How to break into security (as a professional)

30 April 2012

These are the questions that students and unfulfilled geeks continually ask, and the ones that security practitioners are asked more than any other. DigiNinja has tried to find an objective response.

DigiNinja is Robin Wood, an experienced pentester with RandomStorm. In the week of Infosecurity Europe when thousands of security professionals descended on London, he gave an evening presentation at BSides attempting to provide the answer: Breaking in to Security. It was a time-slice of an ongoing project he is conducting.

“At least once a month,” he said, “I get asked how do I get started in security... what programming language do I need... what certification should I get?” Since his own answers would be prejudiced, he decided to crowd-source an objective answer; and invited existing security professionals to take part. The results are a little surprising.

For example, the majority opinion is that the ability to program is not essential to a security practitioner – just useful. And where programming is advisable, it is not the traditional compiled languages like C or C++ that are most preferred. It’s scripting languages, with Python and Bash scripting the most recommended. Even batch scripting comes above C++ and Java. Wood rationalizes this as a practical rather than theoretical requirement: “Most programming done in security,” he told Infosecurity, “is creating small scripts to do things such as automate tasks or to help analyze data. Scripts are often single use and can be hacked together rather than having to be works of programming art which would pass full peer review.”

Another surprise is the professionals’ attitude towards security certifications. Fractionally more than half (51%) of security professionals believe that security certifications are either not useful, or useful only ‘for getting through HR’ (although Wood accepts that this could be interpreted as ‘yes, especially for getting through HR’). His own opinion is that the ability to show your skills is what is most important; and that may not necessarily be through certifications.

The key, however, is ‘mindset’. To get the most out of security as a profession, you need to be a hacker yourself. Not the modern criminal hacker/cracker, but the original hacker – the sort of person who as a child would dismantle a clock just to see how it works. “I know some very competent testers who don't have what I think can be referred to as the hacker spirit,” he told Infosecurity. “For them it is just another job.” For Robin Wood it is fun and a personal challenge. But he also thinks this attitude is important in a practical sense. “You can't really be innovative unless you are a hacker. Without the hacker spirit, it means the test you do today will be the test you do tomorrow until someone teaches you new skills. The hacker mentality would be looking for new things to do on every test and going out searching for new techniques.”
