A discussion of cybersecurity certs on twitter
Perry E. Metzger @perrymetzger
I finally realized one of the things that bugs me about most security "certifications" out there. Computer security is warfare. No, really, it's war. There's an opponent who doesn't care about you, doesn't play by the rules, and wants to screw you as fully as possible. 1/
Now, you can do pretty well as a programmer or sysadmin if you're middle of the road, because that's not an adversarial game. Security _is_ adversarial. In warfare, you don't survive if you're second rate, you die. 2/
rest of the thread -
follow on:
A security professional who can't program is like a surgeon who doesn't know much about biology. A security professional who doesn't understand the three most common attacks intimately is like an internist who doesn't know how bacterial infections differ from viral infections.
Comments
-
cyberguypr Mod
The security realm is vast. Thinking a security professional NEEDS to know programming is extremely myopic and makes him sound immensely stupid.
-
Jaydel.Leach Member
3 words. Separation of duties. It may help to understand code in case a developer is trying to pull a fast one on you, but definitely not the end-all. If anything I would say developers need to learn security. Developers trying to get a project out of SDLC quickly without being security focused is probably why I am employed.
-
JDMurray Admin
Learning programming is important for understanding what's going on inside those physical servers and virtual machines in your data center (or Cloud). Computer hardware does nothing without software/firmware to drive it. How a firewall parses packets to make decisions, or how a website accesses information in a back-end database, are all fundamentally problems solved by software engineering, not by information security.
Is programming necessary for an InfoSec professional to be useful? No, there is more to securing information than just software. However, knowing programming sure makes you better at understanding the vast world of information security.
The real question is, "How experienced does an InfoSec professional need to be in designing/implementing/debugging software for it to be useful in his/her career?" I don't think there is a way to quantify this. The more the better. It's important to touch on everything (OS, Web, tools, scripting engines, databases, exploit writing, etc.), but how deeply is up to you and your interests.
-
cshkuru Member
More discussion:
pathfinder @path_braenaru 13 hours ago
Replying to @perrymetzger @taosecurity
I entered IT security, with a type of background in it, as I needed a certain income to provide and, compared to my first subject (Biology), IT security is damn easy; it is NOT rocket science or surgery and you are delusional to compare it to these things. As I said, get over yourself.
and
Alfie John @alfiedotwtf 12 hours ago
Another perspective: infosec is hard because it’s *not* a science, it’s an art. There’s no single exact science to achieve security. It’s heuristical, non-repeatable, and a lot of experimentation to build up the experience needed, and we’d still not have achieved perfect security
Replying to @alfiedotwtf @bizzyunderscore and
It literally is a science, as either the bits exist and are evidenced or they are not. It is much harder to deal with unknowns rather than designed, implemented systems. Try harder if you are trolling because otherwise you just look naïve.
Personally I find pathfinder's responses almost as unhelpful as the original thread. In my opinion he is going to the opposite extreme from Metzger and minimizing the thought and work that security requires.
-
JDMurray Admin
Any security is certainly made difficult by the personalities and politics of the humans involved in it. I assume where pathfinder is everyone does exactly what he says and he has an unlimited budget.
-
TechGromit Member
No one has an unlimited budget. Where I work we spent over 100 million dollars on cyber security over the last ten years, and while we're in "compliance" with our security requirements, there's still more room for improvement. The nature of our business requires us to stay competitive in the marketplace, so now that we've met our regulatory requirements, the purse strings have been pulled a bit tighter over the last few years. I guess it's an adjustment for me: before, money was no object to get into compliance; now that we're in compliance, upper management is rejecting spending on improvements I would like to get to make my job easier.
Still searching for the corner in a round room.
-
LonerVamp Member
I saw some of the discussion on that topic. The guy definitely used some poor wording in various spots. I felt like this guy has some personal issues he was projecting out to the industry or something.
Security is both art and science, creative and objective. It's difficult, but it's also easy in that you have to do only just enough... but that "just enough" isn't definable. And so many orgs and people don't even do the basics correctly that we don't have to have a high bar for many security professionals.
It's a nuanced enough topic that it is pretty dumb to bring it up anywhere except in person over some beers or drink of choice. Half the time, security folks argue points at each other, not realizing they're on the same side and just really wanting to listen to themselves and not feel out the level of acumen in their dance partner first.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?