Wed, 30 January 2008
Rich and I were joined by a pair of special guests tonight, Marcin Wielgoszewski and Andre Gironda from the ts/sci security blog. The story goes something like this: Andre and Marcin plied Rich with beer after the last SunSec meeting until he agreed to let them on the podcast. In any case, Marcin and Andre bring a level of web application security knowledge we don't often have on the podcast. They'll be giving a talk at Shmoocon called Path X: Explosive Security Tools using XPath. Good luck, guys; I just wish I could be there (with a couple of shmooballs).
Wed, 23 January 2008
We're back to a standard format tonight, with Rich and me catching up on
recent events in our lives and talking about current events in
security. We talk about our brief meeting while he attended Macworld
and I went to watch Fortify's New Face of Cybercrime. As I promised
over the weekend, we talk about credit protection and the companies
offering it. Thanks to reader Ed, who gave us more information on the
companies in the field.
We wrapped up tonight with some career advice for reader Roman
Daszczyszak. Rich and I respond to Roman as best we can in a short
time, but I know there are others out there who will be able to add a
lot more to what we've said. I'm including Roman's email in the
extended show notes, please leave comments with suggestions of your own
for the next step in his career.
I've been listening to the netsec podcast for a couple of months now,
along with going back and listening to the older ones as my commute
allows. I recently listened to one referencing the August 2007 Security
Roundtable regarding security careers and wanted to ask some questions.
The SR podcast seemed to deal with the means of finding a security job,
which is always good to know, but I am more concerned with what types of
jobs are out there and what skillsets are "Good to have" or "Must have".
I realize that information security is a large field, and skills for one
job do not necessarily translate into skills for another, but I believe
there is a great deal of overlap. Let me give a brief overview of my
own situation and maybe what I'm asking will be a bit clearer.
I'm relatively new to the IS field. My current job is an information
systems security guy for the US military, with 4 years
prior experience as a soldier doing similar work. As a soldier, I
was stuck with the 'many hats' problem, being lead systems
administrator, squad leader, information assurance officer, COMSEC
officer, along with my standard duties (Humvee driver and user-level
mechanic, etc). FYI, 'officer' is misleading; I was a junior enlisted
with a lot of responsibilities yet little authority. The job did give
me a taste for security work though, and once my enlistment was up, I
switched to being a contractor.
My current job has allowed me to focus on information security, but I am
the only person in the shop specifically tasked for it. Most of the
shop is composed of Windows systems administrators whose security
experience seems to be "rather light". I had hoped to work with a team
of security professionals first as a junior member, to gain experience
and sponge off their collective knowledge, but that isn't the case so far.
I have been working in this job for almost three years now and know that
I do not plan to stay more than an additional two years at most. It's a
good job, but I feel that I will have done all I can for them and me by
that point. I feel this would be different if I were not "on my own" as
it were, but I do not foresee that changing. Recently, I did obtain my
CISSP (partly my own initiative, partly due to DoD Instruction 8570.1
requiring certification for government IA personnel).
I am aware of several broad areas of 'jobs', such as a penetration
tester, security auditor (like your new job, congrats!), and
technically-specific jobs (firewall administrator, IDS administrator,
etc). In planning for 'my next step' I would like to figure out which
way to go, and thus what sort of skills are important (or will be, which
I don't expect you to prognosticate) in these areas.
The areas I feel are important are programming, understanding the basic
technologies "out there", understanding how they all work together, and
most importantly how the organization's business works so these
technologies can be applied securely. To that end, I read O'Reilly
books almost every night, along with going to school to finish my
Bachelors (see below for more on that). I'm working on learning Perl
for its versatility, yet I really hope to get a good foundation in
'programming' in general (via school and self-study) so that as
vulnerabilities come out, I can at least understand what it is and
really, how much of a threat it can be to an organization. I want to
understand the technologies, so that I truly can secure what the
organization is using (as well as know when the sysads are trying to
At the same time, I know security isn't all about technology; the users
and human processes are THE weakness normally. Does this mean I need to
pick up a minor or double major in Business? Will I hate myself
Speaking of school, I'm a 'non-traditional student' currently attending
a school that really caters to soldiers trying to pull off 'some sort of
degree while being in non-optimal locations', so the degree choice I
have for computers is 'Computer and Information Sciences' which really
feels like 'CompSci lite; aka lacking higher math requirements'. I have
the option of moving to a better location to get an actual Computer Science
or Computer Engineering degree, but I'm not sure if that would be relevant or
necessary to security.
I agree with the SR points about writing well, being able to network,
and sell yourself... but my question comes down to, 'OK, I sold myself
and got the job; now what?'
Thank you for taking the time (in advance) to read this. I look forward
to your thoughts; I'm not expecting the 10 commandments or something,
just hoping for some sound advice from someone with more
experience/greater depth in the field than I currently possess.
Wed, 16 January 2008
Martin is flying solo on the podcast tonight, sort of. Rich is at Macworld this week and phoned in two segments, one on Steve Jobs' keynote address and one on security vendors at the show. Add to that one Mac-related security item and we've got a pretty Apple-heavy show this week. Everyone else in anything related to tech is covering Macworld, so why not us?
Tue, 8 January 2008
We're back, just not as soon as we'd hoped. I'm on some older sound
hardware, since I'm waiting for the coffee to finish drying inside my
Yamaha mixer after last Friday's server meltdown.
And maybe older is better, since Rich and I had pretty good sound this
week. We're getting the year started with a topic that's near and dear
to both Rich and me: privacy. Rich will be at Macworld next week, so I
may be flying solo. Won't that be strange?
If you haven't already done so, please subscribe to the FeedBurner RSS. The old ones are permanently broken.