[Guidance required] This really is a bummer (irrelevant job)

mumair

Hi guys,

I just finished my Computer Software Engineering with a major in Information Security (but it was pretty basic and theoretical stuff, nothing hands on). So well, the thing is where i live there aren't many opportunities available in information security right now especially for fresh graduates since we don't have any hands on skills so to speak.

I was hoping for a job in a company as a Malware Researcher, but turns out they decided to freeze their hiring for an indefinite period of time. I had planned if I get that job, i'll work to pursue OSCP and OSCE alongside. But apparently I had no choice but to get whatever comes my way (because I am short on cash too, and I have to take care of my mother too), so just today i accepted a Job offer as an Associate Software Engineer working on Ruby on Rails. The real bummer is that they are having me sign a one year contract with them, during which if I have to leave, I'll need to inform them 3 months in advance.

Anyways getting to the point, I am really bummed out and sad, I wanted to pursue a career in IS, I wanted to get OSCP and OSCE, I wanted to be a pentester and what not. But i just don't know anything anymore, if I wasn't financially squeezed maybe I could've waited longer, way longer, and maybe had my way with a certification in the meanwhile. But what am I to do now? I just don't get it, after working one whole year as a developer, i will be sidetracked from all of this, and after one year I'll be standing right where I am today, in terms of IS. This all seems a bit emotional, because it is and I am bummed out alot.

You are all experienced and smart people here, what would you tell me at this point?

TechGuy215

Honestly, just take any job in IT that you can get to atleast get your foot in the door. I started just repairing computers, then graduated to Help Desk, Windows Engineer, and now Sys Admin. You may not be neccessarily using your degree or everything you learned, but the hands-on experience is worth its weight in gold. Just because your job title doesn't have something related to InfoSec doesn't mean you can't be involved with it. I stayed late many days, volunteered to help the InfoSec and Network Architecture teams on my days off, and the manager took notice. Just start from the bottom, show interest, perseverance, and ambition and you can work your way up gaining tons of experience along the way! You will get where you want to be, just keep working at it!

tpatt100

Just get any IT job like TechGuy said. While doing that make security a hobby and keep labbing. Find groups out there, I think there are some active folks here and build a personal network of people you can talk to about IT stuff.

da_vato

These guys have provided pretty good advice but keep working towards your certification goals also. The OSCP/OSCE will help you out when your dream job finally opens up so keep working at getting them. Rarely ever do any of us ever start out working in our dream job. So between point A and point B you have to ensure you are doing everything you can to actually get to point B?

lsud00d

This is a great opportunity to work with Ruby in a web framework/stack, and this is still very relevant to security. It may not be IS, but I would take this opportunity to look into AS (AppSec).

Since you're coming from a programming background (I'm assuming by the degree?) with a focus in security, if you got some real world xp under your belt you would be very valuable in AppSec. You won't get the impression from here that it's highly coveted but most people here aren't programmers/dev's. You need a specific skillset for AppSec, so take this job as an opportunity to explore a different side of security.

zxshockaxz

Dude, a software engineering job as your first job in IT is a great start! You could practice reverse engineering your software and making it more secure. Like the others have said, just make security a hobby so you can build up the skill. I wanna be a pentester as well, so I play wargames at work when I have down time.
Plus, Metasploit is written in ruby (correct me if I'm wrong) as are the exploits for the msf.

NotHackingYou

How will working for a year as a developer side track you?

JDMurray

Try to get a job as a software engineer working on InfoSec-related software. Although 99% of what you will be doing is software development and not actual InfoSec, it will give you some notice on your resume when you do apply for a real InfoSec job. Also, the more you can learn about the low-level details of how software runs on a computer the better at reverse engineering you will be. If you find that your interest is more towards Layer 7 Web application and server pen testing, start looking for job opportunities for Web programmers. Until you land your InfoSec dream job, you can always work on OSCP/OSCE/OWASP-like projects as a hobby at home, and volunteer your time to work on Open Source projects. (Volunteer work that will give you a reference is good for the resume too.)

mumair

lsud00d Yes i do come from a programming background, uptill now I've worked more extensively with C/C++, (a little Win32 API, a little Windows Driver Development for a rootkit actually, and some other stuff), and have also worked a little with C# (.NET), and at a VERY introductory level with Java.

zxshockaxz Yes i do think you're right about metasploit. Can you point me to the wargames that you frequent, I only really know about hackinglab for now.

CarlSaiyed It will sidetrack me, according to what I have been able to gather from asking around and discussing such that, after a year, I will have quite some amount of experience under my belt of RoR development to be specific. My pay would have been raised twice by that time (my contract talks about a biannual increase during its period since I am a freshie). My job requires me to work 9 hours a day (weekdays obv), that leaves little time for me to spend on learning something that is seemingly irrelevant to my job. However I still actually haven't joined so I don't know how much spare on-job time will I usually get. Anyways, what bothers me is that, after a year of my contract, when I'll be free to switch and hopefully financially in a better position, in the context of IS, I will still be standing exactly where I am right now. So if I do get an opportunity in IS, I will be starting from scratch, and it would seem like I wasted a year, and my pay would obviously be much less than what I would be getting if I continue in development at that time. This is essentially what I would want to avoid, this is what bums me out, and this is why I am seeking everyone's guidance.

