Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Programming Security

Ask Slashdot: Security Certification For an Old Grad? 125

An anonymous reader writes: I graduated in late 2003 during the tech bubble burst with a below 2.5 GPA. I am 35 with an interest in getting a security job. What are the chances that I would be just wasting my time and money? I am pursuing business interests with a patent used in a service that will be a prime target for hackers. I have been writing client/server software in an OpenBSD virtual machine for the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried. I figure that trying to sell the service idea, even if I can't get a job, when they ask what qualifies me to have such ideas, I can say I have the credentials. I just got issued the patent this year. What would you do in this situation to be a viable candidate for employment?
Have a question for Slashdot's readers? Take a look at other recent questions first to see if someone else has had a similar question. And if not, ask away! The more details and context you include, the more likely your question will be selected.
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Security Certification For an Old Grad?

Comments Filter:
  • by phantomfive ( 622387 ) on Wednesday May 13, 2015 @08:04PM (#49686187) Journal
    If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc).
    If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.
    • Which by the way, the beginning certifications I would look at as a sysadmin would be: (in order of marketability)

      CCNA
      MCSA (get the 2008 version; the 2012 version is a lot harder and isn't any more valuable, mainly because nobody actually uses Windows Server 2012)
      RHCSA

      CCNA Security is a good overall certification to have if you want to begin in IT security, and IMO is more valuable than Security+ because not only does it cover all of the same material, but gives you a good background in network security on

      • MCSA (get the 2008 version; the 2012 version is a lot harder and isn't any more valuable, mainly because nobody actually uses Windows Server 2012)

        I work in government, which is usually the last to get any new software. Basically everyone is on 2012 now.

      • by mysidia ( 191772 )

        Given that the network is the single most important component of any IT infrastructure, I'd say it's a winner.

        No..... CCNA would be for a technical implementation expert, who could help support the technical work of implementing the security team's policies, not a security expert. Everything in IT is about the applications.

        The network is just one of the many core resources supporting applications, and all core resources must be there for applications to work; the network is no more important than the

        • No..... CCNA would be for a technical implementation expert, who could help support the technical work of implementing the security team's policies, not a security expert.

          CCNA Security is not the same thing as CCNA. And the curriculum (at least when I did it back in 2012) required an understanding of the usual concepts of social engineering, cryptography (i.e. symmetric vs assymetric, hashing, etc.)

          In fact the NSA and CNSS both recognize having a CCNA Security certification as enough to be CNSS 4011 certified, which is a VERY good credential for anybody who wants to work in IT security.

          http://www.cisco.com/web/learn... [cisco.com]
          http://www.villanovau.com/reso... [villanovau.com]

      • ...nobody actually uses Windows Server 2012

        And yet this is currently modded Score:3. Unreal.

    • by BVis ( 267028 )

      If you're going to get past the drones in HR, the more certifications you have, the better the chance that your resume will land in front of someone who has actual skills instead of the C-student debris in HR.

      The easier it is to set DUMMY_MODE="On" on HR, the better your chances of getting through their completely non-arbitrary and totally relevant filters.

    • If you're going to be a sysadmin, getting a certification can be well worth it (depending on the company, the certification, your position, etc). If you're a programmer, getting a certification is a waste of time unless you learn something in the process. In that case, the certification will still be worthless but the knowledge you gained will be worth something.

      Be careful here. A cert's worth is not defined simply by the lessons that come with it. It is also pixie dust or glitter that you use in your resume.

      I'm not joking. During the last recession, I became unemployed (just 7 days before my first child was born). I had the skills, and references, but I could not make any progress in getting interviews with my resume. Then it dawned on me to call one of the recruiters I was using and asked her if I could see the resumes of the people her firm has placed in jobs

      • That's a good point, now that you mention it, I know another anecdote where someone who increased her salary by getting the Java architect cert. I had forgotten about that.
  • Forget the GPA (Score:5, Insightful)

    by Sowelu ( 713889 ) on Wednesday May 13, 2015 @08:08PM (#49686207)

    All it says is how hard you leaned on the grindstone fifteen years ago. Totally useless as a predictor by the time you're four years out of university (some would say much earlier). You got the degree, you've been exposing yourself to technologies, you're staying more current than some (not very good) currently-employed programmers and security guys. Put that GPA out of your mind entirely.

