Ask Slashdot: Security Certification For an Old Grad? 125
An anonymous reader writes: I graduated in late 2003 during the tech bubble burst with a below 2.5 GPA. I am 35 with an interest in getting a security job. What are the chances that I would be just wasting my time and money? I am pursuing business interests with a patent used in a service that will be a prime target for hackers. I have been writing client/server software in an OpenBSD virtual machine for the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried. I figure that trying to sell the service idea, even if I can't get a job, when they ask what qualifies me to have such ideas, I can say I have the credentials. I just got issued the patent this year. What would you do in this situation to be a viable candidate for employment?
Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.
Certification for programmers (Score:4, Insightful)
If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.
Re: (Score:3)
Which by the way, the beginning certifications I would look at as a sysadmin would be: (in order of marketability)
CCNA
MCSA (get the 2008 version; the 2012 version is a lot harder and isn't any more valuable, mainly because nobody actually uses Windows Server 2012)
RHCSA
CCNA Security is a good overall certification to have if you want to begin in IT security, and IMO is more valuable than Security+ because not only does it cover all of the same material, but gives you a good background in network security on
Re: (Score:3)
I work in government, which is usually the last to get any new software. Basically everyone is on 2012 now.
Re: (Score:2)
Given that the network is the single most important component of any IT infrastructure, I'd say it's a winner.
No..... CCNA would be for a technical implementation expert, who could help support the technical work of implementing the security team's policies, not a security expert. Everything in IT is about the applications.
The network is just one of the many core resources supporting applications, and all core resources must be there for applications to work; the network is no more important than the
Re: (Score:3)
No..... CCNA would be for a technical implementation expert, who could help support the technical work of implementing the security team's policies, not a security expert.
CCNA Security is not the same thing as CCNA. And the curriculum (at least when I did it back in 2012) required an understanding of the usual concepts of social engineering, cryptography (i.e. symmetric vs assymetric, hashing, etc.)
In fact the NSA and CNSS both recognize having a CCNA Security certification as enough to be CNSS 4011 certified, which is a VERY good credential for anybody who wants to work in IT security.
http://www.cisco.com/web/learn... [cisco.com]
http://www.villanovau.com/reso... [villanovau.com]
Re: (Score:1)
...nobody actually uses Windows Server 2012
And yet this is currently modded Score:3. Unreal.
Re: (Score:2)
If you're going to get past the drones in HR, the more certifications you have, the better the chance that your resume will land in front of someone who has actual skills instead of the C-student debris in HR.
The easier it is to set DUMMY_MODE="On" on HR, the better your chances of getting through their completely non-arbitrary and totally relevant filters.
Cert Values for Programmers (my anecdote) (Score:2)
If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc). If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.
Be careful here. A cert's worth is not defined simply by the lessons that come with it. It is also pixie dust or glitter that you use in your resume.
I'm not joking. During the last recession, I became unemployed (just 7 days before my first child was born). I had the skills, and references, but I could not make any progress in getting interviews with my resume. Then it dawned on me to call one of the recruiters I was using and asked her if I could see the resumes of the people her firm has placed in jobs
Re: (Score:2)
Forget the GPA (Score:5, Insightful)
All it says is how hard you leaned on the grindstone fifteen years ago. Totally useless as a predictor by the time you're four years out of university (some would say much earlier). You got the degree, you've been exposing yourself to technologies, you're staying more current than some (not very good) currently-employed programmers and security guys. Put that GPA out of your mind entirely.
Re: (Score:2)
Re: (Score:2)
And certainly, if the GPA is only 2.5 then don't list it. Leaving it off lets others assume it is higher.
Re: (Score:2)
Umm, no.
Everything on a resume should tout skills gained, responsibilities held or accomplishments. Accomplishments are what employers look for most (hence the trend in behavioral interviewing). A GPA on a resume means you either don't have enough work experience or haven't done much else. If getting good grades is one of your top accomplishments, you haven't proven much yet in the real world.
Sincerely,
A better recruiter.
Re: (Score:2)
FTFY.
