Slashdot Mirror
Ask Slashdot: Security Certification For an Old Grad?
An anonymous reader writes: I graduated in late 2003 during the tech bubble burst with a below 2.5 GPA. I am 35 with an interest in getting a security job. What are the chances that I would be just wasting my time and money? I am pursuing business interests with a patent used in a service that will be a prime target for hackers. I have been writing client/server software in an OpenBSD virtual machine for the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried. I figure that trying to sell the service idea, even if I can't get a job, when they ask what qualifies me to have such ideas, I can say I have the credentials. I just got issued the patent this year. What would you do in this situation to be a viable candidate for employment?
Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.
If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc).
If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.
"First they came for the slanderers and i said nothing."
All it says is how hard you leaned on the grindstone fifteen years ago. Totally useless as a predictor by the time you're four years out of university (some would say much earlier). You got the degree, you've been exposing yourself to technologies, you're staying more current than some (not very good) currently-employed programmers and security guys. Put that GPA out of your mind entirely.
Tell them the patent number, that'll be more credible than just saying you have one. There's a 10+ year job history gap there? Certificate wise start with Network+, cissp.
Screw you, young'un.
The submission was unintelligible. It makes zero sense. Who is approving these articles?
My suggestion is stop believing this crap "Old Grad", you're hardly old, and you're just as able as anyone to pursue this.
"If any question why we died, Tell them because our fathers lied."
Somewhat expensive?
Cost:
https://www.isc2.org/uploadedF... (it's a pdf so...)
In addition there's an "experience waiver".
https://www.isc2.org/credentia...
Yeah aspx, you can tell they know their security (eye ball roll)
"If any question why we died, Tell them because our fathers lied."
You look to become a business partner, not an employee.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
Never too old for college. Seriously I've shared a classroom with a few 50 year old's, with the oldest person being in his 70s.
That said, if you have a below 2.5 GPA...good lord, go get a new diploma and with a higher GPA. Only your most recent GPA counts. Getting a good GPA isn't hard, it just requires you to actually give a shit. Employers tend to not care so much for people who don't give a shit. When I was in high school, I think I had somewhere around a 2.0, but graduated college with a 4.0. Nobody anywhere knows what my high school GPA was unless I just tell them (I've never had anybody ask, come to think of it.) I didn't give a shit in high school. Anyways the good college GPA landed me a nice internship at age 30 (yes, you're never too old for an internship either) which connected me with some influential people, and now I have a job with a legit income.
Also having said that, if you're planning on working for somebody else, then who you know is often more important than what you know. This is an unfortunate reality of our system where it's risky to hire people because letting go of the lemons often comes with legal hurdles. The what you know part is a good starting point to build those connections though, you just gotta do something to stand out. My two things to stand out were: Having decent grades, and coming first place in a local technology competition.
Alternatively, you could start your own company, which in many cases doesn't need as much of the "who you know" component as climbing the corporate ladder often does.
Graduated with my bachelors at age 32, by the way.
What would *I* do? Learn to write coherent sentences.
If you do not have on the job experience, training means nothing. Unless the school you go to has an AWESOME placement program (yeah, right), it is a waste of time and money to go for classes or certs.
See, in this job market, you are your last job. You could have 10 years of experience and you take a job flipping burgers because your company laid off everyone in '09 - including the entire development department and offshored it - you will find that you no longer have "the skills" to do the job you did for 10 years prior (this happened to me). I went to classes for other technologies - .NET is big here - and NOTHING. No interviews. Not even a 'not interested' email.
So, I'd say take the money for certs and go into business and to hell with a technology career.
At the very least, it's telling you that you need to use Adblock+ :-)
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
You can buy a genuine ID-10-T certificate if you really really want one. Seriously ... Slashdot should stop posting stories from anonymous sources.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Ditto, coming from someone who started my IT career when the submitter started elementary school.
As for Security+ certification, I have turned down many a contracts as an application developer with the DoD because the job description called for one where it had no relevance to the actual position. Just a check box on the job posting.
So the question you have to answer I think would be "Will the certification help or hinder your endeavor?". My opinion is that for a programmer, no (unless the application being developed is a network security application or a sysadmin tool(s) specifically meant to administer security).
From what I can see of others' responses, if you don't have ad blocking enabled you see a random ad. The submission doesn't make sense because it's SPAM.
