How to break into security (as a professional)

DigiNinja is Robin Wood, an experienced pentester with RandomStorm. In the week of Infosecurity Europe when thousands of security professionals descended on London, he gave an evening presentation at BSides attempting to provide the answer: Breaking in to Security. It was a time-slice of an ongoing project he is conducting.

“At least once a month,” he said, “I get asked how do I get started in security... what programming language do I need... what certification should I get?” Since his own answers would be prejudiced, he decided to crowd-source an objective answer; and invited existing security professionals to take part. The results are a little surprising.

For example, the majority opinion is that the ability to program is not essential to a security practitioner – just useful. And where programming is advisable, it is not the traditional programming languages like C or C++ that are most preferred. It is scripting languages, with Python and Bash scripting the most recommended. Even batch scripting comes above C++ and Java. Wood rationalizes this as a practical rather than theoretical requirement: “Most programming done in security,” he told Infosecurity, “is creating small scripts to do things such as automate tasks or to help analyze data. Scripts are often single use and can be hacked together rather than having to be works of programming art which would pass full peer review.”

Another surprise is the professionals’ attitude towards security certifications. Fractionally more than half (51%) of security professionals believe that security certifications are either not useful, or useful only ‘for getting through HR’ (although Wood accepts that this could be interpreted as ‘yes, especially for getting through HR’). His own opinion is that the ability to show your skills is what is most important; and that may not necessarily be through certifications.

The key, however, is ‘mindset’. To get the most out of security as a profession, you need to be a hacker yourself. Not the modern criminal hacker/cracker, but the original hacker – the sort of person who as a child would dismantle a clock just to see how it works. “I know some very competent testers who don't have what I think can be referred to as the hacker spirit,” he told Infosecurity. “For them it is just another job.” For Robin Wood it is fun and a personal challenge. But he also thinks this attitude is important in a practical sense. “You can't really be innovative unless you are a hacker. Without the hacker spirit, it means the test you do today will be the test you do tomorrow until someone teaches you new skills. The hacker mentality would be looking for new things to do on every test and going out searching for new techniques.”
