Ask HN: Switch from development to security?
62 points by eftel on Oct 24, 2021 | 62 comments
Hi HN,

I’ve been working as a software developer for the last 10 years. Fullstack with a strong tendency to Python in the backend.

I’ve never really worked for a company as an employee. All I have done is work as a contractor/freelancer or for my own startups (with one semi-successful exit). Currently I’m working for a multi-billion-dollar company as a contractor, leading a small team of four people.

I love programming but I was always interested in the security kind of things (the startup was security related). Is there a good way to transition from software development to security? What are my chances of getting employment in a large-ish organisation without real job experience in security?

As a contractor, I’m currently making 120k EUR/year from Europe (100% remote). Is it realistic to find a remote position paying equally?

My current contract will probably run out in around 6 months. I’m currently trying to get a CompTIA Security+ certificate. Does that make sense or can I spend my time better doing something else?



Unless you want to recite the OWASP top 10 to people and generally be useless, don't listen to anyone telling you that certs (especially CISSP) are useful for breaking into (hah) the security field.

Generally security has 2 major schools, offensive (red team) and defensive (blue team). To be good at the latter you first need to understand the former. This means what you should instead be doing is learning the basics of exploitation. OSCP, which was mentioned here, is excellent, but it's also not easy to complete right out of the box; you will want to start with easier stuff and work your way up to it.

One thing worth noting though is that it can be hard to transition from a build to a break mindset. Which might mean that even after you learn some decent exploitation techniques, binary analysis etc., you might be better off batting for the blue team. Blue team mostly revolves around mitigations and defense in depth, which is why it's crucial you know red team to start... you can't put walls in the right place if you don't know where the enemy is coming from.

Of course this really depends on if you want to be a real security expert and be damn good at what you do or if you just want to get paid for being in "security". If the latter you can ignore everything I said and just get the certs and tell people they need to tick X checkboxes.


> just get the certs and tell people they need to tick X checkboxes.

Sadly, this is the most common variety of security experts. Some of the security experts I have dealt with only know how to run a few tools to generate a PDF and would not even be able to explain things that their reports show.

Seems like it is a low bar to become a security expert, but true security experts should be able to get really high salaries.


Correct.

The vast majority of roles still pay well but are populated by essentially trained monkeys.

The roles that demand actual knowledge and skill are compensated appropriately, but it probably does require joining a unicorn startup or FAANG to make the most of it, i.e. Cloudflare, Google, Apple in particular.


Have you taken the CISSP exam? Greater than 95% of the complaints I see on HN against certs generally and CISSP especially come from people who have never attempted them.

When I took it in 2010 it was 250 very large questions. You had 6 hours to complete the exam and it only had a 60% pass rate despite a $700 fee and requiring an approved resume.

Also, at all my major corporate employers there were security teams. Almost never are those people red teams or blue teams. Almost all of them are policy people or operations people.


My complaint is against the people that hold them who then pretend to have an understanding of real security.

How many of those 250 questions are related to proper implementation of cryptography? How about side channel attacks? How about the relative effectiveness of mitigations like ASLR? How about SELinux? Seccomp/eBPF? I really doubt it.

I can bet you though that it has about 20 questions on SQL injection and input sanitization issues from the early 2000s. A big section on how firewalls are going to save you and that WAFs are the best thing since sliced bread.

CISSP is a certificate for whiteboard warriors that 9 times out of 10 have zero practical experience and even less theoretical understanding of security.

It might help you land a job as a CISO at some random enterprise company, but it's not going to help you successfully defend that company from any credible threat and it's -not- a credible certification for a proper security professional.

The only reason why it helps you land that job is they don't know what they are looking for and have zero ways to evaluate your potential effectiveness or measure your performance (unless you get pwned).

(There are some isolated cases of real professionals being forced to obtain such credentials for the sake of ticking boxes; they are excused.)


I worked in information security for 10 years before I became a developer, so I have seen both sides of the fence. Most developers believe they know more about security than they really do, qualified by their own invented nonsense, and then invent all kinds of fictitious bullshit to qualify those invented opinions.

> How many of those 250 questions are related to proper implementation of cryptography?

Many. Back when I took the test there were 10 knowledge domains, one of which was cryptography, and cryptography by far got the lion's share of attention.

The rest of your comment falls apart into some bizarre nonsense to explain an argument from ignorance. https://www.logicallyfallacious.com/cgi-bin/uy/webpages.cgi?...