JDMurray Well for the time being, I have accepted their offer, though i still have to officially sign the contract, which will most probably happen this Monday. So for now, I am seeing a solid 1 year of RoR development in my future, unless i somehow miraculously get to know about a opportunity 3 months in advance, so that I could give a 3 months prior notice of quitting my development job (thats what my contract requires). So like I explained a few lines above, after one year I also want to have excelled in IS too, not just development. Your idea of volunteering for projects does seem good, However I would like some direction in the types of projects and actual projects that I can volunteer in. Other than that I am very passionate about OSCP and OSCE, but to actually start OSCP I will first have to earn the money for it, so that will take some time. In the meanwhile what else could you suggest me to do in the spare time that I get?

And thankyou so much everyone for being this informative and helping!

DoubleNNs

Can't you still get your OSCP and OSCE while working on your current job?
And maybe try to negotiate the terms of leaving to 1 month instead of 3 months in advance.

JDMurray

mumair wrote: »

Your idea of volunteering for projects does seem good, However I would like some direction in the types of projects and actual projects that I can volunteer in.

Any work on a big-time, Open Source security tool or framework would turn some heads. I would have a look at what help is being asked for at www.owasp.org first.

mumair

DoubleNNs wrote: »

Can't you still get your OSCP and OSCE while working on your current job?
And maybe try to negotiate the terms of leaving to 1 month instead of 3 months in advance.

To your first question, I explained in my post above yours, the system just thought it was spam for some reason, and it took sometime to be approved!

And yeah well, I already tried that, but thats the thing, its their policy for Fresh Graduates, to have a one year contract and that 3 months prior notice thing. After the contract is over, after 1 year, I'll be able to work contract free with them, and then they would allow me to give a 1 month prior notice before leaving instead of 3!

NotHackingYou

I disagree completely. You still have 15 hours a day in which you can study, and you will have a year of experience as a developer which is nothing to scoff at. However, if you are convinced that this job is useless to you, I would advise you to decline the job and seek something that aligns more closely with what you think you need/want.

DoubleNNs

CarlSaiyed wrote: »

I disagree completely. You still have 15 hours a day in which you can study, and you will have a year of experience as a developer which is nothing to scoff at.

I agree. Simply putting 2-4 hours a day to studying more security-related topics every weekday, and maybe twice that on the weekends would get you pretty far. And within a year you will NOT be at the same place you are now, especially since you'll have the money available to take more opportunities.
I understand the anxiety and impatience however.

r0ckm4n

I echo everyone's comments on this not being a bad thing. If you were to study for both the OSCP and OSCE, it would easily take a year. Once you get experience along with your degree, and an OSCP and OSCE that will make it easier to find something in infosec. This is also a great opportunity to learn how to securely code applications and you could use infosec tools to ensure the software is secure. The coding experience will help you eventually get into appsec pentesting. Also it is easier to move into infosec with a current employer than getting hired by another company without infosec experience. I got my start in IT as sysadmin supporting, Windows, NetWare, and Linux servers. I later moved into the infosec group and a year later I was moved into the appsec group.

mumair

CarlSaiyed wrote: »

I disagree completely. You still have 15 hours a day in which you can study, and you will have a year of experience as a developer which is nothing to scoff at. However, if you are convinced that this job is useless to you, I would advise you to decline the job and seek something that aligns more closely with what you think you need/want.

I would've declined it, if I could see a possible IS opening for myself. But yeah I think I get it. Maybe it won't be as simple as it would've been had I gotten a start in the IS sector, but I suppose it all comes down to my determination then.

Thanks everyone for all the advice and the guidance, heres to hoping that I'll actually make all this worth something.

Master Of Puppets

The only one who thinks you have a problem is you This is, by no means, a bad thing. I'm getting the sense that you are somewhat familiar with the field you want to get into. As a result of that, you should realize this job is perfect. You will use this in security and you won't regret it. Don't worry and take the job, I'm sure you will see the benefits when you start in security. Good luck!

Jinuyr

Getting a job that you don't initially want should be enough of an encouragement to make you try event harder to get you where you want to be. Don't ever let the setback keep you down, they should encourage you to do even better and overcome what could be obstacles for you to reach your eventual goal.

Best of luck to you!

mumair

Thanks guys, if anything you've boosted my morale. I think only time will tell if I am determined enough to pursue my dream on my own, and who knows maybe my job would somehow end up helping me, atleast financially it will!

UnixGuy

Like everyone said:

1) Take the job, and learn everything you can at the job (To be a successful InfoSec pro you need a diverse real experience in many areas of IT).

2) Save as much money as possible to have a better financial freedom.

3) Nothing is stopping you from getting OSCP (Security+, CISSP, CEH, ..etc). Work on the certs after work, like we all do