by jpgvm 1703 days ago
Unless you want to recant to people the OWASP top 10 and generally be useless don't listen to anyone telling you that certs (especially CISSP) are useful for breaking into (hah) the security field.

Generally security has 2 major schools, offensive (red team) and defensive (blue team). To be good at the latter you first need to understand the former. This means what you should instead be doing is learning the basics of exploitation. OSCP that was mentioned here is excellent but it's also not easy to complete right out of the box, you will want to start with easier stuff and work your way up to it.

One thing worth noting though is that it can be hard to transition from a build-to-break mindset. Which might mean even after you learn some decent exploitation techniques, binary analysis etc, that you might be better off batting for the blue team. Blue team mostly revolves around mitigations and defense in depth, which is why it's crucial you know red team to start... you can't put walls in the right place if you don't know where the enemy is coming from.

Of course this really depends on if you want to be a real security expert and be damn good at what you do or if you just want to get paid for being in "security". If the latter you can ignore everything I said and just get the certs and tell people they need to tick X checkboxes.

2 comments

> just get the certs and tell people they need to tick X checkboxes.

Sadly, this is the most common variety of security experts. Some of the security experts I have dealt with only know how to run a few tools to generate a PDF and would not even be able to explain things that their reports show.

Seems like it is a low bar to become a security expert, but true security experts should be able to get really high salaries.

Correct.

The vast majority of roles still pay well but are populated by essentially trained monkeys.

The roles that demand actual knowledge and skill are compensated appropriately, but it probably does require joining a unicorn startup or FAANG to make the most of it, i.e. Cloudflare, Google, Apple in particular.

Have you taken the CISSP exam? Greater than 95% of the complaints I see on HN against certs generally and CISSP especially come from people who have never attempted them.

When I took it in 2010 it was 250 very large questions. You had 6 hours to complete the exam and it only had 60% pass rate despite a $700 fee and requiring an approved resume.

Also, at all my major corporate employers there were security teams. Almost never are those people red teams or blue teams. Almost all of them are policy people or operations people.

My complaint is against the people that hold them who then pretend to have an understanding of real security.

How many of those 250 questions are related to proper implementation of cryptography? How about side channel attacks? How about the relative effectiveness of mitigations like ASLR? How about SELinux? Seccomp/eBPF? I really doubt it.

I can bet you though that it has about 20 questions on SQL injection and input sanitization issues from the early 2000s. A big section on how firewalls are going to save you and that WAFs are the best thing since sliced bread.

CISSP is a certificate for whiteboard warriors that 9 times out of 10 have zero practical experience and even less theoretical understanding of security.

It might help you land a job as a CISO at some random enterprise company, but it's not going to help you successfully defend that company from any credible threat and it's -not- a credible certification for a proper security professional.

The only reason why it helps you land that job is they don't know what they are looking for and have zero ways to evaluate your potential effectiveness or measure your performance (unless you get pwned).

(There are some isolated cases of real professionals being forced to obtain such credentials for the sake of ticking boxes; they are excused.)

I worked in information security for 10 years before I became a developer, so I have seen both sides of the fence. Most developers believe they know more about security than they really do, qualified by their own invented nonsense, and then invent all kinds of fictitious bullshit to qualify those invented opinions.

> How many of those 250 questions are related to proper implementation of cryptography?

Many. Back when I took the test there were 10 knowledge domains, one of which was cryptography, and cryptography by far got the lion's share of attention.

The rest of your comment falls apart into some bizarre nonsense to explain an argument from ignorance. https://www.logicallyfallacious.com/cgi-bin/uy/webpages.cgi?...

If you have no actual experience on the subject, why would you make such spurious biased recommendations?

My point is thus. You can't legitimately argue that you can reasonably understand modern security without understanding modern exploitation techniques. Furthermore you also can't say that a certification that doesn't test for any of this knowledge would then be useful for filtering candidates that have said knowledge.

That is not an argument from ignorance, that is simple fact.

If you are hiring for "security" at an enterprise company where the role generally consists of vendor management then sure, CISSP is probably exactly what you need/want.

If the certification was worth something it would feature more prominently in requirements for companies with excellent security orgs. Notice it's completely absent from https://www.tesla.com/careers/search/job/security-engineer-f... and https://boards.greenhouse.io/cloudflare/jobs/1727694?gh_jid=... and https://jobs.apple.com/en-au/details/200293563/product-secur...

Instead note the prominence of proven vulns, low level language experience, etc.

Lesson is simple. If you want to be good (and paid a shit ton) disregard certs, acquire CVEs.

I've heard good things about OSCP, although I haven't done it myself.