    • I second this. In fact, I'd not expect somebody with 15 years experience to list their GPA in their resume. I rarely see GPA on resume except for interns and first-job applicants. Relevant real-world experience is best. Security certs might be worthwhile I don't know. Never looked into them. Relevant certs won't hurt. I'd steer clear of any for-profit IT type college for the usual reasons.
      • And certainly, if the GPA is only 2.5 then don't list it. Leaving it off lets others assume it is higher.

  • List the patent # (Score:4, Informative)

    by DraconPern ( 521756 ) <draconpern AT hotmail DOT com> on Wednesday May 13, 2015 @08:08PM (#49686209) Homepage
    Tell them the patent number, that'll be more credible than just saying you have one. There's a 10+ year job history gap there? Certificate wise start with Network+, cissp.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      No. Network+ is worthless. Ever plugged in an rj-45 and typed in a dotted decimal notation address? That is what a Net+ is worth. CISSP is good. CISA is well thought of. If you don't have the chops start with a Sec+. CCNA at minimum if you want to be considered knowledgeable in entry-level networking.

      If you intend to do development/programming. Skip the certs completely. You won't need the in-depth, polished encyclopedic (but not often practical) knowledge. Dev houses don't know what many certs entail anywa

    • Dice data mining (Score:5, Interesting)

      by bangular ( 736791 ) on Wednesday May 13, 2015 @08:54PM (#49686433)
      I have no doubt the submitter is serious, but I think the reality is Dice is just data mining with this post. They want to hear feedback to make money on their main product. There were far fewer of these "I have X skills and need a job" posts pre-dice purchase.
  • by Anonymous Coward

    The submission was unintelligible. It makes zero sense. Who is approving these articles?

    • Lol, so I'm not the only one unable to understand that string of run-on sentence fragments.

      Dear old dude,
      If no one will hire you, it's not because of your age. It's because no one can understand you.

    • The submission was unintelligible. It makes zero sense. Who is approving these articles?

      Indeed. I was wondering for just a moment if I had time-warped back to April 1.

    • The submission was unintelligible. It makes zero sense. Who is approving these articles?

      Now, let's be nice - maybe it's just someone who's trying to help out his fellow 2.5 GPA'er. Those folks are quite sociable, ya know.

  • My suggestion is stop believing this crap "Old Grad", you're hardly old, and you're just as able as anyone to pursue this.

    • by erice ( 13380 )

      My suggestion is stop believing this crap "Old Grad", you're hardly old, and you're just as able as anyone to pursue this.

      I doubt the OP is concerned about being unable. The concern is convincing a prospective employer. 'Been there, done that.

      I graduated in 1990. After nearly 7 years of high effort, I finally landed my first engineering job in 1997. What I found is that, even well into the DotCom boom,it was very difficult to get traction. Customers understood experienced engineers. While the demand was less, they knew what to do with fresh grads too. They did not know what to do with or even want to spend the time on an

      • by koan ( 80826 )

        Go into business for yourself, and today it's even easier with these funding websites.

        Frankly the paragraph I read sounds like he had already given up, the "propaganda of youth" stifles all.

  • You look to become a business partner, not an employee.

    • You're kidding, right? About half the people I work with have at least 1 patent. Every large company brags about how many patents they have and every patent has a couple people listed as inventors. While patent numbers and titles should be on your resume, they don't differentiate you from anyone who worked at a company large enough to employ a team of lawyers whose job is to search for patentable work.
      • by Khyber ( 864651 )

        No, I'm not kidding. You get with other people that have patents, you start your own business.

