 for everything.

The course material is excellent and wide-ranging and very hands-on. If you have a family, it's a serious investment of time. It put a serious dent into my night time hours for a couple months.

The OSCP certification is widely respected and not just a "paper certification" like some of the others (C|EH). Lots of practical skills. Great stuff.


I'm just one data point, but I'm a hiring security manager, and if someone had OSCP it would mean nothing to me.
Same. To some extent the presence of certs is a lacks-clue indicator to me. That's not fatal (lots of great hires really understand security but know nothing about the industry) but it starts my evaluation of you off at 'greenhorn'.
You are probably looking for advanced people (or you might just be a shitty recruiter...). As a second data point I can tell that having OSCP can help you significantly in the beginning of your career (and for a reason, most entry-level certs are just complete bs and it's nice to have something to show off when you are lacking actual experience).
Second this point. One hire that I had a voice in getting hired showed up with no current job, no security experience, but had written a compiler at home, just for fun. Has what most folks would consider a spectacular career since then.
~Same. I expect in the most charitable case it means about as much to infosec hiring managers as bootcamps do to developer hiring managers.
What are you looking for in that case? I mean, in the absence of previous experience doing the same thing.

The way I look at it, people come into technical security either from operations or development backgrounds, but it's hard to distinguish someone who has the required skills from their years in dev or ops from those who have managed to do their core work so without going into the relevant details; their CVs are going to look pretty much the same.

A hobbyist might have practiced on some CTFs or vulnerable machine challenges, but unless they have, e.g., won some bug bounties or gotten some CVE disclosures, that won't really be visible on a job application. If certifications aren't considered relevant by security hiring managers, what is?

Things that would count:

You wrote a compiler, kernel, emulator, firmware, or boot loader.

You wrote a small demo, such as 4096-byte or 512-byte. Like this: https://en.wikipedia.org/wiki/Demoscene

You have hand-optimized code via assembly language.

You have debugged software with a JTAG device or a digital logic analyser.

Why would those things count more or less than other things? It seems more like a list of things you think are neat but trying to guess what a resume-reader might think is neat seems like a game with very poor returns.
Well, those things fit the job I posted: https://news.ycombinator.com/item?id=18358038

The common feature is low-level experience. Somebody should be comfortable with assembly and related things.

It's true that not all security jobs are the same of course, so there will be plenty of places wanting other stuff, but I don't know about those.

We hire resume-blind, based on work-sample challenges.

https://latacora.com/careers/

... why nothing to you?