If you have no actual experience on the subject, why would you make such spurious, biased recommendations?


My point is thus. You can't legitimately argue that you can reasonably understand modern security without understanding modern exploitation techniques. Furthermore you also can't say that a certification that doesn't test for any of this knowledge would then be useful for filtering candidates that have said knowledge.

That is not an argument from ignorance, that is simple fact.

If you are hiring for "security" at an enterprise company where the role generally consists of vendor management then sure, CISSP is probably exactly what you need/want.

If the certification was worth something it would feature more prominently in requirements for companies with excellent security orgs. Notice it's completely absent from https://www.tesla.com/careers/search/job/security-engineer-f... and https://boards.greenhouse.io/cloudflare/jobs/1727694?gh_jid=... and https://jobs.apple.com/en-au/details/200293563/product-secur...

Instead note the prominence of proven vulns, low level language experience, etc.

Lesson is simple. If you want to be good (and paid a shit ton) disregard certs, acquire CVEs.


This thread isn’t about kernel developers or experienced senior security scientists. It’s about a developer wanting to move into a security job. You have completely left reality to qualify some unrelated personal bias.


No, it's not.

It's about a clearly technical person looking to get into security that already makes a high salary and wants to retain that.

I gave (IMO) very solid advice on what to do and what to avoid if you want to remain technical and meet his desired salary, i.e. learn the technical side first, do OSCP, land a job somewhere that values security highly.

You haven't added anything of substance other than trying to argue from authority that somehow these certificates are useful without anything that would actually help him on that path. If you instead offered anecdotal evidence for how your certifications actually helped you in the real world I would be much more inclined to give you the benefit of the doubt but as it stands I think you are just offended that I don't consider such certifications to be worth the paper they are printed on.


The problem is why you would give that advice at all if you do not have any related experience? I do find that offensive.


I gave that advice based on what everyone technical around me that works in security also advises; additionally it's the path most of the successful ones have taken or wish they had taken.

My related experience is two-fold, yes I know many practicing professionals but additionally I am generally on the hiring committee for security so my opinion matters on whether or not a security professional gets an offer from companies I work at.

So I would say that is pretty relevant.


Hmmm... there are many, many different aspects to security. Security Architects, for example, don't necessarily need to understand the details of CVEs, but the general principles of defence in depth when architecting solutions. Similar to medicine or any other field, there are sub-areas that require specific experience. CISSP gives a good foundation for the security assurance type of roles. Those are security as well. I wouldn't focus only on CISSP if I were after a security engineer, a role that requires specific skills.


I've heard good things about OSCP, although I haven't done it myself.


There are some development jobs in security, which would obviously be an ideal position as you could leverage 100% of your skills. That's how I got my role. Some larger companies will have development teams that create tools for their security org.

Also, every security company out there - Mandiant, CrowdStrike, Kaspersky, etc hires developers all over the place. That would be a good spot to get a start.

Past that, there are a couple of possible options.

Larger companies will also have Threat Intel teams and those teams may work on custom solutions and require developers to help them with it. But it may be sort of tough to find a role without any security knowledge.

If you have a good amount of system admin knowledge, you could also look at an Analyst role, and work as someone who responds to security alerts for an org. The problem is that you will likely take a pay cut for this type of role. The more senior level roles would probably pay you similar to what you're making now (I think), but that'll be 3-7 years of work.


I made the transition from software to security over a decade ago.

I took the academic route, and did a Master's degree in Information Security. I tried to get more security experience in my work.

Wasn't a fast transition for me, but I was fascinated by the subject, and wanted to really study it.

There are other and probably faster routes, but it really depends what interests you. It's a broad subject.

Offensive security can be good to learn, maybe look at doing something like OSCP.


Are there any academic programs you recommend?


https://www.heinz.cmu.edu/programs/information-security-poli... (less technical, policy focused)

https://www.cmu.edu/ini/academics/msis/index.html (more technical).

In either program you can take classes from any other graduate or undergraduate program at CMU (except music or acting).


I studied at Royal Holloway, which is one of the best Masters degrees out there in info sec.

It was also one of the first to offer it by distance learning back in 2003, which may have influenced my decision also ;)


A bunch of great answers.

I've been in offensive security for ~10 years now and am a staff at one of these billion dollar SV tech companies now.

If you want to do pentesting (though I prefer the term offensive security), my advice is to learn the basics of web app security with something like PortSwigger's course https://portswigger.net/web-security.

