Ask HN: Should I become a security engineer?

14 points| isnetsecforme | 9 years ago | reply

I'm an undergrad majoring in Computer Engineering.

I've always been interested in security and love cryptography. I read up on ciphers, hash functions out of interest. I'm surprised when people say Keccak is the best but they've never heard of BLAKE2. I spend most of my day on a vulnerability whenever one is found, and why it happened. Whenever I write code, I consider malicious input from the user and take care to not let it break the application in any way. I have a mindset of simplicity rather than more features.

Is netsec the field for me? I can't seem to find the correct job title. I've been looking at some Security Engineer jobs but most of them deal with network engineering only, and talk nothing about knowledge in crypto and assembly, or experience with Android etc. Although I love networking, I can't find application oriented security jobs.

Where do I start looking? Where do you start looking when you want someone with a security mindset to test your application's security?

PS: I'm looking for a summer internship so if you're looking for an intern, I'd like to get in touch.

13 comments

[+] howlett|9 years ago|reply
I think what you mean is security researcher rather than security engineer.

The easiest thing you can do is e-mail all the penetration testing companies you can find near (or far from) where you live and ask if they are looking for interns or graduates. Even if they don't advertise at the moment, there's a good chance you'll get a positive reply, because the demand is greater than the supply.

Most security companies have a research department which you'll be able to apply for, after you've joined (at least in the UK such departments require security clearance).

Also, having an OSCP or OSCE certificate will definitely get you an interview.

[+] jpgvm|9 years ago|reply
You definitely want to do OSCP if it's something you can afford to do.

Be aware however, it's not cheap nor is it easy.

Having your OSCP though will definitely land you job interviews and will go most of the way of landing the job itself.

[+] JSeymourATL|9 years ago|reply
> Where do I start looking?

Go where the fish are-- start attending conferences. Often the organizers will have a discount rate for students. Sometimes they'll offer free admission if you volunteer at the reception booth for a few hours. Being there in person makes a big impact; it's a signal you're serious.

Here's a good list: https://www.concise-courses.com/security/conferences-of-2017...

[+] alltakendamned|9 years ago|reply
If you want to do cryptography, it's probably easiest to get into it through an academic career. Please understand it's quite a small field where the amount of talkers largely exceeds contributors. Alternatively, start learning and contributing to open source crypto libraries and projects, you'll meet people who can help you.

It's funny you can't find application security job postings, most of the bread and butter work these days is web, mobile and penetration testing. Get into security consulting and you'll do this type of gigs till your fingers bleed.

I'd suggest you learn about security, there's plenty of good info and books to be found and try to apply it instead of talk about it.

Good luck.

[+] isnetsecforme|9 years ago|reply
Thank you for your reply.

I'm not interested in getting into cryptography research since I find it too theoretical. I agree with you about how it is a small field and I think I'll have a very small chance to make a valuable contribution to anyone if I get into cryptographic research.

I think I'll follow your advice on contributing to OSS crypto projects. I've used openssl and crypto++ but I've never really contributed to a real project.

Thanks again.

[+] stuffaandthings|9 years ago|reply
The best advice I can give you is to join a Security CTF team (your college may or may not have one, but there are others that are open to all).

Internships and jobs will open up from being part of a CTF group. It's also A LOT of fun* (*opinion).

netsec might not necessarily be what you're looking for. A position as a Security Researcher is probably what you most fit into... finding the right recruiter can also help you out a lot.

Another (and honestly, easier to get into) security industry is the public sector. Intelligence agencies, military intelligence branches, etc. They'll hire you based on personality and potential, and will train you further. This (in my limited experience) usually means less pay.

Hope this helps. Good luck!

[+] alltakendamned|9 years ago|reply
I like your CTF suggestion. But finding a job as a security researcher will be hard if you cannot show any experience.

[+] throwaway22417|9 years ago|reply
What is your opinion on starting out with government contractors?

[+] isnetsecforme|9 years ago|reply
Thanks for your reply.

Can you please explain what you think differentiates someone working in netsec from security researcher? And where do you think a Security Engineer position would fit in?

Thanks for the public sector advice. Although, I think I won't be a good fit.

Thank you!

[+] crestedtazo|9 years ago|reply
> I'm surprised when people say Keccak is the best but they've never heard of BLAKE2.

I think this is where you belong: www.reddit.com/r/iamverysmary