Breaking in to Security - The Conclusions, Part 1
At least once a month, sometimes more frequently, I get asked one of the following questions:
"I'd like to get a job in security, how do I get started?"
"What programming language do I need to learn to be a penetration tester?"
"What certification should I get?"
I usually try to answer these but doing it individually is inefficient, time consuming and, even if I try not to be, I'm naturally biased - I'm a web developer, program in Ruby and have two GIAC certificates my answers will be quite different to an ex-sys-admin who writes scripts in bash and has a CEH. So I figured why not poll the community and try to get definitive answers to these questions, this way when people ask I'll be able to point them at the data and let them decide for themselves. This article will attempt to summarise these results and acts as a companion to the talk I gave at BSides London 2012.
To collect the data I created an online survey and sent it out through as many sources as I could, to date I've got over 300 results and I'd like to say a huge thanks to everyone who completed it and helped with the advertising. If you want to see the full raw data I've published it and intend to try to keep it fairly up-to-date as more people answer the survey.
Even though I set this up to try to get unbiased results I soon got some feedback pointing out that some of the questions were biased towards a career in pen-testing, or at least the technical side of security, rather than security in general. Looking back at the questions I agree that there is definitely a bias in some of the questions but despite this I still feel that most of the answers will still give anyone wanting to start out a good idea of what to look for and give some good information.
I want to start with a reality check, if you think this is the reality of security work then you will be very disappointed:
If you are expecting something more like this then some people get to do this occasionally but it is still far from the norm:
The unfortunate reality is that this is more likely the situation for most people, be the desk be yours in your office or a make shift one in a server room.
Also, to continue to put a bit of a downer on things, depending on your role you could end up spending a lot of time in one of these:
and probably a lot of time in these:
Before you continue reading you need to understand why you want to get into security. If it is solely because you see it as a career where you can make lots of money or you've heard that it is a field with plenty of opportunities then, while it is potentially true, a job in the security field will be just like any other job and it will probably get boring and routine relatively quickly just like any other job. If you are getting in to it because of a passion for security and a general interest in how things work, the desire to break into, or secure things, or just because it is something you've always been interested in then it can be much more than a 9-5 job.
So, after all that are you still interested? If so then read on and I'll try to give you as much information as I can on getting started in what I think is an excellent career.
The questions I set can be broken into two parts, the first set are quantitive so lets look at some stats...
As you can see, the majority of respondents have been in the industry for at least seven years, that means a lot of industry experience has been collected in these results. The small number of people with less than a year in the industry is also useful as it helps give a fresh set of eyes and can help tell what is relevant to new comers today not 7+ years ago.
The job sector breakdown also helps explain where the answers are coming from, we have answers from as diverse sectors as penetration testers and vulnerability auditors through to helpdesk staff.
The first question that starts to answer the monthly emails is:
Do you need to be able to program to be a pen-tester?
|No, but it helps||194||61%|
As you can see from the results the vast majority of people feel that programming is a definite help but the number of people who say "No, but it helps" implies that there are plenty of people out there getting by in security without being able to program.
To qualify the term "programming" we are not talking about being able to write commercial grade software, most programming done in security is creating small scripts to do things such as automate tasks or to help analyse data. Scripts are often single use and can be hacked together rather than having to be works of programming art which would pass full peer review. The ability to read code also helps, especially on tests where a tester gets access to application source code. You may not be able to understand all of it but being able to work out rough workflows or spot obvious mistakes can be very useful for example when you have been able to grab a copy of the source for a web application you are trying to gain access to.
The obvious question associated to this one is "What Language?" When answers are given individually to this question flame wars often erupt, by collating responses from over 300 people the answer here is, while not definitive, at least a community decision.
As you can see, Python and Bash scripting come up top. Bash scripting being high up supports what I've already said about programming to help automate rather than writing full blown applications. Anyone interested in learning Python I can highly recommend the "Securitytube Python Scripting Expert (Spse) Course And Certification" http://www.securitytube.net/video/3786 .
The next question was about certifications and are they useful for practical learning or just to get past HR? The results are:
|Yes - but only to get through HR||141||44%|
I realised here after the survey had been running for a while that some people would have answered yes for some certs but "yes, HR only" for others so while the predominant answer is yes they are useful the split between the two may not accurately reflect the real views of the respondents.
As for which certifications are useful the top two come out as SANS/GIAC and CISSP. This is where the split mentioned above becomes evident as a number of people commented that while SANS gives very good practical training and certifications the CISSP is of more use to most people as a way through HR.
The vendor specific certs start a trend which will be discussed in more depth later on but cover not just security vendors but also general IT vendors. Cisco (CCNA), Microsoft (MCSE and its newer replacements), Linux and OSSTIM all got mentions as well as many others, check the raw data for a full list. The general opinion is that anyway you can show you have skills beyond your specific line of work will always be useful.
The low scores for the two CHECK certificates is as I would have expected, these are mainly UK based certifications so would not have been voted for by many people outside the UK. I personally have both these certificates and I would say that they both help when applying for UK based jobs.
The final quantitive question was whether conferences are worth attending. The overwhelming response here is yes with lots of people commenting that while they are useful as places to pick up technical skills their main use for a lot of people is for networking. This will be discussed further later but to summarise, the more people you know, and who know you, the more chance you have of getting the help you need when you need it. That help could be answers to questions or recommendations when it comes to applying for a new job.
This post is already a lot longer than I expected and has only covered the quantifiable results so I'll break here and come back to answer the more subjective answers in part two next week.