[amerkhalid]

> just get the certs and tell people they need to tick X checkboxes.

Sadly, this is the most common variety of security experts. Some of the security experts I have dealt with only know how to run a few tools to generate a pdf and would not even be able to explain things that their reports shows.

Seems like it is a low bar to become security expert but true security experts should be able to get really high salaries.

[jpgvm]

Correct.

Vast majority of roles still pay well but are populated by essentially trained monkeys.

The roles that demand actual knowledge and skill are compensated appropriately but it probably does require joining a unicorn startup or FAANG to make the most of it. i.e Cloudflare, Google, Apple in particular.

[austincheney]

Have you taken the CISSP exam? Greater than 95% of the complaints I see on HN against certs generally and CISSP especially come from people who have never attempted them.

When I took it in 2010 it was 250 very large questions. You had 6 hours to complete the exam and it only had 60% pass rate despite a $700 fee and requiring an approved resume.

Also at all my major corporate employers there security teams. Almost never are those people red teams or blue teams. Almost all of them are policy people or operations people.

[jpgvm]

My complaint is against the people that hold them who then pretend to have an understanding of real security.

How many of those 250 questions are related to proper implementation of cryptography? How about side channel attacks? How about the relative effectiveness of mitigations like ASLR? How about SELinux? Seccomp/eBPF? I really doubt it.

I can bet you though that is has about 20 questions on SQL injection and input sanitization issues from the early 2000's. A big section on how firewalls are going to save you and that WAFs are the best things since sliced bread.

CISSP is a certificate for whiteboard warriors that 9 times out of 10 have zero practical experience and even less theoretical understanding of security.

It might help you land a job as a CISO a some random enterprise company but it's not going to help you successfully defend that company from any credible threat and it's -not- a credible certification for a proper security professional.

The only reason why it helps you land that job is they don't know what they are looking for and have zero ways to evaluate your potential effectiveness or measure your performance (unless you get pwned).

(There is some isolated cases of real professionals being forced to obtain such credentials for the sake of ticking boxes, they are excused)

[austincheney]

I worked in information security for 10 years before I became a developer, so I seen both sides of the fence. Most developers believe they know more about security than they really do qualified by their owned invented nonsense and then invent all kinds of fictitious bullshit to qualify those invented opinions.

> How many of those 250 questions are related to proper implementation of cryptography?

Many. Back when I took the test there were 10 knowledge domains, one of which was cryptography, and cryptography by far got the lions share of attention.

The rest of your comment falls apart into some bizarre nonsense to explain an argument from ignorance. https://www.logicallyfallacious.com/cgi-bin/uy/webpages.cgi?...

If you no actual experience on the subject why would make such spurious biased recommendations?

[jpgvm]

My point is thus. You can't legitimately argue that you can reasonably understand modern security without understanding modern exploitation techniques. Furthermore you also can't say that a certification that doesn't test for any of this knowledge would then be useful for filtering candidates that have said knowledge.

That is not an argument from ignorance, that is simple fact.

If you are hiring for "security" at an enterprise company where the role generally consists of vendor management then sure, CISSP is probably exactly what you need/want.

If the certification was worth something it would feature more prominently in requirements for companies with excelent security orgs. Notice it's completely absent from https://www.tesla.com/careers/search/job/security-engineer-f... and https://boards.greenhouse.io/cloudflare/jobs/1727694?gh_jid=... and https://jobs.apple.com/en-au/details/200293563/product-secur...

Instead note the prominence of proven vulns, low level language experience, etc.

Lesson is simple. If you want to be good (and paid a shit ton) disregard certs, acquire CVEs.

[austincheney]

This thread isn’t about kernel developers or experienced senior security scientists. It’s about a developer wanting to move into a security job. You have completely left reality to qualify some unrelated personal bias.

[lexdiamonds]

Hmmm....there are many many different aspects to security. Security Architects for example, dont necessarily need to understand the details of CVEs, but the general principles of defence in depth when architecting solutions. Similar to medicine or any other fields, there are sub areas that require specific experience. CISSP gives a good foundation for the security assurance type of roles. Those are security as well. I wouldnt focus only on CISSP if i was after a security engineer, a role that requires specific skills.