- 7,879
- 507
Don't sell yourself short, "bullshit IT work" is core to security
- 1
- 1
IT/Software career thread: Invert binary trees for dollars.
- Thread starter Traak
- Start date
-
Guest, it's time once again for the massively important and exciting FoH Asshat Tournament!
Go here and give us your nominations!Who's been the biggest Asshat in the last year? Give us your worst ones!
chaos
Buzzfeed Editor
- 17,324
- 4,839
I did bullshit IT work for years, leveraged that into engineering work, vuln mgmt, and currently doing red team stuff. Most important thing about security work, don't take no for an answer, have to know how shit works before you can break it, defend it, detect it, etc.
There really is no traditional track into security. Tbh, I find it weird that people are coming right out of college and going into red teaming. I work with a guy like that, and he is a motherfucking genius, you'll all know his name within 10 years for sure. But yeah, smart as he is, tons of basic IT process shit he just doesn't know. Or just how to talk to admins etc, a huge part of security work is communication, making people understand that we're on the same team. You probably have a lot more value than you think. It's easy to fall into impostor syndrome and compare yourself to dudes out there hacking the gibson, but even those guys have issues.
Circling back to certs, CEH was mentioned, that shit is bunk. It's super expensive, EC-Council is fucking garbage, and it isn't respected at all. It's good for HR sometimes. That isn't to say you shouldn't get it, get what the job needs. But just know what it is beforehand. IMO, the money it would take could be better spent on something else, but hey, gotta get past HR.
There really is no traditional track into security. Tbh, I find it weird that people are coming right out of college and going into red teaming. I work with a guy like that, and he is a motherfucking genius, you'll all know his name within 10 years for sure. But yeah, smart as he is, tons of basic IT process shit he just doesn't know. Or just how to talk to admins etc, a huge part of security work is communication, making people understand that we're on the same team. You probably have a lot more value than you think. It's easy to fall into impostor syndrome and compare yourself to dudes out there hacking the gibson, but even those guys have issues.
Circling back to certs, CEH was mentioned, that shit is bunk. It's super expensive, EC-Council is fucking garbage, and it isn't respected at all. It's good for HR sometimes. That isn't to say you shouldn't get it, get what the job needs. But just know what it is beforehand. IMO, the money it would take could be better spent on something else, but hey, gotta get past HR.
Last edited:
TJT
Mr. Poopybutthole
- 42,812
- 109,292
I always thought security work would be unbelievably boring unless you were at the top tier of it doing red team/security research like the guys on darkreading/blackhat do. The latter of which requiring you to be super smart with lots of experience in the nitty gritty of frameworks and programming languages.
99% of the security people I knew did shit like using tools to scan your code/app/whatever reading the output and telling you if you were in compliance or not. Fuck that shit.
99% of the security people I knew did shit like using tools to scan your code/app/whatever reading the output and telling you if you were in compliance or not. Fuck that shit.
chaos
Buzzfeed Editor
- 17,324
- 4,839
idk, entry level shit is always going to be tool driven. Overall, security work is about reworking processes to protect shit. That isn't always hackerman shit. Most red team shit isn't that, almost all of it in fact, because that isn't what adversaries are doing. They're just sending phishing emails and using shitty AD permissions to jack all your IP, or using IoT devices to DoS your customers, etc.
Once you get past that initial level though, there is a lot of room to play and be creative without being on that bleeding edge. Tons of webapp pentesters out there ripping through shit, and god knows there's a billion shitty apps out there. On the defensive side there's a lot too, detection is more art than science even after all this time. I'll never be one of those guys who shits out 0-days or whatever, I'm ok with that, there's so much room, and soooooooo much fucked up stuff out there.
- 3
The_Black_Log Foler
PalsCo CEO - Stock Pals | Pantheon Pals
- 47,908
- 43,067
Been avoiding this thread like the plague. Took a break from the career hunt. Jumping back into the game.
Trying out Harvard's extension school for kicks, their MA in software engineering. Liking it a lot surprisingly - content is very job applicable and covering some places I was lacking. May eventually try GT's MS in CS but all this assumes low progress on the job front.
Still dicking around with Java, spring and kotlin. JVM 4 lyfe.
Trying out Harvard's extension school for kicks, their MA in software engineering. Liking it a lot surprisingly - content is very job applicable and covering some places I was lacking. May eventually try GT's MS in CS but all this assumes low progress on the job front.
Still dicking around with Java, spring and kotlin. JVM 4 lyfe.
