top | item 13224970


SecurityAmoeba | 9 years ago

I do not find this to be entirely accurate. I work as a penetration tester/run the offensive security practice at a small security firm, and I used to spend a fair amount of time performing malware forensics (and taught it a bit at a local university for graduating students who were interested in a two-day crash course... free of course), and I can say with a fair amount of certainty that the industry does recognize and sometimes require certificates. I am not saying a certificate will get you the job, or even that they are a good way to spend your time, but they can certainly get you an interview. For instance, I run a team of about 6 penetration testers, and my time is pretty limited because we always have so much on the go. When I am hiring, I usually ask that someone have the OSCP, OSCE, or GXPN if they are going to apply. In the case of the OSCP and OSCE, they are not cost prohibitive, even for someone covering the costs themselves, and they test one's ability to perform actual penetration testing and report writing. You have a certain amount of time (24 hours OSCP and 48 hours OSCE) to hack into some servers and show your technical chops, and then report on what you did and how you did it. In the case of the OSCE, I will know if you passed that you understand disassemblers, debuggers, exploit code writing, and assembly. That gets you in for the interview, and I can further check out your programming skills, security chops, etc. I am not saying that if someone has a particularly interesting resume, I won't look at them. But when time is limited, and you aren't a Fortune 500, it's a good way to filter out some of the candidates. I will say that certs like the CEH and CISSP don't matter in the slightest bit to me. I could care less about how you do on a multiple choice exam, the only exception being the GXPN because that course is actually relatively grueling.


tptacek | 9 years ago

What firm do you work for? Prior to my career as a professional Internet message board commenter, I cofounded Matasano, ran recruiting for Matasano, and then, after they acquired us, ran recruiting for NCC Group --- which is I believe the largest pentest firm in the US. I've got friends at most of the other big firms, and this is a topic of conversation that comes up a lot.

I'm pretty confident in my answer here.

If you want to know whether someone understands disassemblers, debuggers, exploit code writing, and assembly, have them do tasks that involve disassemblers, debuggers, exploit code writing, and assembly. We had that problem, and we built Microcorruption to address it. But you don't need anything that elaborate.

I get that most firms don't hire this way yet (all of them will within the next 10 years). But so far as I know, none of the reputable firms rely on certifications. Of the top, say, 20 "offensive security" people I know, not one of them has any of these certifications.

If there's a major firm that outsources this stuff to certification programs, that would be surprising news for me.

SecurityAmoeba | 9 years ago

Like I said, it's a small firm (also not in the US, so I don't have anywhere near the pool to pull from that you have, I am sure). I also don't disagree with you, like I said; I am just pointing out that it can be a legitimate way for some people to get a foot in the door at a smaller firm, or a less 'reputable' one, before moving somewhere else. You need to pay your bills while you wait for other opportunities, or develop your skills.

I am slowly working towards moving us into a position where we have more practical methods of finding out if candidates understand the above, but it takes time for me to develop testing methods, etc., while simultaneously completing everything that needs to be completed.

If you have any recommendations, I'm more than open!