        Worked just fine for me and others. Find a market.

        • by BVis ( 267028 )

          Unless, as is usually the case, your employer holds the patent, not you. You can't leave and keep using the patent without licensing it from your ex-employer, and good luck getting them to agree to that. I mean you just left the ranks of their wage slaves, your insolence must be punished.

  • What would *I* do? Learn to write coherent sentences.
  • by Anonymous Coward

    If you do not have on the job experience, training means nothing. Unless the school you go to has an AWESOME placement program (yeah, right), it is a waste of time and money to go for classes or certs.

    See, in this job market, you are your last job. You could have 10 years of experience and you take a job flipping burgers because your company laid off everyone in '09 - including the entire development department and offshored it - you will find that you no longer have "the skills" to do the job you did for

  • by Anonymous Coward

    Malls are always hiring.

  • by turkeydance ( 1266624 ) on Wednesday May 13, 2015 @09:16PM (#49686505)
    i would claim H1B status.
  • GPA (Score:4, Informative)

    by Chris Katko ( 2923353 ) on Wednesday May 13, 2015 @09:33PM (#49686555)
    If your GPA is less than a 3, simply don't mention it. It doesn't matter. You're old enough to have experience now, so nobody is worried about your GPA.
    • ^^This is the truth^^

    • As a 52 year old in the tech world, I vouch for the accuracy of this statement. GPA means nothing after a few years of experience. I just changed jobs 2 year ago (only took 3 months to find a new position once deciding to change companies). So... in my case... a high GPA would prove I have mastery of what? a PDP 11? ya. right. GPA hasn't been a topic in 20+ years. Interviews have been discussions about processes, my levels of understanding of current technology specifically related to the job on
  • Does any employer really care about how low your undergraduate GPA was twelve years ago? If you passed and got experience somewhere for a few years a low GPA doesn't even get in the way of applying for postgrad study in a lot of places.
  • the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried. I figure that trying to sell the service idea, even if I can't get a job, when they ask what qualifies me to have such ideas, I can say I have the credentials. I just got issued the patent this year. What would you do in this situation to be a viable candidate for employment?

    Take some English classes.

  • by Holladon ( 1620389 ) on Wednesday May 13, 2015 @10:22PM (#49686775)

    I don't understand why the question is framed as one of employment. If the patent is valuable, the submitter should be hiring security specialists, not trying to become one from scratch. If the patent isn't valuable, then it has zero relevance to the job search unless the only reason it lacks value is because the submitter is crap at business. And if that's the case, why isn't the submitter trying to sell the patent for quick buck and use that to fund this interest in security credentials? I'm just having trouble reconciling the whole "I'm pursuing business interests with a security-related patent I own" with "I want to be someone else's hired gun for security work." Perhaps the problem is that the submitter is being disingenuous about the level of involvement in business discussions related to this patent - regardless, the first thing I would work on is creating a narrative that will make an ounce of sense to employers, because this one doesn't.

    Also, I'm around the same age as submitter and haven't talked about my GPA in forever. Why are we talking about GPAs at all?? No one cares about your GPA 12 years ago. Seriously, no one. Far more worrying is the implication that a 12-year-old GPA is the most relevant thing you can talk to a potential employer about.

  • by hlee ( 518174 ) on Wednesday May 13, 2015 @10:32PM (#49686813)

    Good courses and certifications are offered by the SANS Institute (http://www.sans.org/). Black Hat organizes one of the premier security conferences, and also hosts many interesting courses (https://www.blackhat.com/). Certifications and courses provide a great way to start learning about security along with some really esoteric specialties, but if you think a certificate is suddenly going to make your software secure, you'd be sadly mistaken. To be effective in computer security, you need to constantly learn and keep up with recent developments. If I were hiring a candidate I wouldn't care about certifications as much as the effort and interest the individual exercises in the extremely broad field - some humility wouldn't hurt either.