Example: If you're going to post a JD that requires HIPAA experience, you should probably figure out how to spell HIPAA. (Hint: It's not spelled "HIPPA".) I'd write that off as a typo, except they did it four times in the JD.
Another example: The JD requires J2EE, Spring, all this other Java-specific stuff. Hey! Let's send it off to someone who doesn't even list Java on his resume!
List the patent # (Score:4, Informative)
Re: (Score:2, Informative)
No. Network+ is worthless. Ever plugged in an rj-45 and typed in a dotted decimal notation address? That is what a Net+ is worth. CISSP is good. CISA is well thought of. If you don't have the chops start with a Sec+. CCNA at minimum if you want to be considered knowledgeable in entry-level networking.
If you intend to do development/programming. Skip the certs completely. You won't need the in-depth, polished encyclopedic (but not often practical) knowledge. Dev houses don't know what many certs entail anywa
Comment removed (Score:5, Interesting)
What the? (Score:1)
The submission was unintelligible. It makes zero sense. Who is approving these articles?
Re: (Score:2)
Lol, so I'm not the only one unable to understand that string of run-on sentence fragments.
Dear old dude,
If no one will hire you, it's not because of your age. It's because no one can understand you.
Re: (Score:2)
The submission was unintelligible. It makes zero sense. Who is approving these articles?
Indeed. I was wondering for just a moment if I had time-warped back to April 1.
Re: (Score:2)
The submission was unintelligible. It makes zero sense. Who is approving these articles?
Now, let's be nice - maybe it's just someone who's trying to help out his fellow 2.5 GPA'er. Those folks are quite sociable, ya know.
Re: (Score:1)
Somewhat expensive?
Cost:
https://www.isc2.org/uploadedF... [isc2.org] (it's a pdf so...)
In addition there's an "experience waiver".
https://www.isc2.org/credentia... [isc2.org]
Yeah aspx, you can tell they know their security (eye ball roll)
Re: (Score:2)
Statistics. If enough businesses open, a few of them will be lucky enough to not fold within 6 months. The rest don't fail for lack of trying or some bullshit Polyanna "If I visualize success and drink the kool-aid, then I will prosper" mindset.
The OP believes his business will fail because it's the most likely outcome. This does not prevent him from succeeding, it just prepares him for the reality of the situation, which is that starting a business is extremely risky.
How depressing (Score:1)
My suggestion is stop believing this crap "Old Grad", you're hardly old, and you're just as able as anyone to pursue this.
Re: (Score:2)
My suggestion is stop believing this crap "Old Grad", you're hardly old, and you're just as able as anyone to pursue this.
I doubt the OP is concerned about being unable. The concern is convincing a prospective employer. 'Been there, done that.
I graduated in 1990. After nearly 7 years of high effort, I finally landed my first engineering job in 1997. What I found is that, even well into the DotCom boom,it was very difficult to get traction. Customers understood experienced engineers. While the demand was less, they knew what to do with fresh grads too. They did not know what to do with or even want to spend the time on an
Re: (Score:1)
Go into business for yourself, and today it's even easier with these funding websites.
Frankly the paragraph I read sounds like he had already given up, the "propaganda of youth" stifles all.
Re: (Score:2)
True. It took me until 2006 to start making the amount of money I was making in 1996 after a switch from engineering to IT.
Re: (Score:2)
Re: (Score:1)
Thanks for saving me from clicking the link.
Re: (Score:2)
Re: (Score:2)
You have a patent (Score:2)
You look to become a business partner, not an employee.
Re: (Score:2)
Re: (Score:2)
No, I'm not kidding. You get with other people that have patents, you start your own business.
Worked just fine for me and others. Find a market.
Re: (Score:2)
Unless, as is usually the case, your employer holds the patent, not you. You can't leave and keep using the patent without licensing it from your ex-employer, and good luck getting them to agree to that. I mean you just left the ranks of their wage slaves, your insolence must be punished.
"What would you do in this situation" (Score:2)
Here's been my experience. (Score:2, Insightful)
If you do not have on the job experience, training means nothing. Unless the school you go to has an AWESOME placement program (yeah, right), it is a waste of time and money to go for classes or certs.