Since most tech is really APIs and web apps, this course would be able to get you productive and probably a junior-level skill set. OSCP is also good, but I find network hacks are not as applicable today thanks to the cloud, though the thinking process and creative puzzle solving could be worth it.

I would participate in as many CTF-type challenges as possible (http://www.xssgame.com), then apply to jobs. Make it clear you are a junior but good at Burp and web testing.

Good luck!


I would say that your mindset as a developer is a plus. You could start focusing on how to apply security knowledge to CI/CD pipelines, which should be your daily business right now anyway (from a developer’s perspective). So how to make containers safe, dependencies always up to date. These are already hard problems to solve and your developer's mindset and skill will help you: how to implement this stuff for yourself and also keeping a developer’s perspective in the CI/CD process.

Shift left on security. Make it a win-win situation for everybody.


Answers might be more helpful if OP was a bit more specific on what they had in mind with "security", which is awfully broad.


Yeah. There's a very big difference between pen testing and coming up with SOC compliant processes.


So it is possible to make the switch (IMO) but, in Europe, I think you may struggle to find a matching salary when starting out in security.

To give you some idea https://twitter.com/tazwake/status/1451702586348818435?s=20 is actually (IME) pretty close to UK Infosec salary ranges.

Past that, if you're still interested, I'd say you want to focus a bit on what sort of security work you want to do, there's a massive range, and the qualifications and experience vary.

With a dev. background, something like Appsec work is likely to be the closest, or maybe DevSecOps. The advantage of both those paths is that they kind of sit between development and security, so you can leverage your existing development experience, when looking at roles.


Are there any possibilities for you to first work at a company doing full stack dev in a way that allows you to interact with security teams? Stuff like implementing the OWASP top ten? That was how I built up a skill set and knowledge base in security.

As with any lateral change you should consider if you'd really enjoy the change. Security is a very interesting landscape, but it turned out I really enjoy having a more direct impact on product development, so I haven't totally made the switch. But security experience has definitely made job searches easier; recruiters specifically target folks with product/security experience and there are a lot of opportunities in the space.


That’s a good idea! Did you actively plan to change your path or was that something that just happened because it was interesting to you?


I did not actively change my path; I was exposed to security through my daily work as a full-stack dev at a security-focused startup, I had great mentors and colleagues who I was able to learn a great deal from, and I discovered I had a real knack and interest in cybersecurity. It's been fun, for sure!


Handy cert for pentesters is OSCP.

Train via hackthebox.eu


Most comments seem to focus on active security testing. My experience is that this is just 20% of what companies call Security.

80% of the effort is compliance, regulations and getting "holes plugged".

For one to be successful in corporate security, you better be good at PowerPoint and selling ideas / wishes.

Currently my role is managing a bug bounty program for a largish company. Getting a service on-boarded (explaining the benefits and expectations) is 40% of the work, agreeing with the service owner on the CVSS scoring 10%, getting a service to fix a finding about 20%, and the rest of the work is the cool stuff (validating findings, communicating with the hackers & setting a bounty).

So my "advice" to you would be, figure out what exactly you want to do "in Security". If you like to get your feet wet in the technical space, sign up to a Bug Bounty program and start searching. If you want to be administratively involved, by all means apply for any of the "looking for security officer / manager" job offerings.


My suggestion would be to move to something security adjacent that still uses your software skills.

Options:

   * devops (mentioned in other comments)
   * auth (lots of needs for crypto and other security knowledge)
   * cloud security (gobs and gobs of need for this)

You could do this by trying to transition internally, but that will be difficult because of your position as a contractor. You could try to get hired as a FTE by your current company.

Another option would be to seek out a security company that has dev needs. You could do this with a smaller company (like r2c), a medium size company (like snyk) or a large company with security needs (like github). At each of these companies, they'll probably want you full time.

I don't know about certs as a means for getting hired, but they certainly have helped me dive deeper into a topic (a forcing function, if you will). If you were into the cloud security option, for example, I'd probably get the AWS arch cert and then the security specialization.

HTH.


I moved from fullstack development to pen testing. I don't have any certs, but I'm working towards one purely because clients prefer it.

Previously I had worked for a startup in the finance space and had increasingly been more involved in the security aspects of our development process. I was impelled to make the jump to security because I wanted to dive deep into the topic and I knew I wouldn't get the depth of knowledge from my SWE job.