I hate these crappy anonymous submissions with their ulterior motives.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I have no doubt the submitter is serious, but I think the reality is Dice is just data mining with this post. They want to hear feedback to make money on their main product. There were far fewer of these "I have X skills and need a job" posts pre-dice purchase.
I thought there would be a hue and cry for "Open Source It"... but I guess open source has too high a standard, based on the summary and link.
This issue is a bit more complicated than you think.
Thanks for saving me from clicking the link.
Malls are always hiring.
i would claim H1B status.
If your GPA is less than a 3, simply don't mention it. It doesn't matter. You're old enough to have experience now, so nobody is worried about your GPA.
Does any employer really care about how low your undergraduate GPA was twelve years ago? If you passed and got experience somewhere for a few years a low GPA doesn't even get in the way of applying for postgrad study in a lot of places.
it's risky to hire people because letting go of the lemons often comes with legal hurdles.
In the US, the legal hurdles aren't so much in the letting people go as in the making sure you don't violate the law while they're employed. I've seen so many employers blithely ignore technical (or sometimes more egregious) requirements for things like vacation rules, IC vs employee status, wage and hour rules, etc. that it's pretty obvious many are playing the odds that workers won't make a fuss.
The real risk of firing someone isn't that you'll fire them illegally; it's that now you've just taken away the primary reason they weren't calling you on the shit you've been pulling all along hoping you wouldn't get caught. This is why so many employers have taken to asking people to sign "severance agreements" that give them a pittance in exchange for a full release from everything the law will let them get a release for. Most people who've just been let go are either insufficiently savvy, too busy, or just plain too desperate for that last paycheck to be able to turn it down, even if the claims they might have against their ex-employer for labor code violations would amount to more money.
/tangent
Take some English classes.
"National Security is the chief cause of national insecurity." - Celine's First Law
I don't understand why the question is framed as one of employment. If the patent is valuable, the submitter should be hiring security specialists, not trying to become one from scratch. If the patent isn't valuable, then it has zero relevance to the job search unless the only reason it lacks value is because the submitter is crap at business. And if that's the case, why isn't the submitter trying to sell the patent for quick buck and use that to fund this interest in security credentials? I'm just having trouble reconciling the whole "I'm pursuing business interests with a security-related patent I own" with "I want to be someone else's hired gun for security work." Perhaps the problem is that the submitter is being disingenuous about the level of involvement in business discussions related to this patent - regardless, the first thing I would work on is creating a narrative that will make an ounce of sense to employers, because this one doesn't.
Also, I'm around the same age as submitter and haven't talked about my GPA in forever. Why are we talking about GPAs at all?? No one cares about your GPA 12 years ago. Seriously, no one. Far more worrying is the implication that a 12-year-old GPA is the most relevant thing you can talk to a potential employer about.
Good courses and certifications are offered by the SANS Institute (http://www.sans.org/). Black Hat organizes one of the premier security conferences, and also hosts many interesting courses (https://www.blackhat.com/). Certifications and courses provide a great way to start learning about security along with some really esoteric specialties, but if you think a certificate is suddenly going to make your software secure, you'd be sadly mistaken. To be effective in computer security, you need to constantly learn and keep up with recent developments. If I were hiring a candidate I wouldn't care about certifications as much as the effort and interest the individual exercises in the extremely broad field - some humility wouldn't hurt either.
The mindset of software developer working on secure or hardened software is also a little different - normally good developers focus on aspects such as clean design, extensible architecture, performance, and efficiency, but few tend to be aware of the things hackers do to exploit your code because you didn't do proper input validation, or ensure that you were protected against buffer overflows from maliciously crafted payloads.
More good resources for software developers:
- CERT coding standards (https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards)
- OWASP (https://www.owasp.org) if you're doing anything related to the internet
There's a lot to learn, which is why courses can be useful to get you started. Here are some of the things you would learn:
Security occurs at many levels. Your software is the obvious focus. Also, the application or web servers they're hosted on if any, as well as the O/S. Your software might be pretty secure, but if you do not setup your web server properly you could get screwed as well. Given the pervasive nature of SSL/TLS, you should also be aware of security vulnerabilities in openssl (if your software or servers make use of - most likely they do) and be able to understand the description and lingo used to describe the vulnerabilities. This is the more IT or sys admin oriented aspect of security. Some familiarity in this area is good.
Layered security design. Develop multiple security layers to protect your critical data. Do not rely on SSL/TLS only. Learn about public key infrastructure (asymmetric encryption algorithms), and their role with symmetric encryption algorithms like AES.
