Re: career advice

On 22 November 2011 21:52, Nathalie Vaiser <nvaiser@xxxxxxxxx> wrote:
Hello all,

I'm hoping to get some direction/advice from some seasoned IT security

In short, I've been in IT for about 10 years (mainly as a system
administrator / helpdesk type of role - web servers).  I've always
been interested in security and have recently taken and passed the CEH
exam so that I can get some kind of foundation to build upon. I know
what I've learned so far is only the 'tip of the iceberg' and I've
been having difficulty deciding where I should focus my learning now,
in terms of preparing myself for a career in security, ideally as a
pen tester but possibly just in a defensive security role.

I find it ALL very interesting, but I've been struggling with finding
a direction and focus for myself.  My current job duties don't involve
much security work but I'm hoping to eventually grow into that role
there. For now I'm taking time outside of work to further my IT
security skills.

It seems 'web application security' is in high demand right now -
however - I'm not a developer or programmer, and probably could never
be a good one if I tried (it just doesn't come easy to me). I assume
if my focus were on web application security I would need to know
more than just how to find vulnerabilities - I would need to be able
to at least consult or work with developers on fixing the problem, so
I'd be very limited and at a disadvantage without any programming
skills (am I right about this?).

I do feel I would be at a disadvantage; for example, I've started
practicing using OWASP WebGoat and am struggling with parts of it,
mainly for my lack of knowledge of Ajax, SQL, etc.

If that is the case (that web application security shouldn't be my
focus since I have no programming/dev background), then I'm not sure
what to focus on, and what would make sense in terms of a viable
future career in security.  Possibly network security may be of
interest, which means I should probably consider studying for the CCNA
to get a much better foundation in networking.

I know no one can decide for me, but what I'm looking for is feedback
on what scopes I may want to consider in the security field that are
large enough that they do encompass a career/job position, with the
caveat that my programming/dev skills are currently nil, and even
though I am considering learning some kind of programming (probably
Perl or Python) I can't see myself ever being extremely proficient
with it.

Thanks in advance for any advice you can offer.


Reading this, it looks like you've chosen web app just because you
think there is work going in that area, but that contradicts what you
say earlier about being interested in security. My best advice for
this is to look at what you are interested in and work on that area to
start with.

As you've been a sysadmin, then maybe look at network security. If
your background is MS, then what areas have you been working in: AD,
MSSQL, SharePoint, etc.? If Linux, then the same question: configuring
Apache... Take that knowledge and look at how it can either be secured
or how it is naturally insecure. I'd guess you've made lots of
mistakes setting things up over the years; think of those and how many
of those mistakes others would also make. Quick example: giving a DB
user full privs rather than just the limited ones they need. Start
with simple things like that and work up, see how others have
exploited these holes, and add your own experience to it.

Basically, have fun; there is no point in changing into security and
ending up doing things you don't enjoy.
