A discussion of cybersecurity certs on Twitter

cshkuru Member Posts: 246
It was getting kind of heated yesterday on Twitter in response to a thread started by Perry E. Metzger (whom I have never heard of before, but who talks like he is a big deal. Maybe he is, I don't know. The LinkedIn profile I found for a Perry Metzger, not necessarily the same one, seemed impressive but not overly so). I thought I would share and see if you guys agree or disagree.

Perry E. Metzger @perrymetzger

I finally realized one of the things that bugs me about most security "certifications" out there. Computer security is warfare. No, really, it's war. There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible. 1/

Now, you can do pretty well as a programmer or sysadmin if you're middle of the road, because that's not an adversarial game. Security _is_ adversarial. In warfare, you don't survive if you're second rate, you die. 2/

rest of the thread -

follow on:  

A security professional who can't program is like a surgeon who doesn't know much about biology. A security professional who doesn't understand the three most common attacks intimately is like an internist who doesn't know how bacterial infections differ from viral infections.


  • cyberguypr Mod Posts: 6,928
    The security realm is vast. Thinking a security professional NEEDS to know programming is extremely myopic and makes him sound immensely stupid.
  • Jaydel.Leach Member Posts: 43
    3 words. Separation of duties.  It may help to understand code in case a developer is trying to pull a fast one on you, but definitely not the end all.  If anything I would say developers need to learn security.  Developers trying to get a project out of SDLC quickly without being security focused is probably why I am employed.
  • JDMurray Admin Posts: 13,025
    Learning programming is important for understanding what's going on inside those physical servers and virtual machines in your data center (or Cloud). Computer hardware does nothing without software/firmware to drive it. How a firewall parses packets to make decisions, or how a website accesses information in a back-end database, are all fundamentally problems solved by software engineering, not by information security.

    Is programming necessary for an InfoSec professional to be useful? No, there is more to securing information than just software. However, knowing programming sure makes you better at understanding the vast world of information security.

    The real question is, "How experienced does an InfoSec professional need to be in designing/implementing/debugging software for it to be useful in his/her career?" I don't think there is a way to quantify this. The more the better. It's important to touch on everything (OS, Web, tools, scripting engines, databases, exploit writing, etc.), but how deeply is up to you and your interests.
  • cshkuru Member Posts: 246
    More discussion:

    pathfinder @path_braenaru 13 hours ago

    I entered IT security, with a type of background in it, as I needed a certain income to provide and, compared to my first subject (Biology), IT security is damn easy; it is NOT rocket science or surgery and you are delusional to compare to these things. As I said, get over yourself.


    Alfie John @alfiedotwtf 12 hours ago

    Another perspective: infosec is hard because it’s *not* a science, it’s an art. There’s no single exact science to achieve security. It’s heuristical, non-repeatable, and a lot of experimentation to build up the experience needed, and we’d still not have achieved perfect security

    Replying to @alfiedotwtf @bizzyunderscore and

    It literally is a science, as either the bits exist and are evidenced or they are not. It is much harder to deal with unknowns rather than designed, implemented systems. Try harder if you are trolling because otherwise you just look naïve

    Personally, I find pathfinder's responses almost as unhelpful as the original thread. In my opinion he is going to the opposite extreme from Metzger and minimizing the thought and work that security requires.

  • JDMurray Admin Posts: 13,025
    Any security is certainly made difficult by the personalities and politics of the humans involved in it. I assume where pathfinder is everyone does exactly what he says and he has an unlimited budget.
  • TechGromit Member Posts: 2,156
    No one has an unlimited budget. Where I work we spent over 100 million dollars on cyber security over the last ten years, and while we're in "compliance" with our security requirements, there's still more room for improvement. The nature of our business requires us to stay competitive in the marketplace, so now that we've met our regulatory requirements, the purse strings have been pulled a bit tighter over the last few years. I guess it's an adjustment for me: before, money was no object to get into compliance; now that we're in compliance, upper management is rejecting spending on improvements I would like to make that would make my job easier.
    Still searching for the corner in a round room.
  • JDMurray Admin Posts: 13,025
    As your threats change so must your defenses.
  • LonerVamp Member Posts: 518
    I saw some of the discussion on that topic. The guy definitely used some poor wording in various spots. I felt like this guy has some personal issues he was projecting out to the industry or something.

    Security is both art and science, creative and objective. It's difficult, but it's also easy in that you have to do only just enough...but that "just enough" isn't definable. And so many orgs and people don't even do the basics correctly that we don't have to have a high bar for many security professionals.

    It's a nuanced enough topic that it is pretty dumb to bring it up anywhere except in person over some beers or drink of choice. Half the time, security folks argue points at each other, not realizing they're on the same side and just really wanting to listen to themselves and not feel out the level of acumen in their dance partner first.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?