Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Ask HN: How to become a Security Engineer
8 points by zrpk on Jan 14, 2014 | hide | past | favorite | 10 comments
Recently there were some discussions about the Breaker 101 course, as well as OffSec and SANS certifications.

But it looks to me like there is no clear path on how to become a security engineer.

So what is your recommendation ? (from training/formation to actually finding a job in security)



Certifications are nice, but that does not necessarily make people a good IT security specialist.

There is no clear path, but there are many facets to learn about:

* Web application security and popular attacks (such as https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Proje...) * System and network security (learn to use BackTrack http://www.backtrack-linux.org/) * Understand and learn how to use crypto: e.g. known crypto algorithms and what they are good for, learn how to apply disk crypto, learn how SSL works, know how you should do password hashing. * Learn about phishing and social engineering * Learn about malware, botnets, and zero-day exploits.

Learn about all of them but try to become an expert on just one of these subjects by playing with tools. For example, set up a honey pot system to capture malware. Then try to find the malware on it, and then try to reverse engineer it.


http://www.matasano.com/articles/crypto-challenges/

Complete the Matasano crypto challenges and hope they offer to interview you.


I got a Masters degree in Computer Science and my research focused on software security. I got a bunch of offers to go into security when I graduated. (I decided I was more interested in building things than breaking them and chose a software development role at a startup instead.)

I would suggest working towards CISSP depending on your formal education. If you're interested in software security learn IDA Pro, start a blog, set up a honeypot, start analyzing malware you collect, and write about it.


I would recommend you course from NYU: http://pentest.cryptocity.net/

It covers most modern aspect of software security.


The term security engineer is a wide generalisation.

Start participating in CTF (capture-the-flag).

Go to conferences: defcon, blackhat, shmoocon, derbycon. Talk to people.

Read phrak.org.

Learn about the old-school hacker culture.

Hack stuff.


I hate to say it, but certifications do play an important role in getting HIRED as a security engineer.


My point being that you could start with getting some of the important certifications (CISSP, Cisco, etc.).


What have you tried so far? What were the results? Weighing any options currently?


so far i've only tried free stuff like OWASP WebGoat, and some online hacking challenges (hackthisite, hellbound hackers, ...)

i also took a couple of CS security classes in school but they were not really "hands-on"


security is a state of mind —NSA security manual




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: