Slashdot Mirror


Ask Slashdot: Security Certification For an Old Grad?

An anonymous reader writes: I graduated in late 2003 during the tech bubble burst with a below 2.5 GPA. I am 35 with an interest in getting a security job. What are the chances that I would be just wasting my time and money? I am pursuing business interests with a patent used in a service that will be a prime target for hackers. I have been writing client/server software in an OpenBSD virtual machine for the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried. I figure that trying to sell the service idea, even if I can't get a job, when they ask what qualifies me to have such ideas, I can say I have the credentials. I just got issued the patent this year. What would you do in this situation to be a viable candidate for employment?

18 of 125 comments

  1. Certification for programmers by phantomfive · · Score: 3, Insightful

    If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc).
    If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:Certification for programmers by ArmoredDragon · · Score: 2

      Which by the way, the beginning certifications I would look at as a sysadmin would be: (in order of marketability)

      CCNA
      MCSA (get the 2008 version; the 2012 version is a lot harder and isn't any more valuable, mainly because nobody actually uses Windows Server 2012)
      RHCSA

      CCNA Security is a good overall certification to have if you want to begin in IT security, and IMO is more valuable than Security+ because not only does it cover all of the same material, but gives you a good background in network security on top of it. Given that the network is the single most important component of any IT infrastructure, I'd say it's a winner.

    2. Re:Certification for programmers by bhcompy · · Score: 2

      MCSA (get the 2008 version; the 2012 version is a lot harder and isn't any more valuable, mainly because nobody actually uses Windows Server 2012)

      I work in government, which is usually the last to get any new software. Basically everyone is on 2012 now.

    3. Re:Certification for programmers by ArmoredDragon · · Score: 2

      No..... CCNA would be for a technical implementation expert, who could help support the technical work of implementing the security team's policies, not a security expert.

      CCNA Security is not the same thing as CCNA. And the curriculum (at least when I did it back in 2012) required an understanding of the usual concepts of social engineering, cryptography (i.e. symmetric vs asymmetric, hashing, etc.)

      In fact the NSA and CNSS both recognize having a CCNA Security certification as enough to be CNSS 4011 certified, which is a VERY good credential for anybody who wants to work in IT security.

      http://www.cisco.com/web/learn...
      http://www.villanovau.com/reso...

  2. Forget the GPA by Sowelu · · Score: 4, Insightful

    All it says is how hard you leaned on the grindstone fifteen years ago. Totally useless as a predictor by the time you're four years out of university (some would say much earlier). You got the degree, you've been exposing yourself to technologies, you're staying more current than some (not very good) currently-employed programmers and security guys. Put that GPA out of your mind entirely.

  3. List the patent # by DraconPern · · Score: 3, Informative

    Tell them the patent number, that'll be more credible than just saying you have one. There's a 10+ year job history gap there? Certificate-wise, start with Network+, CISSP.

    1. Re:List the patent # by Anonymous Coward · · Score: 2, Informative

      No. Network+ is worthless. Ever plugged in an rj-45 and typed in a dotted decimal notation address? That is what a Net+ is worth. CISSP is good. CISA is well thought of. If you don't have the chops start with a Sec+. CCNA at minimum if you want to be considered knowledgeable in entry-level networking.

      If you intend to do development/programming, skip the certs completely. You won't need the in-depth, polished encyclopedic (but not often practical) knowledge. Dev houses don't know what many certs entail anyway.

  4. Re:Too old by ArmoredDragon · · Score: 2

    Never too old for college. Seriously, I've shared a classroom with a few 50-year-olds, with the oldest person being in his 70s.

    That said, if you have a below 2.5 GPA...good lord, go get a new diploma and with a higher GPA. Only your most recent GPA counts. Getting a good GPA isn't hard, it just requires you to actually give a shit. Employers tend to not care so much for people who don't give a shit. When I was in high school, I think I had somewhere around a 2.0, but graduated college with a 4.0. Nobody anywhere knows what my high school GPA was unless I just tell them (I've never had anybody ask, come to think of it.) I didn't give a shit in high school. Anyways the good college GPA landed me a nice internship at age 30 (yes, you're never too old for an internship either) which connected me with some influential people, and now I have a job with a legit income.

    Also having said that, if you're planning on working for somebody else, then who you know is often more important than what you know. This is an unfortunate reality of our system where it's risky to hire people because letting go of the lemons often comes with legal hurdles. The what you know part is a good starting point to build those connections though, you just gotta do something to stand out. My two things to stand out were: Having decent grades, and coming first place in a local technology competition.

    Alternatively, you could start your own company, which in many cases doesn't need as much of the "who you know" component as climbing the corporate ladder often does.

    Graduated with my bachelors at age 32, by the way.

  5. Here's been my experience. by Anonymous Coward · · Score: 2, Insightful

    If you do not have on the job experience, training means nothing. Unless the school you go to has an AWESOME placement program (yeah, right), it is a waste of time and money to go for classes or certs.

    See, in this job market, you are your last job. You could have 10 years of experience and you take a job flipping burgers because your company laid off everyone in '09 - including the entire development department and offshored it - you will find that you no longer have "the skills" to do the job you did for 10 years prior (this happened to me). I went to classes for other technologies - .NET is big here - and NOTHING. No interviews. Not even a 'not interested' email.

    So, I'd say take the money for certs and go into business and to hell with a technology career.

