Ask Slashdot: Security Certification For an Old Grad?
An anonymous reader writes: I graduated in late 2003 during the tech bubble burst with a below 2.5 GPA. I am 35 with an interest in getting a security job. What are the chances that I would be just wasting my time and money? I am pursuing business interests with a patent used in a service that will be a prime target for hackers. I have been writing client/server software in an OpenBSD virtual machine for the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried. I figure that trying to sell the service idea, even if I can't get a job, when they ask what qualifies me to have such ideas, I can say I have the credentials. I just got issued the patent this year. What would you do in this situation to be a viable candidate for employment?
Hey gramps, shouldn't you be looking into retirement?
If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc).
If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.
"First they came for the slanderers and i said nothing."
All it says is how hard you leaned on the grindstone fifteen years ago. Totally useless as a predictor by the time you're four years out of university (some would say much earlier). You got the degree, you've been exposing yourself to technologies, you're staying more current than some (not very good) currently-employed programmers and security guys. Put that GPA out of your mind entirely.
Tell them the patent number, that'll be more credible than just saying you have one. There's a 10+ year job history gap there? Certificate-wise, start with Network+, CISSP.
I don't get it, is this entire post advertising to sell nolink.com?
You can't handle the truth.
The submission was unintelligible. It makes zero sense. Who is approving these articles?
Do you have a link to something that describes the patent?
CISSP is the process and concepts cert. SANS GIAC certs are the "I actually know how to read tcpdump, use Wireshark, Metasploit, Burp Suite, etc" certs. Note that they are somewhat expensive and unless you need them for the job, I am not sure it matters. Security is important, but the truth is most don't care unless they've lost money due to lack of security (see: Sony). So you probably don't need the certs if you have already made the product. Just say it's secure, it works for everyone else even when it isn't. On the other hand, SANS training is excellent if you actually want to learn something. But you might not need the cert.
Why are you worried about who is going to employ you, when you are coding to employ yourself? If I were a Venture Capitalist, I would not give you money because it sounds as if you are planning to fail. If YOU don't believe your business will succeed, why should I?
My suggestion is stop believing this crap "Old Grad", you're hardly old, and you're just as able as anyone to pursue this.
"If any question why we died, Tell them because our fathers lied."
What's the question? Why is the whole article written so shit? Why does the link point to some advertising crap?
Following the link in the article I was presented with the opportunity to obtain a certified six pack. What will that qualify me for and how much will I make?
You look to become a business partner, not an employee.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
What would *I* do? Learn to write coherent sentences.
If you do not have on the job experience, training means nothing. Unless the school you go to has an AWESOME placement program (yeah, right), it is a waste of time and money to go for classes or certs.
See, in this job market, you are your last job. You could have 10 years of experience and you take a job flipping burgers because your company laid off everyone in '09 - including the entire development department and offshored it - you will find that you no longer have "the skills" to do the job you did for 10 years prior (this happened to me). I went to classes for other technologies - .NET is big here - and NOTHING. No interviews. Not even a 'not interested' email.
So, I'd say take the money for certs and go into business and to hell with a technology career.
Two points, first the provided URL quasi-resolves to trash links. If that is the point of the patent I hope that Software Is Not Patentable Rebellion will strike you down and the SCOTUS will squash all software patents while specifically naming yours.
Second, 35? Oooh, scary number. Now, get off your butt and do something.
What kind of security? Mall guards certainly wouldn't garner a request at /. much less be a concern. Are you looking to profit from the security firm scams that are so prevalent currently? Like warning about a security hole in OS X that allows someone that has admin privileges to become root?
If you expect to do something, anything, in this software arena you need to be able to offer actual questions versus the babble presented.
It's basically a marketing problem.
My guess is a confidence building course will get him in the door better than a certification.
Also any paid experience is useful, even if it was just a one day consulting thing. "I did such and such and such, which determined this and that."
I have no doubt the submitter is serious, but I think the reality is Dice is just data mining with this post. They want to hear feedback to make money on their main product. There were far fewer of these "I have X skills and need a job" posts pre-dice purchase.
I thought there would be a hue and cry for "Open Source It"... but I guess open source has too high a standard, based on the summary and link.
This issue is a bit more complicated than you think.
Malls are always hiring.
I would claim H1B status.
You are still very young. I'm almost 47 and still in IT. I was IT security for a few years. Got my CCSA - CheckPoint Firewall cert and then moved into a Security+, and then a job-required Certified Ethical Hacker cert. The name "ethical hacker" sounds gay, but the cert is the most difficult I've ever passed except for my Novell cert, which is actually doing hands on -- like the Red Hat certs. I'm dating myself as 90s guy, but that's OK.
If you have the money, get a cert or two. Start writing a blog on security things that interest you. Solve a problem for a company, perhaps one you work for now. Attend Linux user groups or BSD user groups. Network with people. Leverage your existing skills into a security job. It's what I did. I went from Web hosting to Firewall engineer to penetration tester back to sysadmin with a focus on security in a Linux environment.
If you want it bad enough, you'll take the steps toward getting the job you want. The longer you wait, the more difficult it becomes.
If your GPA is less than a 3, simply don't mention it. It doesn't matter. You're old enough to have experience now, so nobody is worried about your GPA.
Does any employer really care about how low your undergraduate GPA was twelve years ago? If you passed and got experience somewhere for a few years a low GPA doesn't even get in the way of applying for postgrad study in a lot of places.
You just say "security" as the role you want to get into. What type? Intrusion detection? Forensics? Penetration? There are many facets to system and network security, and yeah, there is system and network security as two different fields as well. Oh, and then there's the physical security side of things, i.e., premise security, data center security, etc. So what type of "security" are we talking about, specifically?
ALL and I mean ALL the computer and network security jobs I see posted online are very specific about what role the position will have and what skill sets (and therefore specific certifications) they want you to have. So, without some more specifics from you it's going to be difficult to give you a solid answer.
My advice, figure out what specific aspect of "security" you're interested in and cough up the several grand needed to take the courses necessary to then pay to take the test to become certified in that area. If it's multiple areas, then get one cert and a job and then go after the others. Showing the initiative and paying for this yourself shows commitment and should get you a job pretty quick and then they can help pay for the other certs you want or they would want you to have.
P.S. Putting a link to a parked domain in a /. post is not a good way to elicit responses from anyone that you'd want to get advice from. Tends to make them ignore you.
Take some English classes.
"National Security is the chief cause of national insecurity." - Celine's First Law
I don't understand why the question is framed as one of employment. If the patent is valuable, the submitter should be hiring security specialists, not trying to become one from scratch. If the patent isn't valuable, then it has zero relevance to the job search unless the only reason it lacks value is because the submitter is crap at business. And if that's the case, why isn't the submitter trying to sell the patent for a quick buck and use that to fund this interest in security credentials? I'm just having trouble reconciling the whole "I'm pursuing business interests with a security-related patent I own" with "I want to be someone else's hired gun for security work." Perhaps the problem is that the submitter is being disingenuous about the level of involvement in business discussions related to this patent - regardless, the first thing I would work on is creating a narrative that will make an ounce of sense to employers, because this one doesn't.
Also, I'm around the same age as submitter and haven't talked about my GPA in forever. Why are we talking about GPAs at all?? No one cares about your GPA 12 years ago. Seriously, no one. Far more worrying is the implication that a 12-year-old GPA is the most relevant thing you can talk to a potential employer about.
Good courses and certifications are offered by the SANS Institute (http://www.sans.org/). Black Hat organizes one of the premier security conferences, and also hosts many interesting courses (https://www.blackhat.com/). Certifications and courses provide a great way to start learning about security along with some really esoteric specialties, but if you think a certificate is suddenly going to make your software secure, you'd be sadly mistaken. To be effective in computer security, you need to constantly learn and keep up with recent developments. If I were hiring a candidate I wouldn't care about certifications as much as the effort and interest the individual exercises in the extremely broad field - some humility wouldn't hurt either.
The mindset of a software developer working on secure or hardened software is also a little different - normally good developers focus on aspects such as clean design, extensible architecture, performance, and efficiency, but few tend to be aware of the things hackers do to exploit your code because you didn't do proper input validation, or ensure that you were protected against buffer overflows from maliciously crafted payloads.
More good resources for software developers:
- CERT coding standards (https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards)
- OWASP (https://www.owasp.org) if you're doing anything related to the internet
There's a lot to learn, which is why courses can be useful to get you started. Here are some of the things you would learn:
Security occurs at many levels. Your software is the obvious focus. Also, the application or web servers they're hosted on if any, as well as the O/S. Your software might be pretty secure, but if you do not set up your web server properly you could get screwed as well. Given the pervasive nature of SSL/TLS, you should also be aware of security vulnerabilities in OpenSSL (if your software or servers make use of it - most likely they do) and be able to understand the description and lingo used to describe the vulnerabilities. This is the more IT or sys admin oriented aspect of security. Some familiarity in this area is good.
Layered security design. Develop multiple security layers to protect your critical data. Do not rely on SSL/TLS only. Learn about public key infrastructure (asymmetric encryption algorithms), and their role with symmetric encryption algorithms like AES.