The majority of people in security I come across have a surface level knowledge of many topics and depth in perhaps one topic, which will give you an advantage in your previous domain (i.e. web applications).

In my country, the pay for pentesters is lower than for developers by 10-15%. In my experience day rates for testers ranges from 800-1400 EUR.


The easiest way to transition is to transfer internally in a company you already work for. However that doesn't seem like something available to you.

Try maybe looking for roles labelled "software security engineer" - those might be more likely to take a pure software background.

> I’m currently trying to get a CompTIA Security+ certificate.

Certs are not respected in the security industry, especially the easier ones like Security+, to the point where it's almost considered a negative signal on a resume. Some of the harder ones like CISSP are controversial, in that it depends where you're applying whether or not it's worth anything.

As a general rule, I would not bother with certs, but they can be useful as a general study guide sometimes, if you're not sure where to start.


> Certs are not respected in the security industry, especially the easier ones like Security+

I'm a software engineer and have no certs myself; however, I'm familiar with the security-related certs. I find it bizarre that an industry would find the certs useless, as certs at least give a baseline. You can give someone a bunch of tests at interview, but there's no way you can check someone's knowledge in just a few hours - unless your tests look something like the questions you'd be asked to gain a cert! I'm trying to get a Network+ cert, but it's taking me a while due to the massive amount of stuff you have to learn... and Security+ is seen as the next cert after that. I've learnt a massive amount already, so cannot see why it would be useless or seen as a negative. It's almost like saying "nah, we won't use this standard baseline, we'll be the judge!"

I wish the software dev industry would embrace certs a bit more. Hiring is basically a massive gamble. Recent example: a chap I worked with who had been a programmer for decades... didn't know what Base64 was, and used globals a lot. This is basic stuff.


It's not that certs are inherently bad [although they are easy to game and tend not to be very related to job skills], it's that they are highly correlated with not knowing anything.

People who know stuff have no need to get certs, so they don't, even though they could easily pass the test. The end result is the only people who get certs are the people who have nothing better to put on their resume, which typically are bad hires.

I suspect the main reason CISSP is worth anything to anybody is you have to have at least 4 years experience to take it, and having 4 years is definitely worth something.


I understand the premise and perspective here around certs, but as a hiring manager on dozens of hires it leaves me sick.

It’s chicken and the egg. How does a candidate get the experience if they cannot get the job for that experience? They up-skill via courses and certifications. Now certs are a red-flag for the opportunity they’re applying for?


We (Workiva) currently have an open rec looking specifically for people like you: engineers who are interested in pivoting into security. You're more experienced than the baseline that rec is designed for, but that's where negotiation comes into play :)

I hope you check us out: https://workiva.wd1.myworkdayjobs.com/en-US/careers/job/Ames...

If not with us, then I have no doubt you'll find other companies looking for something similar. People in your shoes are in high demand.


That sounds super interesting! I’m still on a contract for at least 4 months. Is there a way to reach you? Mail?


Yeah :) easiest way is probably to DM me on twitter -- @ojensen5115


There is a lot of talent missing in security. With your programming background, you are ahead of those that have no operational experience. Check out the certs others mentioned. Also decide what you want to do (or start with) in security: risk management, vulnerability management, incident response, pentester/red-teamer, social engineer, SOC, etc. Also realize that you may have to start at an entry level. Tier I/II SOC work, for example, would give you some experience to leverage for other roles.


Recommended reading: https://securityhandbook.io/


Since you know Python... what about Threat Hunting?

I work with a Data Scientist turned Threat Hunter (which means you model and find stuff using data gathered for security).

Warning: like most data science-related jobs this can be a "lonely" position. I mean, very few people will understand you and your job, but they will buy the results.


CISSP.

A buddy of mine is KILLING it in security - and he got a 30% raise and a $100,000 sign on bonus from his new gig plus a $40K sales bonus less than six months after joining.

But you actually need to be interested in security to succeed.


Any company that values certs in InfoSec is not a company you want to work for. There are specific government roles that require certs, and thus there exist good companies that make a token nod to paying for their folks to get certified, but the CISSP isn’t going to teach useful skills and any company that says otherwise is a huge red flag.

Best route depends on what band of security you want to get into. Pentesting? Building systems? Incident response? It’s a big field. But essentially, would recommend getting your hands dirty, go poke at some bug bounty programs to get your feet wet. That’ll help you narrow down what you want to do and get a sense of what attacks look like in the modern era, which are the 2 really useful outcomes.