Understand what threat modeling and analysis is about. Familiarity with assurance case modeling is also interesting where you start to see the boundary between reliability and security become increasing blurry.
Do not invent your own protocols/algorithms if you can find one that already exists, especially if it has a threat analysis to accompany it. Some courses go over some of the better known protocols for things like authentication or authorization, and how to deploy them correctly.
Just send me an email :-)
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Start by looking for and applying for jobs that you think fit you, and once you've read thoroughly through the postings for 10-20 jobs, you'll get a feel for what is required to get hired. If security certification is a must for most of them, and that is the only qualification you lack, then sounds like it'd be worth it. If they all say that 20 years of experience in the field is a must-have, then certification won't matter anyways.
As far as the GPA, you're fine because nobody puts that on their resume anyways unless they're trying to brag.
finds out that you made life a pain for your previous employer, well, he might find another reason to skip over that candidate
You can make life a pain for your previous employer after being hired by the next one, instead of before being hired by the next one. In other words.... be patient and bide your time, so long as you don't let any statute of limitations lapse.
Most lawsuits are settled, with non-disclosure agreements as part of the settlement. Only if it goes to court and gets publicity will the next employer be likely to find out.
Starting your own company requires knowing a lot more "whos" then ladder-climbing. It's called marketing, getting a bank loan, etc. Either way you're working your ass off to get somebody to like you.
It's just that if you're the kind of person who would start your own business it feels less like ass-kissing (despite the fact that all good salesman are kissing everyone's ass 40 hours a week) and more like doing your job.
As a hiring manager, when I look at resumes I am thinking, "if I hired this person today, what will they have done by the end of the week?" A 15 year old GPA is useless in this answer. The thing that matters most in resumes are technical skill and domain experience. Those two things will get an interview. The things that matter most in interviews are personality, hygiene, and are the things in your resume not complete bullshit.
I know smart PhDs from very good universities that I would never hire, because they wouldn't be able to do a damn thing useful for the business. I know a high school dropout that can generate more useful code than a guy with 20 years experience who wouldn't deign himself to learn Python. Getting a job has a lot less to do with formal credentials than you think, and the true value in these credentials comes in how you apply them lately, not the schooling you got a decade and a half ago.
You say you are writing client server code, and you have a patent. That you know how to write that code (technical skills), and that you have a patent (domain experience) should get you a job somewhere, assuming you are not an idiot in an interview. Make 90% of your resume about the technical skill and domain experience you've collected over the past 5 years. Leave the GPA off. Put name the school and the year you graduated, and nothing more. If you aren't bullshitting about the code you've written and the patent you got, then you will at least get an interview. If you are right for the job, nobody will give a damn about the GPA.
Revolution is the opium of the intellectuals.
If the patent is really good it can be worth over 10 times the graduation score you had over 10 years ago.
Add an up to date certification and a good CV and you may not have too much trouble getting a decent job unless you have a very disagreeable personality for a first impression.
I did graduate on a college level back in '87 and the last 15 years nobody have had any concerns about what I did graduate with. It's only people that graduates with titles like "Doctor" in a certain area that can ride on that for the rest of their working life.
Just show up at job interview in decent looking clothing without too many weird looking tattoos exposed. Not too strict, not too relaxed, one notch above what people usually wear to the workplace in question. Dressing too far above will cause the interviewer to feel uneasy.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Do any employers actually care what someone's GPA was in college? I don't think I've ever put that information on my resumé, and I've never had any prospective employer ask. Never. Yes, for a new college grad, it might be relevant, but for everybody else, going back to college would probably be a waste of your time.
IMO, you'd be much better off taking classes in a particular specialization that will be relevant to your future career as the original poster suggested, rather than wasting four years just to prove that you are capable of getting higher grades in a pile of non-major classes whose subjects mostly won't provide any real benefit in your future career.
Check out my sci-fi/humor trilogy at PatriotsBooks.
No one will ask for your credentials, certifications, qualifications, or skill level of any kind. Outside of very large corporations, military, or government bodies, no one asks -- that's just not how business works. It's been 25 years of running my own business from scratch. Maybe when I'm dead, someone will check to see if I was certified to do anything at all. I'm not, by the way. But, like I said, small business, and even medium business operates on direct trust, which comes from reputation and referral, not from accredited trust.
That changes the situation from "not getting the job at all" to "getting fired as soon as your current employer finds out about your whistleblowing".
Perfectly legal to fire someone for any reason or no stated reason (outside of blatant protected-class discrimination, and even then, good luck proving it) in the USA.
