by z1g1 5104 days ago
I would be interested to see what the HN crowd's opinion on certifications is. Mr. Schneier mentions them in his post, but they seem to be a sticking point in the community as a whole. I have been on the hunt for ~2-3 months now without luck so far. I am currently working on my CISSP, though I don't have the experience to qualify for it (CISSP requires 5+ years; I only have 2+), so even if I pass I can only qualify for the associate level.

I'm not sure if the CISSP is the way to go but I want to feel as if I am moving forward on a career search so I don't get stuck in a rut.


IMO, he's seriously wrong about certifications. (and not really on the right track with this article in general; a good background in making stuff is key to knowing the tradeoffs in securing stuff...)

Maybe the perfect cert would be a useful tool for some purposes (corporate hiring, huge projects with consultants doing low-level IT, etc.), but those are crappy jobs (and not really "expert" in any way).

More importantly, the extant certifications are all crap. CISSP in particular. Get it if an employer requires it, but it's independent of your actual knowledge and learning process.

You will never, ever get the time you waste at a bad employer back. Employers that require CISSPs are far more likely to be wasting your time than not. The most important life lesson I've learned over the previous 10 years: be jealously protective of your time.

If you're in the military, you're basically required to get it, and it's not much more of a waste of your time than other things you could be doing there...

I personally got it just so that no one else in my company would ever need to do so; there are stupid companies which won't buy a product without integration, and where they have artificial requirements for integrators being certified. Given that it is only 1% of useless pain to enable 99% useful rewarding stuff, I found the sacrifice worthwhile.

This comment is a great example of why I'm training myself to be less factional and defensive about people who hold the certificate. The military thing hadn't ever occurred to me.

But to be clear: I believe pretty firmly that for technical / software security, the CISSP is useless.

CCIE Security is probably useful, although that's more CCIE + Security than some abstract security cert, too, and specifically for network security, and specifically the kind of network you get in a corporate environment, not a startup/saas.

I'm not sure how I feel about SANS/GIAC. Absurdly expensive IMO, but potentially actually has some value for sysadmins doing system security. I can't think of what CISSP is actually good for, except maybe trivial pursuit - crappy consultant edition.

Somewhat related - about 2 years ago, my employer had a bunch of us go through the SANS/GIAC GSSP training & certification. Some of the material was pretty boring and of questionable utility, but we had a good instructor, and some of the hands-on parts where we were finding vulnerabilities were actually really fun.

I'm under no illusions about the certification's marketplace value and I doubt I would have ever paid for the course/cert on my own, but it felt like one of the better formal trainings I've been through in my professional career (which, granted, isn't saying a whole lot by itself).

Also, the certificate comes mounted on a comically oversized plaque, which provides some entertainment value.

Strong agree with 'rdl, I recommend avoiding the CISSP altogether. Having a CISSP isn't going to hurt you, except to the extent that it will enable you to get jobs at places you shouldn't be wasting your time with.

What about the CompTIA Security+?

Once upon a time I was a contractor at an insurance company, and I saw that most of the people in their IT department had various certifications hanging on their cubicle walls. I thought, "I want one of those."

So I selected the Security+ certificate, inhaled about two-thirds of a book covering the material, passed the test, framed the certificate and put it on my office wall.

That's about it. It was fun.

Security+ is the "easiest" of the big certs (I did CISSP with about 10 hours of prep, and probably didn't even need that, but I had been working in the field for 15y, read the Rainbow Books when I was 11, and enjoy security trivia for its own sake rather than for application only; it normally takes about 5x more time to prep for than Security+ vs. CISSP).

Security+ seems a bit more focused, and obviously vastly less comprehensive (part of CISSP is some fairly esoteric and never-used theoretical models). In practice I'd say it's on par with CISSP.

https://www.isc2.org/dodmandate/default.aspx DoD considers Security+ to be level I or level II, CISSP to be ok up to level III, although prefers CISM or CISA for certain roles over CISSP.

Most certifications are pretty meaningless, except to suggest to managers that you probably at least know some basic information about the topic covered. If you're out of work, getting some certifications certainly wouldn't hurt, but if you're not worried about trying to find a job, you generally don't need to worry about certifications.

That said, there are a few certifications that are very hard to fake your way through. I wouldn't put much stock in a CCNA or CCNP, for example, but someone who has a CCIE most likely does know quite a bit about the area covered by the CCIE exam. Likewise, the Microsoft Certified Master program, which requires not only exams but a certain number of years of experience (varies by product) in the product you want MCM status for, shows that you've been working with the product long enough that you probably actually know something about it (whether or not it really makes you an expert...). But these certifications don't really say much about your software development skills, which is what the Hacker News audience is probably more interested in.

As someone who used to be CISSP certified (way back in 2003), here's my advice: don't bother. The only reason I got it in the first place was because, honestly, I had more free time than actual experience. Otherwise it's a great way to bullshit your way into a job you're unqualified for in a shitty company.

Focus your efforts on actual learning, instead of proving through a worthless piece of paper.

edit: Just to drive the point home: 9 years later I still don't know shit about security.

If you're going to waste your time on a stupid cert, waste it on a vendor cert around your main technology.

I'd trust a RHSE to know redhat security for redhat deployments more than I'd trust a CISSP, mainly because I put close to negative value on the CISSP, and a lot of infrastructure security is actually following best practices, not anything too specific to security.

For networking, Cisco (assuming a Cisco shop).

For virtualization, I've heard the VMware stuff is good if you're enterprise doing VMware. I wonder if there's value in the Amazon AWS courses for AWS deployments; I'd almost take one just to see what they're like.