See, in this job market, you are your last job. You could have 10 years of experience and you take a job flipping burgers because your company laid off everyone in '09 - including the entire development department and offshored it - you will find that you no longer have "the skills" to do the job you did for
Huh. I figured a different response. (Score:2)
You wanna work in security? (Score:1)
Malls are always hiring.
What would you do in this situation...? (Score:4, Funny)
Re: (Score:2)
The guy is 35 and has no relevant paid experience, just some "on my own time playing with code". By the time he gets any sort of cert, he'll be pushing 40. He'll be competing with people 10 years younger with years of actual experience. Nobody's going to hire him.
Who knows what he's been doing the last 12 years as a real job? Maybe nothing? He's got a 12-year gap in his job history that is getting bigger by the week.
For him that ship has already sailed. Also, linking to a spam site is uncool.
GPA (Score:4, Informative)
Re: (Score:2)
^^This is the truth^^
Re: (Score:2)
Probably silly question, but ... (Score:2)
Short answer... (Score:2)
Take some English classes.
Why employment if you own a patent? (Score:4, Insightful)
I don't understand why the question is framed as one of employment. If the patent is valuable, the submitter should be hiring security specialists, not trying to become one from scratch. If the patent isn't valuable, then it has zero relevance to the job search unless the only reason it lacks value is because the submitter is crap at business. And if that's the case, why isn't the submitter trying to sell the patent for quick buck and use that to fund this interest in security credentials? I'm just having trouble reconciling the whole "I'm pursuing business interests with a security-related patent I own" with "I want to be someone else's hired gun for security work." Perhaps the problem is that the submitter is being disingenuous about the level of involvement in business discussions related to this patent - regardless, the first thing I would work on is creating a narrative that will make an ounce of sense to employers, because this one doesn't.
Also, I'm around the same age as submitter and haven't talked about my GPA in forever. Why are we talking about GPAs at all?? No one cares about your GPA 12 years ago. Seriously, no one. Far more worrying is the implication that a 12-year-old GPA is the most relevant thing you can talk to a potential employer about.
Re: (Score:3)
Because Dice bought /.
Re: (Score:2)
Not a waste of time but... (Score:5, Informative)
Good courses and certifications are offered by the SANS Institute (http://www.sans.org/). Black Hat organizes one of the premier security conferences, and also hosts many interesting courses (https://www.blackhat.com/). Certifications and courses provide a great way to start learning about security along with some really esoteric specialties, but if you think a certificate is suddenly going to make your software secure, you'd be sadly mistaken. To be effective in computer security, you need to constantly learn and keep up with recent developments. If I were hiring a candidate I wouldn't care about certifications as much as the effort and interest the individual exercises in the extremely broad field - some humility wouldn't hurt either.
The mindset of software developer working on secure or hardened software is also a little different - normally good developers focus on aspects such as clean design, extensible architecture, performance, and efficiency, but few tend to be aware of the things hackers do to exploit your code because you didn't do proper input validation, or ensure that you were protected against buffer overflows from maliciously crafted payloads.
More good resources for software developers:
- CERT coding standards (https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards)
- OWASP (https://www.owasp.org) if you're doing anything related to the internet
There's a lot to learn, which is why courses can be useful to get you started. Here are some of the things you would learn:
Security occurs at many levels. Your software is the obvious focus. Also, the application or web servers they're hosted on if any, as well as the O/S. Your software might be pretty secure, but if you do not setup your web server properly you could get screwed as well. Given the pervasive nature of SSL/TLS, you should also be aware of security vulnerabilities in openssl (if your software or servers make use of - most likely they do) and be able to understand the description and lingo used to describe the vulnerabilities. This is the more IT or sys admin oriented aspect of security. Some familiarity in this area is good.
Layered security design. Develop multiple security layers to protect your critical data. Do not rely on SSL/TLS only. Learn about public key infrastructure (asymmetric encryption algorithms), and their role with symmetric encryption algorithms like AES.
Understand what threat modeling and analysis is about. Familiarity with assurance case modeling is also interesting where you start to see the boundary between reliability and security become increasing blurry.