  6. Dice data mining by bangular · · Score: 4, Interesting

    I have no doubt the submitter is serious, but I think the reality is Dice is just data mining with this post. They want to hear feedback to make money on their main product. There were far fewer of these "I have X skills and need a job" posts pre-Dice purchase.

  7. Re:What the? by Jumunquo · · Score: 2

    Lol, so I'm not the only one unable to understand that string of run-on sentence fragments.

    Dear old dude,
    If no one will hire you, it's not because of your age. It's because no one can understand you.

  8. What would you do in this situation...? by turkeydance · · Score: 3, Funny

    I would claim H1B status.

  9. GPA by ckatko · · Score: 3, Informative

    If your GPA is less than a 3, simply don't mention it. It doesn't matter. You're old enough to have experience now, so nobody is worried about your GPA.

  10. Why employment if you own a patent? by Holladon · · Score: 3, Insightful

    I don't understand why the question is framed as one of employment. If the patent is valuable, the submitter should be hiring security specialists, not trying to become one from scratch. If the patent isn't valuable, then it has zero relevance to the job search unless the only reason it lacks value is because the submitter is crap at business. And if that's the case, why isn't the submitter trying to sell the patent for a quick buck and use that to fund this interest in security credentials? I'm just having trouble reconciling the whole "I'm pursuing business interests with a security-related patent I own" with "I want to be someone else's hired gun for security work." Perhaps the problem is that the submitter is being disingenuous about the level of involvement in business discussions related to this patent - regardless, the first thing I would work on is creating a narrative that will make an ounce of sense to employers, because this one doesn't.

    Also, I'm around the same age as submitter and haven't talked about my GPA in forever. Why are we talking about GPAs at all?? No one cares about your GPA 12 years ago. Seriously, no one. Far more worrying is the implication that a 12-year-old GPA is the most relevant thing you can talk to a potential employer about.

    1. Re:Why employment if you own a patent? by Alex+Zepeda · · Score: 2

      I don't understand why the question is framed as one of employment.

      Because Dice bought /.

      --
      The revolution will be mocked
  11. Not a waste of time but... by hlee · · Score: 4, Informative

    Good courses and certifications are offered by the SANS Institute (http://www.sans.org/). Black Hat organizes one of the premier security conferences, and also hosts many interesting courses (https://www.blackhat.com/). Certifications and courses provide a great way to start learning about security along with some really esoteric specialties, but if you think a certificate is suddenly going to make your software secure, you'd be sadly mistaken. To be effective in computer security, you need to constantly learn and keep up with recent developments. If I were hiring a candidate I wouldn't care about certifications as much as the effort and interest the individual exercises in the extremely broad field - some humility wouldn't hurt either.

    The mindset of a software developer working on secure or hardened software is also a little different - normally good developers focus on aspects such as clean design, extensible architecture, performance, and efficiency, but few tend to be aware of the things hackers do to exploit your code because you didn't do proper input validation, or ensure that you were protected against buffer overflows from maliciously crafted payloads.

    More good resources for software developers:
    - CERT coding standards (https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards)
    - OWASP (https://www.owasp.org) if you're doing anything related to the internet

    There's a lot to learn, which is why courses can be useful to get you started. Here are some of the things you would learn:

    Security occurs at many levels. Your software is the obvious focus. Also, the application or web servers they're hosted on if any, as well as the O/S. Your software might be pretty secure, but if you do not set up your web server properly you could get screwed as well. Given the pervasive nature of SSL/TLS, you should also be aware of security vulnerabilities in OpenSSL (if your software or servers make use of it - most likely they do) and be able to understand the description and lingo used to describe the vulnerabilities. This is the more IT or sys admin oriented aspect of security. Some familiarity in this area is good.

    Layered security design. Develop multiple security layers to protect your critical data. Do not rely on SSL/TLS only. Learn about public key infrastructure (asymmetric encryption algorithms), and their role with symmetric encryption algorithms like AES.

    Understand what threat modeling and analysis is about. Familiarity with assurance case modeling is also interesting where you start to see the boundary between reliability and security become increasingly blurry.

    Do not invent your own protocols/algorithms if you can find one that already exists, especially if it has a threat analysis to accompany it. Some courses go over some of the better known protocols for things like authentication or authorization, and how to deploy them correctly.

  12. Re:Too old by dgatwood · · Score: 3, Insightful

    That said, if you have a below 2.5 GPA...good lord, go get a new diploma and with a higher GPA. Only your most recent GPA counts. Getting a good GPA isn't hard, it just requires you to actually give a shit. Employers tend to not care so much for people who don't give a shit.

    Do any employers actually care what someone's GPA was in college? I don't think I've ever put that information on my resumé, and I've never had any prospective employer ask. Never. Yes, for a new college grad, it might be relevant, but for everybody else, going back to college would probably be a waste of your time.

    IMO, you'd be much better off taking classes in a particular specialization that will be relevant to your future career as the original poster suggested, rather than wasting four years just to prove that you are capable of getting higher grades in a pile of non-major classes whose subjects mostly won't provide any real benefit in your future career.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  13. Re:Too old by BVis · · Score: 2

    The lawsuit itself is a matter of public record. The allegations and parties involved will be on the record. The final resolution of the suit is much less important than the fact that it was filed in the first place. Filing the suit means that you are capable of questioning the wisdom of your ruling-class masters, and therefore are not to be trusted.

    --
    Never underestimate the power of stupid people in large groups.