    The mindset of software developer working on secure or hardened software is also a little different - normally good developers focus on aspects such as clean design, extensible architecture, performance, and efficiency, but few tend to be aware of the things hackers do to exploit your code because you didn't do proper input validation, or ensure that you were protected against buffer overflows from maliciously crafted payloads.

    More good resources for software developers:
    - CERT coding standards (https://www.securecoding.cert.org/confluence/display/seccode/CERT+Coding+Standards)
    - OWASP (https://www.owasp.org) if you're doing anything related to the internet

    There's a lot to learn, which is why courses can be useful to get you started. Here are some of the things you would learn:

    Security occurs at many levels. Your software is the obvious focus. Also, the application or web servers they're hosted on if any, as well as the O/S. Your software might be pretty secure, but if you do not setup your web server properly you could get screwed as well. Given the pervasive nature of SSL/TLS, you should also be aware of security vulnerabilities in openssl (if your software or servers make use of - most likely they do) and be able to understand the description and lingo used to describe the vulnerabilities. This is the more IT or sys admin oriented aspect of security. Some familiarity in this area is good.

    Layered security design. Develop multiple security layers to protect your critical data. Do not rely on SSL/TLS only. Learn about public key infrastructure (asymmetric encryption algorithms), and their role with symmetric encryption algorithms like AES.

    Understand what threat modeling and analysis is about. Familiarity with assurance case modeling is also interesting where you start to see the boundary between reliability and security become increasing blurry.

    Do not invent your own protocols/algorithms if you can find one that already exists, especially if it has a threat analysis to accompany it. Some courses go over some of the better known protocols for things like authentication or authorization, and how to deploy them correctly.

  • Start by looking for and applying for jobs that you think fit you, and once you've read thoroughly through the postings for 10-20 jobs, you'll get a feel for what is required to get hired. If security certification is a must for most of them, and that is the only qualification you lack, then sounds like it'd be worth it. If they all say that 20 years of experience in the field is a must-have, then certification won't matter anyways.

    As far as the GPA, you're fine because nobody puts that on their resume anyw

  • As a hiring manager, when I look at resumes I am thinking, "if I hired this person today, what will they have done by the end of the week?" A 15 year old GPA is useless in this answer. The thing that matters most in resumes are technical skill and domain experience. Those two things will get an interview. The things that matter most in interviews are personality, hygiene, and are the things in your resume not complete bullshit.

    I know smart PhDs from very good universities that I would never hire, becaus

  • If the patent is really good it can be worth over 10 times the graduation score you had over 10 years ago.

    Add an up to date certification and a good CV and you may not have too much trouble getting a decent job unless you have a very disagreeable personality for a first impression.

    I did graduate on a college level back in '87 and the last 15 years nobody have had any concerns about what I did graduate with. It's only people that graduates with titles like "Doctor" in a certain area that can ride on that for

  • No one will ask for your credentials, certifications, qualifications, or skill level of any kind. Outside of very large corporations, military, or government bodies, no one asks -- that's just not how business works. It's been 25 years of running my own business from scratch. Maybe when I'm dead, someone will check to see if I was certified to do anything at all. I'm not, by the way. But, like I said, small business, and even medium business operates on direct trust, which comes from reputation and ref

  • I don't know why everyone is pointing to more technical certs when you already have a software skill set. So, what you need to do is find a related security field so that you aren't killing yourself to stay abreast let alone learn a new skill. If you want a relevant cert, look at CSSLP. Then, you'll need to network, network, network. You'll have a hard time transitioning your career without knowing someone unless the person who is hiring you is not the person to be working for.
  • I have been writing client/server software in an OpenBSD virtual machine for the security and the kqueue functionality; not to mention the rest of the virtual clients crash that I have tried.

    If you can't get your software running under Linux or commercial *nix offerings, you're dead before you started.

Exceptions prove the rule, and wreck the budget. -- Miller

Working...