Do not invent your own protocols/algorithms if you can find one that already exists, especially if it has a threat analysis to accompany it. Some courses go over some of the better known protocols for things like authentication or authorization, and how to deploy them correctly.
Well... (Score:1)
Start by looking for and applying for jobs that you think fit you, and once you've read thoroughly through the postings for 10-20 jobs, you'll get a feel for what is required to get hired. If security certification is a must for most of them, and that is the only qualification you lack, then sounds like it'd be worth it. If they all say that 20 years of experience in the field is a must-have, then certification won't matter anyways.
As far as the GPA, you're fine because nobody puts that on their resume anyw
15 Year Old GPA is Useless! (Score:2)
As a hiring manager, when I look at resumes I am thinking, "if I hired this person today, what will they have done by the end of the week?" A 15 year old GPA is useless in this answer. The thing that matters most in resumes are technical skill and domain experience. Those two things will get an interview. The things that matter most in interviews are personality, hygiene, and are the things in your resume not complete bullshit.
I know smart PhDs from very good universities that I would never hire, becaus
A good patent is worth a lot. (Score:2)
If the patent is really good it can be worth over 10 times the graduation score you had over 10 years ago.
Add an up to date certification and a good CV and you may not have too much trouble getting a decent job unless you have a very disagreeable personality for a first impression.
I did graduate on a college level back in '87 and the last 15 years nobody have had any concerns about what I did graduate with. It's only people that graduates with titles like "Doctor" in a certain area that can ride on that for
It won't happen (Score:2)
No one will ask for your credentials, certifications, qualifications, or skill level of any kind. Outside of very large corporations, military, or government bodies, no one asks -- that's just not how business works. It's been 25 years of running my own business from scratch. Maybe when I'm dead, someone will check to see if I was certified to do anything at all. I'm not, by the way. But, like I said, small business, and even medium business operates on direct trust, which comes from reputation and ref
I'd go with Software Security (Score:1)
Teeny, tiny market (Score:2)
If you can't get your software running under Linux or commercial *nix offerings, you're dead before you started.
Re: (Score:2)
Re: (Score:3)
Never too old for college. Seriously I've shared a classroom with a few 50 year old's, with the oldest person being in his 70s.
That said, if you have a below 2.5 GPA...good lord, go get a new diploma and with a higher GPA. Only your most recent GPA counts. Getting a good GPA isn't hard, it just requires you to actually give a shit. Employers tend to not care so much for people who don't give a shit. When I was in high school, I think I had somewhere around a 2.0, but graduated college with a 4.0. Nobody any
Re: (Score:2)
it's risky to hire people because letting go of the lemons often comes with legal hurdles.
In the US, the legal hurdles aren't so much in the letting people go as in the making sure you don't violate the law while they're employed. I've seen so many employers blithely ignore technical (or sometimes more egregious) requirements for things like vacation rules, IC vs employee status, wage and hour rules, etc. that it's pretty obvious many are playing the odds that workers won't make a fuss.
The real risk of firing someone isn't that you'll fire them illegally; it's that now you've just taken away the
Re: (Score:2)
finds out that you made life a pain for your previous employer, well, he might find another reason to skip over that candidate
You can make life a pain for your previous employer after being hired by the next one, instead of before being hired by the next one. In other words.... be patient and bide your time, so long as you don't let any statute of limitations lapse.
Re: (Score:2)
That changes the situation from "not getting the job at all" to "getting fired as soon as your current employer finds out about your whistleblowing".
Perfectly legal to fire someone for any reason or no stated reason (outside of blatant protected-class discrimination, and even then, good luck proving it) in the USA.
People have been (legally) fired for smoking tobacco at home or having alcohol metabolites in their system from
Re: (Score:2)
Perfectly legal to fire someone for any reason or no stated reason
No. For any non-prohibited reason, and if no reason is stated, then the court will be happy to infer the most likely reason, when the employee presses a complaint.
Since it's illegal to fire an employee over exercise of their protected employee rights, this would never get past HR. It's illegal to fire an employee in retaliation over exercise of their legal rights in court against a previous employer.