TJT
Mr. Poopybutthole
- 42,812
- 109,292
chaos
I would argue that it is just that most people don't ever move beyond that and spend their entire career in IT Security running tool based analysis and being glorified sys admins. Most of the guys I met were mid or late career doing that. So I was never really convinced that security would be remotely interesting outside of the highest tier of it where you read about cool shit or see cool shit like the patches the blackhat group makes. How to abuse fuzzy logic and all that. I mean I get that phishing and social engineering are primary security threats and all but still.
Now on to MY bitching for today. Now that I am on the other side of the hiring table Jesus fuck is it hard to find people with even mediocre skills for various technical positions. I've been through like 15 candidates who made it to the in office interview and every single one of them totally bombed it with almost no redeeming qualities despite passing the online tests we gave them. I've a newfound respect talent acquisition but online coding tests are still dumb. Because these fools passed those just fine but failed when given a use case to do something and what they would do to approach it. Like they couldn't even provide dumb ideas, just tried to BS through them.
I even referred one person I knew from my old job who aced the interviews (I didn't have to help at all) signed up then bailed today when he was supposed to start Monday for a better offer. Better in the sense that it would have him move to his homestate which is what his wife has been bitching about for years but an overall worse job when it comes to IT. Fuuuuuuck.
chaos
Buzzfeed Editor
- 17,324
- 4,839
I think that's a problem across all IT, maybe even other industries. People get complacent, you have to have drive to move beyond the more basic stuff. Security is weird where there's a huge employment gap, so it seems like anyone can get hired on, there's room for those low ambition types to exist, even thrive. The govt sector was awful with this.
Hiring for devs always seems weird to me, probably because I'm not a dev. I wouldn't do well in any of those "whiteboard the algorithm while we watch" type tests.
Hiring for devs always seems weird to me, probably because I'm not a dev. I wouldn't do well in any of those "whiteboard the algorithm while we watch" type tests.
- 1
TJT
Mr. Poopybutthole
- 42,812
- 109,292
I generally don't give them that kind of test. The recruiting process we use does by force give them some hackerrank garbage we know so well. Which is just some bullshit we pay for too. We have minimal control over the questions the tests give which was insane to me. I just give them some current use cases we are working on and deep dive how they might resolve it and why. No whiteboarding required, but they are free to if they want to demonstrate a point. They just tried to bullshit their way through it and it was unbelievably obvious.
To be clear, I am totally cool with them providing dumb ideas as they haven't had any time to really look at the use case and what it surrounds and if they have a detailed enough first pass at it for why they would use this or that I am generally cool with it. They did not get that far though.
Vinen
God is dead
- 2,790
- 495
chaos
Buzzfeed Editor
- 17,324
- 4,839
My experience was that it depends on the position, but they just hire whoever they can get for the most part. Like, the last real team I was on in the govt, they had absurd reqs (college degree, clearance, military background, multiple certs, technical interview, travel, specific experience requirements for multiple security-related fields, and more) but they only really wanted to pay about 75% of market value, maybe less. And then they wanted to nickle and dime us over travels stuff, requiring overtime on travel but only paying out 80% pay for it, unable to get hardware. It was nuts, all the problems and hurdles. And then we're trying to hire new people for this, and it's just impossible, so we end up just taking anyone who meets the hard cert requirements and is willing to deal with the bs. They work there for long enough to get the experience to justify a move and then head out.
moonarchia
The Scientific Shitlord
- 23,706
- 43,204
Just say you're bi, but have a stable long term monogamous partner.
- 2
alavaz
Trakanon Raider
- 2,003
- 714
I'm up to 130k/yr now with GD. Bonuses still suck big time, but they beat the offer Red Hat made me salary wise. They are even reducing the cost of health care next year and matching an extra percent on our 401k. We'll be up to 4.5% match (on the first 6%) which is very good in defense and seems competitive with high tech industry as well.
Factor in 2-4 months hazard pay I get each year for going to a middle eastern shit hole - which is 6-10k more per month depending on OT hours - and I'm doing quite all right in the often shat upon defense industry.
Factor in 2-4 months hazard pay I get each year for going to a middle eastern shit hole - which is 6-10k more per month depending on OT hours - and I'm doing quite all right in the often shat upon defense industry.
- 1
Vinen
God is dead
- 2,790
- 495
If you were in a Traditional Software job based on out the bay area (even located on the East Coast) you'd make twice as much. The only shit hole you'd potentially have to visit is San Fransico.
