Systems programming to InfoSec -- career and certification advice please

I've been a firmware developer for 10+ years now. Spent all the years in C & a bit of assembly language programming, programming microcontrollers, device drivers, working with real-time OS, etc.

While doing all that, out of interest and curiosity, a few years ago I got trained (got myself enrolled in weekend classes) in EH, penetration testing, forensics, BackTrack, etc. But, somehow all that stopped after the course and I continued with my embedded systems programming job. Although never been in a managerial role, I got a certificate in project management.

InfoSec has always fascinated me, so now, what does it take to change domain and move to InfoSec? What sort of certifications - CEH, CISA, CISM, CISSP or some other - could help me in this regard? Would I be required to start with an entry-level infosec job? In the first place, is it wise to think about career change at this stage? I'm from India.

I'm totally confused and looking for some serious advice. Thank you.

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

JDMurray

Having a software development background is a huge benefit for many types of Information Security careers. You understand how the insides of software and firmware work, including security devices themselves, and you understand logical vulnerabilities created by bad coding and misconfiguration.

I would recommend that you move into application security, which looks for vulnerabilities in software designs and implementations. Many software teams now have dedicated security people to review code and act as security testers during the quality assurance stage of the Secure Software Development Lifecycle (SSDLC). This would also allow you to start studying "hacking" via the penetration tests you will need to develop for the software you will be testing.

Have a look at the objectives of the CSSLP certification and see if that's the type of InfoSec you would like to move in to first. Also search these forums for "OSCP" and check if application hacking is to your liking as well.

vccground

Will read more about CSSLP. A CEH isn't much of help in your view? Thanks a lot.

Danielm7

I'd look at the OSCP considering the training you've already done, it looks like it would fit well. When I read about security certs a lot of them get badmouthed by actual security people, the CEH is probably the biggest target. But for pen testing, I've never seen someone say a bad thing about the OSCP.

colemic

vccground wrote: »

Will read more about CSSLP. A CEH isn't much of help in your view? Thanks a lot.

In most 'lists' of certs that people create that they want to take, or think will benefit them, usually the CEH is towards the bottom (if it is there at all.) There are simply other certs that provide better value (both cost-wise and material learned-wise) than the CEH. Not that it's a bad cert to have necessarily, it's just not the 'most' beneficial.

Both of the certs JDMurray mentioned are solid, have respectability, and are becoming more visible (and valued) in the InfoSec space.