Posts Tagged: CISSP

May 14

White-Hat Hacker Schools Security Pro School

If you’re taking an exam to test your skills as an Internet security professional, do you get extra credit for schooling the organization that hosts the test? If that organization is the International Information Systems Security Certification Consortium (ISC)² — the non-profit that administers the Certified Information Systems Security Professional (CISSP) exam — the answer is “no,” but you might get a nice ‘thank you’ from the head of the organization.


Last month, I heard from Alex Holden, a security consultant who is quite gifted at quickly identifying security holes in Internet-facing things. Holden was visiting the site to pay his annual CISSP membership dues, and was getting ready to fork over the $85 annual fee when he noticed a glaring weakness in the organization’s checkout page: The URL listed all of his registration information in plaintext.

The site hadn’t yet requested his credit card, but Holden found that he could skip the payment process merely by changing the $85 amount in the URL produced by the checkout page to a negative number. Clicking submit after that change was made produced an email congratulating him on his successful renewal. Continue reading →

Jul 12

How to Break Into Security, Grossman Edition

I recently began publishing a series of advice columns for people who are interested in learning more about security as a craft or profession. For the third installment in this series, I interviewed Jeremiah Grossman, chief technology officer of WhiteHat Security, a Web application security firm.

A frequent speaker on a broad range of security topics, Grossman stressed the importance of coding, networking, and getting your hands dirty (in a clean way, of course).

BK: How did you get started in computer security?

Grossman: For me it was…I could hack stuff and I did it in my spare time and someone offered me a job — which was Yahoo. But before that, I was just a UNIX admin. I was thinking about this question a lot, and what occurred to me is that I don’t know too many people in infosec who chose infosec as a career. Most of the people who I know in this field didn’t go to college to be infosec pros, it just kind of happened. They followed opportunity.

BK: You might have seen that the last two experts I asked had somewhat different opinions on this question, but how important is it that someone interested in this field know how to code?

Grossman: It’s tough to give solid advice without knowing more about a person. For instance, are they interested in network security or application security? You can get by in IDS and firewall world and system patching without knowing any code; it’s fairly automated stuff from the product side. But with application security, it is absolutely mandatory that you know how to code and that you know software. So with Cisco gear, it’s much different from the work you do with Adobe software security. Infosec is a really big space, and you’re going to have to pick your niche, because no one is going to be able to bridge those gaps, at least effectively.

BK: So would you say hands-on experience is more important that formal security education and certifications?

Grossman: The question is are people being hired into entry level security positions straight out of school? I think somewhat, but that’s probably still pretty rare. There’s hardly anyone coming out of school with just computer security degrees. There are some, but we’re probably talking in the hundreds. I think the universities are just now within the last 3-5 years getting masters in computer security sciences off the ground. But there are not a lot of students in them.

BK:  What do you think is the most important qualification to be successful in the security space, regardless of a person’s background and experience level?

Grossman: The ones who can code almost always [fare] better. Infosec is about scalability, and application security is about scalability. And if you can understand code, you have a better likelihood of being able to understand how to scale your solution. On the defense side, we’re out-manned and outgunned constantly. It’s “us” versus “them,” and I don’t know how many of “them,” there are, but there’s going to be too few of “us “at all times.  So whatever your solution is or design criteria, you’re going to have to scale it. For instance, you can imagine Facebook…I’m not sure many security people they have, but…it’s going to be a tiny fraction of a percent of their user base, so they’re going to have to figure out how to scale their solutions so they can protect all those users.

Continue reading →