Which route to take?

Hi,

Currently researching which route would be best for me to take, and hope someone can help

My goal is to work in the InfoSec field.

I have just gained a BSc in Computer Science, and must decide whether to continue on to do a Masters in Computer Information Security, or start gaining work experience or jobs and certificates. I believe I have good knowledge of the field, especially penetration testing. Furthermore I have been programming for a long time, and actively program for security (to aid penetration testing / intrusion / amongst other things...). Actively taken part in multiple 'bounty hunts hacks' (often successfully), such as googles reward scheme amongst others..

I don't have a piece of paper saying that I can do these things! + It would be great to be paid for it!
Would I benefit from a MSc, in terms of employability? (I mean, I would probably end up doing the certificated after an MSc anyway?)
Might it be better to gain certificates (end goal being CISSP) and possibly do the MSc later if at all / if need be?

Thanks,

Find more posts tagged with

Comments

the_Grinch

My suggestion would be to start getting experience. It's not that a Masters will hurt you, but in security experience means a lot more.

vlad06

I've been wondering about this.

To have a career in security, do you have to know how to program?

Master Of Puppets

vlad06 wrote: »

I've been wondering about this.

To have a career in security, do you have to know how to program?

Different aspects of security require different things but in short - yes. This is an essential skill the demand for which will only increase. You can be a network security guy and work with firewalls, ips etc. and not need it but you will still find scripting very useful. Even in that case, the programming knowledge will help because you will better understand the threats and, therefore, be better equipped to handle them.

For example, if you are a pen tester, programming is a must. I'm not even going to mention malware analysis and the like since the deal there is pretty obvious. Do yourself a favor and learn the basics if you don't want to go deep.

vlad06

Master Of Puppets wrote: »

Different aspects of security require different things but in short - yes. This is an essential skill the demand for which will only increase. You can be a network security guy and work with firewalls, ips etc. and not need it but you will still find scripting very useful. Even in that case, the programming knowledge will help because you will better understand the threats and, therefore, be better equipped to handle them.

For example, if you are a pen tester, programming is a must. I'm not even going to mention malware analysis and the like since the deal there is pretty obvious. Do yourself a favor and learn the basics if you don't want to go deep.

You have confirmed my worst fears.

I might start with Python then, what would you recommend?

Master Of Puppets

vlad06 wrote: »

You have confirmed my worst fears.

I might start with Python then, what would you recommend?

I think Python is the best choice. Also, how familiar are you with linux? That is again something that will be needed. Bash scripting will also be very nice and it is not hard at all. There is a lot of info about Python resources on the forum so if you do a search, you will find a wealth of suggestions and tips. If you need more help or can't decide on resources, feel free to ask. Good luck and don't worry - programming is not that scary once you start getting the hang of it.

JDMurray

There are many non-technical disciplines in Information Security that do not benefit from a background in programming (e.g., risk management, administrative policies, auditing, and physical security). In fact, I would say that most InfoSec people have never studied software engineering and truly have no idea how software really works. Yes, not knowing how to develop software limits the areas of InfoSec in which you can work, but it by no means excludes you from InfoSec as a profession entirely.

Doyen

Using your programming background, you could become a software auditor in the security field.

docrice

Software auditing is a big issue these days. With so much demand to create new software packages (or more likely, web and mobile apps), companies rush to deliver to market quickly ... and without sufficient security validation. This is why there tends to be a near-guarantee that attackers will find some kind of vulnerability once the app's made public. The mindset to think about how apps can be attacked is very much lacking based on my experience with the development community at large. It's all about creating functionality quickly, ensuring flexibility, and being first to market. This combination does not lend itself to secure development practices when management has short-term profit as the only practical driver. It's very much a deploy-now-fix-later approach.

There used to be a lot of emphasis on network perimeter design and endpoint management when it came to security, but today it gets right into the application and data layers as well. Knowing software will help greatly. I need to take the time to do some of this myself as it inherently limits what I can do or have insight into.