Re: (Score:2)
Your comment proceeds from the assumption that the company gives a flip about what's illegal and what's not. It is illegal to retaliate against someone for exercising a protected right, but it's not illegal to fire someone for being 30 seconds late or for "no longer being a good fit for our corporate culture". (Said culture being that employees should do as they are told and shut up). Both are perfectly legal.
And even if what they do IS illegal, their lawyers can most likely beat up your lawyers.
Re: (Score:2)
it's not illegal to fire someone for being 30 seconds late or for "no longer being a good fit for our corporate culture"
No, however if they supply a bogus reason, that won't prevent the plaintiff from pursuing their claim, and the defendant will likely be called to "prove" they legitimately found them not a good fit for their corporate culture and the reason for doing so was a non-prohibited one, neither the employee nor the court has to (or is likely to) accept an employer's claimed reason at face valu
Re: (Score:2)
Clearly that wasn't meant to be taken literally. What I meant by that was that the chances of your ex-employer having access to better (read: more expensive) legal counsel than you are quite high. They'll run up your legal fees to the point of making you bankrupt and unable to pursue the matter further.
You're probably thinking that'd be more expensive than settling with the plaintiff. You're probably right. But it could be worth it to the employer in terms of employee relations. After all, you kill one
Re: (Score:2)
You're probably right. But it could be worth it to the employer in terms of employee relations.
It can be beneficial for your counsel, for things to turn out differently, in terms of employee relations ---- it will mean more $$$ for the attorney in the future from referrals and employees talking about it if things turn out in your favor, therefore, you might at least in theory be able to make a deal such as a contingency arrangement with the attorney representing yourself against the hostage taker to hel
Re: (Score:2)
You are proceeding from the assumption that it matters how good a case you have. The legal system is not about justice, it's about who has the best lawyers. And it's not just limited to legal costs; there would be PI harassment, character assassination, and other dirty tricks. I don't think you fully understand the depths to which some employers are prepared to descend in order to win cases like this, even if it ends up being a Pyrrhic victory.
And good luck getting ANY member of the bar to take on your c
Re: (Score:2)
Most lawsuits are settled, with non-disclosure agreements as part of the settlement. Only if it goes to court and gets publicity will the next employer be likely to find out.
Re: (Score:3)
The lawsuit itself is a matter of public record. The allegations and parties involved will be on the record. The final resolution of the suit is much less important than the fact that it was filed in the first place. Filing the suit means that you are capable of questioning the wisdom of your ruling-class masters, and therefore are not to be trusted.
Re: (Score:2)
Starting your own company requires knowing a lot more "whos" then ladder-climbing. It's called marketing, getting a bank loan, etc. Either way you're working your ass off to get somebody to like you.
It's just that if you're the kind of person who would start your own business it feels less like ass-kissing (despite the fact that all good salesman are kissing everyone's ass 40 hours a week) and more like doing your job.
Re:Too old (Score:4, Insightful)
Do any employers actually care what someone's GPA was in college? I don't think I've ever put that information on my resumé, and I've never had any prospective employer ask. Never. Yes, for a new college grad, it might be relevant, but for everybody else, going back to college would probably be a waste of your time.
IMO, you'd be much better off taking classes in a particular specialization that will be relevant to your future career as the original poster suggested, rather than wasting four years just to prove that you are capable of getting higher grades in a pile of non-major classes whose subjects mostly won't provide any real benefit in your future career.
Re: (Score:1)
Ditto, coming from someone who started my IT career when the submitter started elementary school.
As for Security+ certification, I have turned down many a contracts as an application developer with the DoD because the job description called for one where it had no relevance to the actual position. Just a check box on the job posting.
So the question you have to answer I think would be "Will the certification help or hinder your endeavor?". My opinion is that for a programmer, no (unless the application bei
Re: (Score:2)
Re: (Score:2)
There's a difference between developing an application with best-practice security in mind, and being an infosec worker. Security+ is great but it's overkill for most app developers.
Re: (Score:2)
From what I can see of others' responses, if you don't have ad blocking enabled you see a random ad. The submission doesn't make sense because it's SPAM.
I hate these crappy anonymous submissions with their ulterior motives.