Palo Alto Networks. Government Clients....


It’s not clear to me what you’re trying to say? I specifically mentioned that there are roles that require certs due to government regulations, and at companies worth working for, you get hired as you are and they pay for you to hit whatever checkbox certs the role needs on paper.


We are on the same page. I mentioned CISSP as a goal to seek out.... not "start out the gate at CISSP"

The guy said he was a full stack SWdev for ~10 years... I am sure he is technical enough to understand the path...


We aren’t on the same page. CISSP is not a goal. For security jobs, there are 3 possible states with regard to certifications (CISSP, SEC+, etc.):

1. Your employer doesn’t care about certs, and their customers don’t care about certs, and so you don’t need to worry about certs.

2. Your employer doesn’t care about certs, but they have customers (like the government) who believe erroneously that certs are desirable. So your employer pays for you to go get the fancy piece of paper so their customers will pay them. This is no different than any other checkbox requirement from the customer.

3. Your employer cares about security certs. This is a sign that you don’t want to work there.


I second the cissp cert. Seems to be more prevalent or sought after than security+. I think GSEC is another cert, or group of certs, that I hear about more than security+ too.

I don't know about the money part. The $120k EUR salary already sounds high to me, and this $100k bonus stuff sounds very high to me also. Maybe these are outliers. The median for an infosec analyst seems to be $103k vs $110k for devs in the US.

https://www.bls.gov/ooh/computer-and-information-technology/...

It's also possible that I'm a jaded pessimist since I'll never make that sort of big money.


103k-110k (assuming that is total comp) sounds shockingly low for the USA. At least I feel like it would be low for SF; maybe the rest of the USA is dragging it down.

https://www.levels.fyi/comp.html?track=Software%20Engineer&s... shows much higher but maybe they only track higher end jobs.


Those are the medians. SF would be substantially higher. Much of the US would be pretty close. I think Levels has a bit of tech, and maybe high earning, bias. Places like Glassdoor and Indeed are showing similar results to the BLS medians.


I’m currently making the 120k EUR as a contractor which means I have no benefits. I have to pay health insurance, retirement plan, my work laptop, office space, etc. which is normally covered by your employer (at least here in Germany).

I think it’s comparable to 85k - 95k EUR/year if you are employed.


My total comp falls short of that range (adjusted for USD) and I still have to pay a hefty chunk for benefits too. Seems like the range you listed is around the median for the US. Not sure what it would be in the various EU countries, although I've always heard it's lower for many/most.


Reading about CISSP, this is listed as a requirement:

> Possess a minimum of five years of direct full-time security work experience in two or more of the (ISC)² information security domains (CBK).

Looks more like an intermediate/senior level kind of certificate?


Yeah, it's not for getting into the field at all.

The cert you're pursuing, Security+, is much better suited for that.


You'll also learn about fencing requirements and where fire extinguishers should go.

CISSP is not a cert to get as an entry point into the field.


CISSP shouldn't be an entry level cert. Something like SSCP or CSSLP might fit better here.


You need 4 or 5 years experience in a few CISSP domains before you can get it.

So not a great one to pursue at first.


How do you even make 120k per year? What kind of software are you developing? What country are you based in exactly? How did you find your clients? Sorry for asking so many questions, but I have found it difficult to charge such a rate.


I’m based in Germany. Currently building a webservice with lots of different integrations, mostly Python. We basically build the whole thing, choosing our own stack. On my day-to-day I work on developing the platform but also on integration and lots of management to bring multiple parties on the same page.

I’m charging 100 EUR per hour, which seems in line with what others with the same amount of experience are charging. The client I’m currently working for contacted me through a freelancer platform here in Germany.

With me, there are three other devs working on the platform. I was their “first hire”, leading the team. Other team members charge a bit less at around 75 EUR per hour.


What is the platform you're referring to?


Might be gulp.de ?


What web framework do you use?


This is a bit of a tangent, and salary is often discussed on HN.

Companies whose software is important enough will gladly pay that.

There are two ways to get to a significantly higher salary; one is finding out what people who earn more do better than you, and do that, and the other is boldly asking for more. You can do either one or both. I've always felt better having some reason why I should have more. (Also, I always earned $93k-105k. I once had the option to earn $144k doing Drupal, and another time $122k at close to zero tax doing Blockchain, but my biggest career mistake so far was taking a job just for the pay raise.)

