
Ask HN: How to become a Security Engineer

8 points| zrpk | 12 years ago

Recently there were some discussions about the Breaker 101 course, as well as OffSec and SANS certifications.

But it looks to me like there is no clear path on how to become a security engineer.

So what is your recommendation? (From training/education to actually finding a job in security.)

10 comments


rjprins|12 years ago

Certifications are nice, but that does not necessarily make people a good IT security specialist.

There is no clear path, but there are many facets to learn about:

* Web application security and popular attacks (such as https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...)
* System and network security (learn to use BackTrack http://www.backtrack-linux.org/)
* Understand and learn how to use crypto: e.g. known crypto algorithms and what they are good for, learn how to apply disk crypto, learn how SSL works, know how you should do password hashing.
* Learn about phishing and social engineering
* Learn about malware, botnets, and zero-day exploits.

Learn about all of them but try to become an expert on just one of these subjects by playing with tools. For example, set up a honey pot system to capture malware. Then try to find the malware on it, and then try to reverse engineer it.

iends|12 years ago

I got a Masters degree in Computer Science and my research focused on software security. I got a bunch of offers to go into security when I graduated. (I decided I was more interested in building things than breaking them and chose a software development role at a startup instead.)

I would suggest working towards CISSP depending on your formal education. If you're interested in software security learn IDA Pro, start a blog, set up a honeypot, start analyzing malware you collect, and write about it.

uwot|12 years ago

The term security engineer is a wide generalisation.

Start participating in CTF (capture-the-flag).

Go to conferences: DEF CON, Black Hat, ShmooCon, DerbyCon. Talk to people.

Read phrack.org.

Learn about the old-school hacker culture.

Hack stuff.

rman666|12 years ago

I hate to say it, but certifications do play an important role in getting HIRED as a security engineer.

rman666|12 years ago

My point being that you could start with getting some of the important certifications (CISSP, Cisco, etc.).

smartwater|12 years ago

What have you tried so far? What were the results? Weighing any options currently?

zrpk|12 years ago

So far I've only tried free stuff like OWASP WebGoat, and some online hacking challenges (HackThisSite, Hellbound Hackers, ...).

I also took a couple of CS security classes in school, but they were not really "hands-on".

andyzweb|12 years ago

"Security is a state of mind." (NSA security manual)