People have been (legally) fired for smoking tobacco at home or having alcohol metabolites in their system from a beer they had last night. If an employer decides you need to go, you go, technically legal or not.
Never underestimate the power of stupid people in large groups.
The lawsuit itself is a matter of public record. The allegations and parties involved will be on the record. The final resolution of the suit is much less important than the fact that it was filed in the first place. Filing the suit means that you are capable of questioning the wisdom of your ruling-class masters, and therefore are not to be trusted.
Never underestimate the power of stupid people in large groups.
There's a difference between developing an application with best-practice security in mind, and being an infosec worker. Security+ is great but it's overkill for most app developers.
Never underestimate the power of stupid people in large groups.
Statistics. If enough businesses open, a few of them will be lucky enough to not fold within 6 months. The rest don't fail for lack of trying or some bullshit Polyanna "If I visualize success and drink the kool-aid, then I will prosper" mindset.
The OP believes his business will fail because it's the most likely outcome. This does not prevent him from succeeding, it just prepares him for the reality of the situation, which is that starting a business is extremely risky.
Never underestimate the power of stupid people in large groups.
Perfectly legal to fire someone for any reason or no stated reason
No. For any non-prohibited reason, and if no reason is stated, then the court will be happy to infer the most likely reason, when the employee presses a complaint.
Since it's illegal to fire an employee over exercise of their protected employee rights, this would never get past HR. It's illegal to fire an employee in retaliation over exercise of their legal rights in court against a previous employer.
I don't know why everyone is pointing to more technical certs when you already have a software skill set. So, what you need to do is find a related security field so that you aren't killing yourself to stay abreast let alone learn a new skill. If you want a relevant cert, look at CSSLP. Then, you'll need to network, network, network. You'll have a hard time transitioning your career without knowing someone unless the person who is hiring you is not the person to be working for.
Your comment proceeds from the assumption that the company gives a flip about what's illegal and what's not. It is illegal to retaliate against someone for exercising a protected right, but it's not illegal to fire someone for being 30 seconds late or for "no longer being a good fit for our corporate culture". (Said culture being that employees should do as they are told and shut up). Both are perfectly legal.
And even if what they do IS illegal, their lawyers can most likely beat up your lawyers.
Never underestimate the power of stupid people in large groups.
The guy is 35 and has no relevant paid experience, just some "on my own time playing with code". By the time he gets any sort of cert, he'll be pushing 40. He'll be competing with people 10 years younger with years of actual experience. Nobody's going to hire him.
Who knows what he's been doing the last 12 years as a real job? Maybe nothing? He's got a 12-year gap in his job history that is getting bigger by the week.
For him that ship has already sailed. Also, linking to a spam site is uncool.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
it's not illegal to fire someone for being 30 seconds late or for "no longer being a good fit for our corporate culture"
No, however if they supply a bogus reason, that won't prevent the plaintiff from pursuing their claim, and the defendant will likely be called to "prove" they legitimately found them not a good fit for their corporate culture and the reason for doing so was a non-prohibited one, neither the employee nor the court has to (or is likely to) accept an employer's claimed reason at face value without evidence -- once a substantial complaint has been made, And if the accusing party can show employees are customarily 30 seconds late or not disciplined under those conditions, then the court will find the plaintiff's claimed reason quite persuasive after seeing that this behavior is abberent with regards to the organization's policies, when combined with the evidence of supplying a false reason or reason which doesn't add up.
And even if what they do IS illegal, their lawyers can most likely beat up your lawyers.
Attempted acts of violence in or out of the courtroom would be a quick way for their lawyers to wind up in jail.
Clearly that wasn't meant to be taken literally. What I meant by that was that the chances of your ex-employer having access to better (read: more expensive) legal counsel than you are quite high. They'll run up your legal fees to the point of making you bankrupt and unable to pursue the matter further.
You're probably thinking that'd be more expensive than settling with the plaintiff. You're probably right. But it could be worth it to the employer in terms of employee relations. After all, you kill one hostage, the others cooperate.
Never underestimate the power of stupid people in large groups.
If you can't get your software running under Linux or commercial *nix offerings, you're dead before you started.
I do not fail; I succeed at finding out what does not work.
If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc). If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.
Be careful here. A cert's worth is not defined simply by the lessons that come with it. It is also pixie dust or glitter that you use in your resume.
