Exploit Development/Malware Analysis Without CS Degree

the_Grinch Member Posts: 4,165
I'm thinking that is the area of security I'd like to work in. That being said, most of the job postings I see seem to require a BS or MS in Computer Science. Would lacking that prevent someone with an IS-related degree from entering that area?
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • paul78 Member Posts: 3,016
    I am guessing that the best way to find out is to apply to some of those jobs :)

    Seriously though - I think like any job, the proof is really in whether you can cut it in the role and how to break into it. The area that you are interested in requires very good software engineering skills (and I'm not talking about web development or scripting). You have to be quite proficient in reverse engineering someone else's code using a debugger and disassembler. Some platforms like ActionScript (Flash) may be easier to do. But I suspect that reverse-engineering malware in assembly which may be using obfuscating techniques could be quite challenging.

    I've never reverse-engineered malware but I've reverse-engineered and debugged other low-level types of software like TCP stacks. It can be pretty interesting to try to figure out what's going on and find a bug when you don't have the source code.
  • the_Grinch Member Posts: 4,165
    Thanks for the info, paul! I am thinking that if I concentrate my Master's work on exploitation that might help in the job search.
  • paul78 Member Posts: 3,016
    Good luck, Grinch, in your master's.

    BTW - I was re-reading my own post. I didn't mean to imply that you ought to start with Flash malware. The use of Flash as you probably know is quickly declining. I was just making a point that some types of malware analysis may be simpler because it can be easier to decompile because it's an interpreted language (Java being a better example.)

    One thing to practice may be just to grab your favourite debugger (I am partial to gdb but that's only because I grew up on it) and hook a few random apps and see if you can figure out how they work.

    Hi Iris - I don't really know much about the malware analysis world but I would be surprised if certifications count for much. I think that to reverse-engineer an executable like a virus, having a low-level software engineering background is probably more important. Unfortunately, I can't really comment on the value of the type of degrees because I don't have one. Also, I've not come across too many certifications which test that type of knowledge other than GIAC's GREM.
  • Iristheangel Mod Posts: 4,133
    You know what... I have a little egg on my face because I read the body of the OP's post without reading the topic so I didn't realize he was talking about exploit development so my original post is a little inappropriate for the topic. My bad.

    Paul - As far as certifications, I've met a lot of programmers over my life but not a lot of them that actually understand core security concepts or best practices. A CS degree may give you some good fundamentals in regards to programming but not so much in regards to security. That's why general broad-level security certifications where you learn security best practices would actually reflect well on you if you're going in for something that would combine the disciplines. Back in the wee days of MS when larger issues with security started to become a concern, Microsoft was basically forced to re-educate their programmers in security-specific programming classes. It did actually help subsequent Windows builds from falling victim to some of the issues of their... ahem... weaker attempts (Hey there, Windows ME!). It's not REQUIRED to get a programming-ish job but it probably will reflect well on your security understanding.
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
  • paul78 Member Posts: 3,016
    Thanks Iris for that perspective. I found it useful. I'm sometimes pretty far removed from the perceptions of other IT professionals; that is the main reason why I hang out here.
  • the_Grinch Member Posts: 4,165
    Thanks for all the info guys! I am definitely going to start networking as best I can. Already a member in the HTCIA and I'm thinking it might be time to join up with InfraGard as well. I also asked Joe McCray in regards to if Computer Science would be required and he said while it would help, given the programming training, few if any schools were teaching exploitation even at the higher levels. Seems I will be alright I think, if I can work well enough on my own and get up to speed on everything.
  • Jinverar Member Posts: 95
    The Grinch

    Good luck on the master's.

    I like all Iristheangel's points in this post.

    Before I start again I need to vent because I had a very sexy couple paragraphs typed up when I got called away. The plug to the computer was sitting a little too far out of the wall and wiggled loose. The next few points are short and sweet.

    I am recommending that you hit up a local business starter program. Normally they are around 500$ for free advice for a year. Register a personal business name for $20 and start the exploit research under your own business name. This way you will get many business write-offs while you do the exploit research and malware analysis. It also helps for tax season. Work this side of your life while working another job. Then we will both have a fall back or start-up come retirement. Collecting a pension with a side business would be pretty sexy. I have already started my own business and have three clients while I work professionally. My business model details me keeping three clients every year until retirement.

    Additionally, a great place I noticed for malware research is the LinkedIn “malware research group”. Do some analysis and post the research into the forums there and people will notice you.

    My final point is that people do not need a CS degree for exploit research as people are selling pay for play exploits from $5000 - $60 000 dollars. The CS degree is great for learning how to program with some business aspects.

    Just a few simple points that could help.

    J:\>
    Jinverar, TSS
  • the_Grinch Member Posts: 4,165
    Awesome post Jinverar! Thanks for the info and you are definitely thinking along the lines I am!
  • the_hutch Banned Posts: 827
    From what I've heard, OSCP (and even more so, OSCE) covers its fair share of reverse engineering. Guess we'll be seeing real soon.