A discussion of cybersecurity certs on twitter
Perry E. Metzger @perrymetzger
I finally realized one of the things that bugs me about most security "certifications" out there. Computer security is warfare. No, really, it's war. There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible. 1/
Now, you can do pretty well as a programmer or sysadmin if you're middle
of the road, because that's not an adversarial game. Security _is_
adversarial. In warfare, you don't survive if you're second rate, you
die. 2/
rest of the thread -
follow on:
A security professional who can't program is like a surgeon who doesn't know much about biology. A security professional who doesn't understand the three most common attacks intimately is like an internist who doesn't know how bacterial infections differ from viral infections.
Comments
-
cyberguypr Mod Posts: 6,928 ModThe security realm is vast. Thinking a security professional NEEDS to know programming is extremely myopic and makes him sound immensely stupid.
-
Jaydel.Leach Member Posts: 43 ■■□□□□□□□□3 words. Separation of duties. It may help to understand code in case a developer is trying to pull a fast one on you, but definitely not the end all. If anything I would say developers need to learn security. Developers trying to get a project out of SDLC quickly without being security focused is probably why I am employed.
-
JDMurray Admin Posts: 13,099 AdminLearning programming is important for understanding "what's going on inside those physical servers and virtual machines in your data center (or Cloud). Computer hardware does nothing without software/firmware to drive it. How a firewall parses packets to make decisions, or how a website accesses information in a back-end database, are all fundamentally problems solved by software engineering, not by information security..
Is programming necessary for an InfoSec professional to be useful? No, there is more to securing information than just software. However, knowing programming sure makes you better at understanding the vast world of information security.
The real questions is, "How experienced does an InfoSec professional need to be in designing/implementing/debugging software for it to be useful in his/her career?" I don't think there is a way to quantify this. The more the better. It's important to touch on everything (OS, Web, tools, scripting engines, databases, exploit writing, etc.), but how deeply is up to you and your interests. -
cshkuru Member Posts: 246 ■■■■□□□□□□More discussion:
pathfinder @path_braenaru 13h13 hours agoReplying to @perrymetzger @taosecurityI entered IT security, with a type of background in it, as i needed a certain income to provide and, compared to first subject (Biology), IT security is damn easy; it is NOT rocket science or surgery and you are delusional to compare to these things As I said, get over yourself
and
Alfie John @alfiedotwtf 12h12 hours ago
Another perspective: infosec is hard because it’s *not* a science, it’s an art. There’s no single exact science to achieve security. It’s heuristical, non-repeatable, and a lot of experimentation to build up the experience needed, and we’d still not have achieved perfect security
Replying to @alfiedotwtf @bizzyunderscore and
It literally is a science, as either the bits exist and are evidenced or they are not. It is much harder to deal with unknowns rather than designed, implemented systems. Try harder if you are trolling because otherwise you just look naïve
personally I find pathfinder's responses almost as unhelpful as the original thread. In my opinion he is going to the opposite extreme from Metzger and minimizing the thought and work that security requires.
-
JDMurray Admin Posts: 13,099 AdminAny security is certainly made difficult by the personalities and politics of the humans involved in it. I assume where pathfinder is everyone does exactly what he says and he has an unlimited budget.
-
TechGromit Member Posts: 2,156 ■■■■■■■■■□No one has an unlimited budget, were I work we spend over 100 million dollars on cyber security over the last ten years, and while were in "compliance" with our security requirements, there's still more room for improvement. The nature of our business requires us to stay competitive in the marketplace, so now that we met our regulatory requirements, the purse strings have been pulled a bit tighter over the last few years. I guess it's an adjustment for me, before money was no object to get into compliance, now that were compliance, upper management is rejecting spending on improvements, I would like to get to make my job easier.Still searching for the corner in a round room.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□I saw some of the discussion on that topic. The guy definitely used some poor wording in various spots. I felt like this guy has some personal issues he was projecting out to the industry or something.Security is both art and science, creative and objective. It's difficult, but it's also easy in that you have to do only just enough...but that "just enough" isn't definable. And so many orgs and people don't even do the basics correctly that we don't have to have a high bar for many security professionals.It's a nuanced enough topic that it is pretty dumb to bring it up anywhere except in person over some beers or drink of choice. Half the time, security folks argue points at each other, not realizing they're on the same side and just really wanting to listen to themselves and not feel out the level of acumen in their dance partner first.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?