Getting started in the security field [books, resources, advice]

This is a sticky topic.

  • Getting started in the security field [books, resources, advice]

    I would recommend that anyone considering entering the security field read this piece that ran on SecurityFocus today. While by no means comprehensive (it almost entirely omits systems security, concentrating mainly on the network side of things), it does provide an overview of certain basic things you will need to know in order to be able to get a foot in the door.

  • #2
    Chris did a presentation entitled "Landing the Coveted Entry Level INFOSEC Job" at the March DC410 Meeting. View it at:
    You're either on my side or else you're in the way.


    • #3
      Pretty good article, thanks for posting it :)
      The only stupid question is the one that you don't ask.
      Or the one that ends up in dev/null.


      • #4
        Originally posted by enCode
        Pretty good article, thanks for posting it :)

        The information was very insightful. Thank you for sharing the article and PowerPoint with us.



        • #5

          Good link... as far as something I am wanting to look into.
          I do think the guy was full of bullshit when he said:
          the ability to at least read code, and ideally program a little bit
          I guess it is all about what you want to specialize in... but still... the guy's about two legs and a chode away from having his head up his ass.


          • #6
            Originally posted by Brandito

            Good link... as far as something I am wanting to look into.
            I do think the guy was full of bullshit when he said:

            I guess it is all about what you want to specialize in... but still... the guy's about two legs and a chode away from having his head up his ass.
            I'd have to disagree here. I know that people come into security every day without any background of coding/scripting or any type of automation, but when you start working on larger projects it becomes an extremely necessary skill. Anytime you look at rolling out large patch deployments, or changing security settings on multiple machines, some type of coding/scripting should come into play, unless you are really keen on consoling into every box and doing it manually. :)

            Don't dismiss that idea that knowledge of code isn't a very important one in security. It may not be everyone's jumping off point, but they should at least consider it.
            Aut disce aut discede


            • #7
              Good find.


              • #8
                Another article about the basics:


                • #9
                  Great article!

                  I wish more people in the security field started out learning "the basics" before they make security their career path du jour.

                  I constantly see people looking for security positions in organizations that can quote router configs and firewall rules verbatim, but don't understand how a packet is built and routed.

                  (edit) Sorry all. I should have looked closer at the dates on the post.
                  "Ain't no party like a Deeeeeetroit party, 'cuz a Deeeeeetroit party don't stop."


                  • #10
                    One year later...

                    Hey, it is a sticky thread, so why the hell not reply? I have to say, after ten years in the industry, that it is absolutely essential for security professionals to have detailed knowledge of programming, scripting, and the program execution environment provided by one or more operating systems. To be blunt, I have never met a good security person that did not know how to write code and scripts. Some may have not written C in quite a long time, but they remember enough to apply source patches and understand what a stack frame looks like in memory on an x86 machine. Now understand that there is a big difference between understanding how to program and being a software developer.

                    I would not consider myself a software developer, even though I know x86 asm; C/C++; Python; Ruby (which rules btw); gdb; and a bit of lisp, perl, Tcl, shell, etc. I have written code for commercial products and implemented internal products that were several thousand lines of code. But being a software developer implies one is a master of CVS/Perforce/Subversion, profilers, various design methodologies, common and not-so-common algorithms and data structures, design patterns, and adheres to team development processes. I have little interest in those things and, no surprise, little skill in those areas. That is part of the difference between being a hacker and a software developer ;>

                    All that said, I agree with Don Parker (author of the SecurityFocus article quoted in the first post) that understanding TCP/IP is very important for security professionals. Actually, for many years my colleagues and I would use questions about TCP/IP to do initial screening of potential candidates for security jobs. It was mind blowing how many people with credentials (either by actual certification, apparent job experience, or by reputation) would fail miserably on pretty simple TCP/IP questions. We would also notice that many experienced software developers had no real idea how TCP/IP worked either, and we would end up debugging their programs and application protocol implementations.

                    When people ask me what information they need to know to be good at security, one of my recommendations is always to read "TCP/IP Illustrated Volume 1" by Richard Stevens (RIP) and remember 30% of it :) My other recommendation is to learn an assembly language, C, Ruby/Perl/Python, and Lisp (in that order). I would now add IDA Pro to the list, since the ability to reverse engineer software is becoming an important part of the security realm.

                    The job that Don Parker is describing would be a network IDS analyst, and to be honest that is a boring and inconsequential security job. NIDS has ever decreasing value in the enterprise environment, and more attention is being placed on application level vulnerability analysis and remediation, compliance verification processes and tools, and forward thinking to anticipate the direction threats such as phishing and client-side exploitation are taking and how to protect against them.
                    I program my home computer


                    • #11
                      This is probably old information, but I will post it anyway. The NSA has many programs for high school and college students wanting to get into the security field. I believe some of the programs include paying your college tuition and a guaranteed job when you graduate. Check it out at


                      • #12
                        This was a perfect thread for me. I am as green as they get! After many years of trying to figure out what exactly I want to do in the computer field, I finally realized that Security is where I want to be. Then, trying to figure out where to start and whose advice I should take, this thread answered that for me! This will be a good starting point. Thanks!


                        • #13
                          Article on this topic


                          From the beginning of the article:

                          Security Manager's Journal
                          By C.J. Kelly
                          NOVEMBER 07, 2005

                          My decision to stay in my current job for quality-of-life reasons
                          provoked emotional responses from several readers. Some of those who
                          wrote to me about that column [QuickLink 57182 [1]] had made similar
                          decisions. But a few, after reading about how I turned down multiple
                          job offers, asked, "Where are all these jobs you keep talking about?"
                          I felt compelled to do a little research on the information security
                          job market and present the results here.


                          • TheCotMan
                            TheCotMan commented
                            A user later in this thread mentioned that the URL provided to the article here is no longer working. A search with Google found a new URL to the same article:

                            I did not feel comfortable abusing my mod controls to edit your post, but a comment works well enough. You are welcome to edit your own post if you want.

                        • #14
                          Getting started (and continuing) in the security field

                          I remember reading the article that skroo posted last year. Was definitely time for a re-read.

                          Gaining and maintaining basic skills can be challenging in this field, as one also needs to stay on top of emerging technologies and what types of vulnerabilities they may introduce into an existing infrastructure. I speak from experience that running from short-term engagement to short-term engagement does not facilitate either one, and increases the challenge of keeping one's skills sharp in an ever-changing field. Nor does the necessity of maintaining useability percentages provide one the freedom necessary to "play" with their own creative ideas and concepts to share with others.

                          The article posted by Dark Tangent points out that opportunities to work in the field are out there, and are increasing. However, one must be cautious: While high salaries and sexy job titles may be a big draw, if one is too stressed and too busy to really enjoy their craft, there really is no point to it. I do what I do because I love it. And I want to keep loving it. And I want to always give good security advisory foo to my clients while maintaining some semblance of a life. This last article as well as the first posted are good reminders of that to which one should pay attention. Thanks, gentlemen.



                          • #15
                            Although some of the authors are real jackasses, this book might be of use to someone looking into the INFOSEC field. Never mind the title.

                            Aut disce aut discede