by devsecguy 2763 days ago
Sorry but this "fuck certs" mentality just does not hold true for the security industry. It might be true in software but not here. The security industry is much more regulated than software, and with good reason - how is a company looking to hire penetration testers or blue-teamers supposed to tell between somebody who is doing their job and somebody who isn't? If a security professional does their job properly then you won't notice anything at all.

Yes, certs are not everything, but they are proof to an extent of one's ability. Some certs like the CEH are worthless but others like the OSCP or CRT (in the UK) are definitely not worthless.

The whole "fuck certs, I don't need a piece of paper to show I can do something" is somewhat juvenile and really only applies to the software industry. Most other industries have some form of regulation.

2 comments

I've been in the security industry since 1997. The last 13 years of that were spent building consulting teams --- amusingly, the first of which was one of the largest app pentesting firms in the country, and the current one is focused on "blue-teamers", as you put it. I have no idea what "regulations" you're referring to, and am certain that certifications --- very much including OSCP --- mean fuck-all in the real world.
In the UK at least there has been a strong drive to regulate security companies through organisations like CREST and CHECK. The problem is that it's an industry with a massive amount of hidden information. If somebody does a pen test on a corporate network and says "we didn't find any vulnerabilities", how does a company know if they have actually done a thorough check or if the network is genuinely secure?

Yes, in an ideal world we wouldn't need certifications or exams or anything, but this isn't an ideal world.

I don't know what part of "there are no certificates required to do this kind of work" I'm failing to communicate. My last company was acquired by NCC Group, a UK public company, and I haven't met anyone from the UK side who was certified either.
I never once said that certifications are required to do this work though, did I?
I strongly disagree. What matters in the security field is the ability to program, a desire to learn, and a deep interest in security itself.
Absolutely those are all important qualities but the idea that certs are completely worthless just doesn't hold any weight.

Can I ask if you apply the same logic to lawyers? Do you think the bar exam is pointless? What about chartered accountants? Or engineers? Should pilots have to pass a test? What about driver's license tests? Are they just worthless pieces of paper too?

The practice of law is an older field. When I hire a lawyer, I presume that they have sat for the bar, but my inquiry goes much deeper. If I need a contract reviewed, I try to ascertain if candidate lawyers have experience reviewing contracts, and look for recommendations for that service. If someone were to sue me, I would look for a lawyer who is experienced at litigation. In this case, a lawyer's certification, which is the bar exam, is a known test for the knowledge of law, which is done after serious study.

Certifications such as the CISSP don't tell me as a hiring manager anything about a candidate's skill in the required areas. As a buyer of security services, a shop with CISSP services often has a negative correlation with quality of an application penetration test.