Understand what threat modeling and analysis is about. Familiarity with assurance case modeling is also interesting where you start to see the boundary between reliability and security become increasingly blurry.
Do not invent your own protocols/algorithms if you can find one that already exists, especially if it has a threat analysis to accompany it. Some courses go over some of the better known protocols for things like authentication or authorization, and how to deploy them correctly.
Start by looking for and applying for jobs that you think fit you, and once you've read thoroughly through the postings for 10-20 jobs, you'll get a feel for what is required to get hired. If security certification is a must for most of them, and that is the only qualification you lack, then sounds like it'd be worth it. If they all say that 20 years of experience in the field is a must-have, then certification won't matter anyways.
As far as the GPA, you're fine because nobody puts that on their resume anyways unless they're trying to brag.
Unless you are intending to apply to a college program your GPA is irrelevant. Your employer has no business knowing your GPA especially 12 years later.
On a related note, could anyone offer some good paths for computer forensics training? I've poked about Google off and on for a few years, and while I do find a few courses and the occasional book, they seem to focus on very old tech (Windows 95/98, for example) that doesn't seem relevant today.
How does one get started in this field? What should I be doing to get some experience?
Apparently your GPA sucked because you are an idiot who should have failed 7th grade English. Your problem isn't lack of experience or your GPA, your problem is that you write like a stupid 10 year old (my smart 10 year old can write much more clearly than you). If your resume reads like your question it will give people a good laugh and then they'll toss it in the trash.
Until you can write clearly you have zero chance of getting a decent job.
As a hiring manager, when I look at resumes I am thinking, "if I hired this person today, what will they have done by the end of the week?" A 15-year-old GPA is useless in this answer. The things that matter most in resumes are technical skill and domain experience. Those two things will get an interview. The things that matter most in interviews are personality, hygiene, and whether the things in your resume are not complete bullshit.
I know smart PhDs from very good universities that I would never hire, because they wouldn't be able to do a damn thing useful for the business. I know a high school dropout that can generate more useful code than a guy with 20 years experience who wouldn't deign himself to learn Python. Getting a job has a lot less to do with formal credentials than you think, and the true value in these credentials comes in how you apply them lately, not the schooling you got a decade and a half ago.
You say you are writing client server code, and you have a patent. That you know how to write that code (technical skills), and that you have a patent (domain experience) should get you a job somewhere, assuming you are not an idiot in an interview. Make 90% of your resume about the technical skill and domain experience you've collected over the past 5 years. Leave the GPA off. Put the name of the school and the year you graduated, and nothing more. If you aren't bullshitting about the code you've written and the patent you got, then you will at least get an interview. If you are right for the job, nobody will give a damn about the GPA.
Revolution is the opium of the intellectuals.
If the patent is really good it can be worth over 10 times the graduation score you had over 10 years ago.
Add an up to date certification and a good CV and you may not have too much trouble getting a decent job unless you have a very disagreeable personality for a first impression.
I did graduate on a college level back in '87 and the last 15 years nobody has had any concerns about what I did graduate with. It's only people that graduate with titles like "Doctor" in a certain area that can ride on that for the rest of their working life.
Just show up at job interview in decent looking clothing without too many weird looking tattoos exposed. Not too strict, not too relaxed, one notch above what people usually wear to the workplace in question. Dressing too far above will cause the interviewer to feel uneasy.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Once you're over 25 a degree or your GPA doesn't count for very much.
They only care what you did right out of school and what you're doing now.
If you try to switch jobs, SysAdmin to a Programmer for example.. first they're going to think you're Looney Tunes, then they'll ask to see your portfolio and talk code.. they will not even Look at your Resume.. no matter how much time you spent on it.. except to gauge your personality.. mostly to see where you are on the Asperger's Spectrum. An OCD candidate or ADHD is easy to spot when asking them anything listed on their Resume.. need I explain why to anyone?
If they take you seriously they will take you to meet various team members and they will try to interact with you.. that's the real interview.. and afterwards they will have a huddle and get back to you if interested.
The worst thing you can do is try to be Humble and sell yourself short.. if your confidence level doesn't match your Resume.. they will assume you're dishonest or hiding something and if the candidate pool has two or three other people they will move on to an easier to "Read" candidate.
Older people tend to come off as insecure and distant.. or barely "there".. not focused on the moment.. but distracted.. which makes them a hard to justify hire.. it's a big risk that they will ever be productive.. or continue to be "preoccupied" with something else.. marital problems, mortgage.. sick parents.. etc.. and asking about or stating the old phrase "Work Life Balance" you might as well never show up for the Interview.
