
I am a software developer (mostly .NET and Python, about 2-3 years exp.) looking to break into the Computer Security field. I have a GWAPT cert and will have both GSSP-NET and Network+ certs by the end of July. I am a member of OWASP and ISSA in order to network and keep up to date on various issues in the field (I attend the meetings and try to get involved). What can I do to help me get a job in the computer security field as a pen tester or security researcher or really anything that will get me started in that field?

AviD
rayb0t
  • This question should be of interest to you, though it's not an exact duplicate (it doesn't discuss specifics of how to get the job): http://security.stackexchange.com/questions/3772/what-are-the-career-paths-in-the-computer-security-field – AviD Jun 21 '11 at 07:42
  • I want to follow the same path as you, but I am unsure. Did you get a job in IT security, and if yes, what role/niche did you choose? Isn't that career suicide? – abracadabra Jan 03 '12 at 22:35
  • I ended up getting an entry level job doing vulnerability assessment. I think I now have more opportunities open to me than I did before. I still get requests to interview for programming jobs and am doing android dev on the side. – rayb0t Jan 08 '12 at 01:34

3 Answers


This is the career path I've just taken (or am in the middle of, really). As Guillaume says, the best start is to focus on security in your current work. This could mean at your current job, or it could mean taking a similar dev post where you have the chance to concentrate on security.

What do I mean by 'concentrating' on security? If your dev team already follows a security development lifecycle, take on responsibility for some of the tasks as part of that SDL. If it doesn't, start introducing those tasks and leading adoption of an SDL.

Where Guillaume and I differ is at step 2: I didn't get and still don't have a CISSP or any other industry cert, though I do have a postgraduate software engineering qualification that includes security content. That wasn't necessary for getting into software security though: the route I took was to go out and find developers and talk to them about security. This means conference talks, podcasts, blog posts... I even wrote a book. Pretty soon you get recognised as "the security guy" in your chosen field, and the work comes to you.

I also disagree that you lose the ability to code. A lot of what I do now is programming: either implementing security controls for client products, writing tests to research platform security features, or sample code to demonstrate security issues to fellow developers.

  • Both answered with pretty much the same content at pretty much the same time. That's always reassuring validation :-) – Rory Alsop Jun 21 '11 at 08:40

I made the move about 6 years ago. In short:

  1. Work on security in your current job
  2. Get your CISSP or equivalent
  3. Find a security job in an environment you know from your programming (Java, .Net, Linux, etc.)
  4. Never look back

I started to tackle all security related assignments in my development projects (I was team lead back then).

I passed my CISSP certification and waited a few months.

There was an opportunity where a security team needed someone with strong technical expertise, to balance a team where there were mostly networking experts or security policy experts.

I went back to development for a whole year and let me warn you: it is a one way street. You will learn lots of new stuff, but you'll lose the ability to write code blindfolded ;)

ixe013
  • "you'll lose the ability to write code blindfolded" - I should hope so, that way you're looking at the code you write and making it much more secure ;). But I agree, my coding skills are less fluent now, though of a higher quality. – AviD Jun 21 '11 at 07:44

My background was in IT - long term system and network administrator - and I sort of fell into security through it taking more and more of my day job... but you can't count on that happening to you.

I would add to @Guillaume's points with this:

Networking - in the people sense - is key.

Find your local chapter of OWASP, ISACA, ISSA, ISF depending on what your focus is, and join the mailing list, go to meetings...better yet, volunteer to host, sit on the committee, even present a talk (even as a newbie in the industry you will have your perspective on your areas of expertise)

Get known - this will give you more opportunities. It's always a simple fact - you might be right for a role, but if people don't know you, you'll never know...

As for certs, CISSP is useful, as is CISM - they both score very highly among recruiters (in fact you should have a look at this question on professional certifications)

Rory Alsop
  • Your point about certs is a good one. The recruiter speaking at BSides London said that industry certs are given similar weight to relevant Masters' qualifications. As I said in my answer, I didn't need a cert, but that doesn't mean they won't help. –  Jun 21 '11 at 10:36