Ask Slashdot: Security Certification For an Old Grad?

An anonymous reader writes: I graduated in late 2003 during the tech bubble burst with a below 2.5 GPA. I am 35 with an interest in getting a security job. What are the chances that I would be just wasting my time and money? I am pursuing business interests with a patent used in a service that will be a prime target for hackers. I have been writing client/server software in an OpenBSD virtual machine for the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried. I figure that trying to sell the service idea, even if I can't get a job, when they ask what qualifies me to have such ideas, I can say I have the credentials. I just got issued the patent this year. What would you do in this situation to be a viable candidate for employment? Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.

Certification for programmers

[phantomfive]

If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc).
If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.

Forget the GPA

[Sowelu]

All it says is how hard you leaned on the grindstone fifteen years ago. Totally useless as a predictor by the time you're four years out of university (some would say much earlier). You got the degree, you've been exposing yourself to technologies, you're staying more current than some (not very good) currently-employed programmers and security guys. Put that GPA out of your mind entirely.

List the patent #

[DraconPern]

Tell them the patent number, that'll be more credible than just saying you have one. There's a 10+ year job history gap there? Certificate wise start with Network+, cissp.

Dice data mining

[bangular]

I have no doubt the submitter is serious, but I think the reality is Dice is just data mining with this post. They want to hear feedback to make money on their main product. There were far fewer of these "I have X skills and need a job" posts pre-dice purchase.

What would you do in this situation...?

[turkeydance]

i would claim H1B status.

GPA

[ckatko]

If your GPA is less than a 3, simply don't mention it. It doesn't matter. You're old enough to have experience now, so nobody is worried about your GPA.

Why employment if you own a patent?

[Holladon]

I don't understand why the question is framed as one of employment. If the patent is valuable, the submitter should be hiring security specialists, not trying to become one from scratch. If the patent isn't valuable, then it has zero relevance to the job search unless the only reason it lacks value is because the submitter is crap at business. And if that's the case, why isn't the submitter trying to sell the patent for quick buck and use that to fund this interest in security credentials? I'm just having trouble reconciling the whole "I'm pursuing business interests with a security-related patent I own" with "I want to be someone else's hired gun for security work." Perhaps the problem is that the submitter is being disingenuous about the level of involvement in business discussions related to this patent - regardless, the first thing I would work on is creating a narrative that will make an ounce of sense to employers, because this one doesn't.

Also, I'm around the same age as submitter and haven't talked about my GPA in forever. Why are we talking about GPAs at all?? No one cares about your GPA 12 years ago. Seriously, no one. Far more worrying is the implication that a 12-year-old GPA is the most relevant thing you can talk to a potential employer about.

Not a waste of time but...

[hlee]

Good courses and certifications are offered by the SANS Institute (http://www.sans.org/). Black Hat organizes one of the premier security conferences, and also hosts many interesting courses (https://www.blackhat.com/). Certifications and courses provide a great way to start learning about security along with some really esoteric specialties, but if you think a certificate is suddenly going to make your software secure, you'd be sadly mistaken. To be effective in computer security, you need to constantly learn and keep up with recent developments. If I were hiring a candidate I wouldn't care about certifications as much as the effort and interest the individual exercises in the extremely broad field - some humility wouldn't hurt either.

The mindset of software developer working on secure or hardened software is also a little different - normally good developers focus on aspects such as clean design, extensible architecture, performance, and efficiency, but few tend to be aware of the things hackers do to exploit your code because you didn't do proper input validation, or ensure that you were protected against buffer overflows from maliciously crafted payloads.

More good resources for software developers:
- CERT coding standards (https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards)
- OWASP (https://www.owasp.org) if you're doing anything related to the internet

There's a lot to learn, which is why courses can be useful to get you started. Here are some of the things you would learn:

Security occurs at many levels. Your software is the obvious focus. Also, the application or web servers they're hosted on if any, as well as the O/S. Your software might be pretty secure, but if you do not setup your web server properly you could get screwed as well. Given the pervasive nature of SSL/TLS, you should also be aware of security vulnerabilities in openssl (if your software or servers make use of - most likely they do) and be able to understand the description and lingo used to describe the vulnerabilities. This is the more IT or sys admin oriented aspect of security. Some familiarity in this area is good.

Layered security design. Develop multiple security layers to protect your critical data. Do not rely on SSL/TLS only. Learn about public key infrastructure (asymmetric encryption algorithms), and their role with symmetric encryption algorithms like AES.

Understand what threat modeling and analysis is about. Familiarity with assurance case modeling is also interesting where you start to see the boundary between reliability and security become increasing blurry.

Do not invent your own protocols/algorithms if you can find one that already exists, especially if it has a threat analysis to accompany it. Some courses go over some of the better known protocols for things like authentication or authorization, and how to deploy them correctly.

Re:Too old

[dgatwood]

That said, if you have a below 2.5 GPA...good lord, go get a new diploma and with a higher GPA. Only your most recent GPA counts. Getting a good GPA isn't hard, it just requires you to actually give a shit. Employers tend to not care so much for people who don't give a shit.

Do any employers actually care what someone's GPA was in college? I don't think I've ever put that information on my resumé, and I've never had any prospective employer ask. Never. Yes, for a new college grad, it might be relevant, but for everybody else, going back to college would probably be a waste of your time.

IMO, you'd be much better off taking classes in a particular specialization that will be relevant to your future career as the original poster suggested, rather than wasting four years just to prove that you are capable of getting higher grades in a pile of non-major classes whose subjects mostly won't provide any real benefit in your future career.