I'm not joking. During the last recession, I became unemployed (just 7 days before my first child was born). I had the skills, and references, but I could not make any progress in getting interviews with my resume. Then it dawned on me to call one of the recruiters I was using and asked her if I could see the resumes of the people her firm has placed in jobs in the last few months, the ones with the better salaries (names and personal info blacked out of course.)
Every single resume I saw had some type of certification it it - SCJP, ECSP, whatever. I worked on Java for a decade, but never cared for certificates. But when I saw the resumes, I immediately took the SCJP exam, nailed it, and put SCJP certificate # on my resume.
That was the only change I made on my resume. And voila, I started getting calls.
At any given time, but specially during economic downturns, there is a ton of people looking for jobs, and HR departments get bombarded by them. And they rely on keyboards and certs to filter resumes to a manageable number.
It is stupid. It doesn't guarantee shit. But it is what it is.
In this career, anyone should expect a downturn once a decade (if you are lucky), or two or more if you live in an area with crappy local economies. So protect yourself by getting a few certs specific to your career (or the ones that are more popular in job searches in your area of residence.)
They don't make you a better programmer, but they can give you an edge in passing the moronic keyword filters put in place by HR departments.
It is stupid, but unless you live in a robust job market like SV, it is what it is. That's my personal anecdote. YMMV.
You're probably right. But it could be worth it to the employer in terms of employee relations.
It can be beneficial for your counsel, for things to turn out differently, in terms of employee relations ---- it will mean more $$$ for the attorney in the future from referrals and employees talking about it if things turn out in your favor, therefore, you might at least in theory be able to make a deal such as a contingency arrangement with the attorney representing yourself against the hostage taker to help ensure that doesn't happen; make sure to have done all your anticipatory homework well in advance of the action you are pursuing legal recourse against.
Just because they can afford counsel that charges a higher rate or requires more hours: it does not necessarily mean they will get as much more for their money as they paid for, especially if there is a strong case against them. If the facts are sufficiently strongly in your favor, then they will be wasting every cent, especially once you demonstrate bad faith in attempting to drag matters out --- and recover attorneys' fees from your fmr employer as well; they can hire more people or more hours of legal work, or attorneys who are in higher demand, however they will burn through a large amount of cash, and there is a point of diminishing returns. A great plumber can charge a bit more than a bad one, but a decent plumber who charges astronomical prices can't give any kind of assurance of a more effective job, just because their prices are high.
Perhaps it helps if you yourself go get some legal creds and then pursue your fmr employer as an attorney representing yourself, then they won't have much luck running up your hourly legal costs, and with your a$$ on the line, you might put more hours a day into that one case than your adversary's "high priced attorney" dividing his/her attention across 30 clients would even be willing to work on it.
Either that, or find an associate willing to help you press the charges pro-bono, and cost the former employer as many $$$ as possible.
You are proceeding from the assumption that it matters how good a case you have. The legal system is not about justice, it's about who has the best lawyers. And it's not just limited to legal costs; there would be PI harassment, character assassination, and other dirty tricks. I don't think you fully understand the depths to which some employers are prepared to descend in order to win cases like this, even if it ends up being a Pyrrhic victory.
And good luck getting ANY member of the bar to take on your case unless you have high-res video of someone describing how they're going to fire you illegally. Representing yourself has its attractions, of course, but without courtroom experience or being able to formulate a counter for some insane legal technicality that opposing counsel will pull because they can and fuck you, you're done. You've wasted all that time, lost, and made yourself unemployable. Even if you DO manage to find a lawyer that will take your case, that lawyer will also suffer the consequences of fighting his corporate masters. There are companies that will put an attorney out of business, even try to get them disbarred, if they cross them.
Even if by some miracle you DO win your case, or get a favorable settlement, you are forever associated with not putting up with your employer's shit. Once that gets around, you will not be hired elsewhere, and if you are currently employed, you'll be mysteriously laid off in a "reorganization" or because you're "no longer a good fit for the corporate culture" (which isn't a lie, the corporate culture could very well include "firing people who dare to not take all our abuse like a little bitch".) You'll be a "troublemaker" and "malcontent", and employers don't like to hire people like that, especially in a soft job market where there are probably 400 other applicants willing to eat the shit sandwich they're given and smile.
You sound like you think you live in an ideal culture, where the truth matters, and justice is more than a platitude. The courts can be bought.
Never underestimate the power of stupid people in large groups.
Its a DoD requirement for any position working in IT. It's not really a check box so much as CompTIA being in bed with the DoD.