If you have Harvard or Princeton on your Resume.. those kinds of people barely need to show up for an interview.. all they have to do is show "Attitude" and they've got the position.. or one will be made.. simply because of the "ambiance" of having one on staff makes a department or a startup look good. How old the degree or what it's in really doesn't matter.
A PhD is the kiss of death.. even for most startup positions.. you're expected to be running your own business getting Federal or Corporate "Grants" with a PhD it's like having an MBA and looking for an entry level position.. just doesn't make sense.
How good is your driving record?
If it is good enough, then Uber or one of the long distance trucking firms would be a good source of income. You would need some training to get the license to drive a big rig, but that is a much smaller investment in time and money for a much more saleable skill than doing anything in programming. You could pursue your patent as a hobby.
No one will ask for your credentials, certifications, qualifications, or skill level of any kind. Outside of very large corporations, military, or government bodies, no one asks -- that's just not how business works. It's been 25 years of running my own business from scratch. Maybe when I'm dead, someone will check to see if I was certified to do anything at all. I'm not, by the way. But, like I said, small business, and even medium business operates on direct trust, which comes from reputation and referral, not from accredited trust.
Following the "client/server software" hyperlink in the summary resulted in multiple redirects, eventually ending on "Millionaire Singles" (dating site that claims to attract rich people). Just what this client/server software does, I don't know. But I do feel like I gave a hit to a website without gaining any information that was useful for understanding this topic.
not to mention the rest of the virtual clients crash that I have tried.
As an OpenBSD fan myself, I'd say there's a larger problem at work here, and relying on OpenBSD for this is not the best approach. There are some pretty serious programming issues if your program is regularly crashing on other systems that are generally reliable. Maybe some features of OpenBSD are somehow keeping a problem contained; your program really should not be having such a problem. Find a sufficiently skilled programmer that you can trust, and have him or her review your code. Get some help.
when they ask what qualifies me to have such ideas, I can say I have the credentials
Ooh, ouch. No. The certifications demonstrate that you were able to memorize some basic stuff okay. They might even test some skills (depending on the certification). They certainly do not provide a justification for having creativity. Although I'm also a fan of these credentials (and I realize that many aren't), this idea is simply not using the credentials for a purpose that they are really intended for. It's just not a good fit.
What qualifies you to have ideas is that you are human. What's more important is that you implement your ideas well, by creating software that is proven to work well. The software should be rock solid, stable. And, actually, that doesn't seem to be the case, since you mention that many operating systems crash with that. You might wish to pursue programming because you enjoy it, or a security profession because there are enjoyable aspects to that as well, but the justifications that you are proposing seem a bit flawed. I suggest revising/replacing these reasons entirely.
an H1-B visa.
I don't know why everyone is pointing to more technical certs when you already have a software skill set. So, what you need to do is find a related security field so that you aren't killing yourself to stay abreast let alone learn a new skill. If you want a relevant cert, look at CSSLP. Then, you'll need to network, network, network. You'll have a hard time transitioning your career without knowing someone unless the person who is hiring you is not the person to be working for.
With that GPA you should have no problem at all getting a job as a Security Guard.
If you can't get your software running under Linux or commercial *nix offerings, you're dead before you started.
I do not fail; I succeed at finding out what does not work.
If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc). If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.
Be careful here. A cert's worth is not defined simply by the lessons that come with it. It is also pixie dust or glitter that you use in your resume.
I'm not joking. During the last recession, I became unemployed (just 7 days before my first child was born). I had the skills, and references, but I could not make any progress in getting interviews with my resume. Then it dawned on me to call one of the recruiters I was using and asked her if I could see the resumes of the people her firm has placed in jobs in the last few months, the ones with the better salaries (names and personal info blacked out of course.)
Every single resume I saw had some type of certification in it - SCJP, ECSP, whatever. I worked on Java for a decade, but never cared for certificates. But when I saw the resumes, I immediately took the SCJP exam, nailed it, and put SCJP certificate # on my resume.
That was the only change I made on my resume. And voila, I started getting calls.
At any given time, but especially during economic downturns, there is a ton of people looking for jobs, and HR departments get bombarded by them. And they rely on keywords and certs to filter resumes to a manageable number.
It is stupid. It doesn't guarantee shit. But it is what it is.
In this career, anyone should expect a downturn once a decade (if you are lucky), or two or more if you live in an area with crappy local economies. So protect yourself by getting a few certs specific to your career (or the ones that are more popular in job searches in your area of residence.)
They don't make you a better programmer, but they can give you an edge in passing the moronic keyword filters put in place by HR departments.
It is stupid, but unless you live in a robust job market like SV, it is what it is. That's my personal anecdote. YMMV.
As GPA -> 2.5, chances -> just wasting time and money A.S.