Friday, November 17


I thought I would post a reply I made to A poster wanted to know how he, a programmer, could go about getting into security.

Link to my post at
Registration required, I know. Dumb.


Use your background as a web programmer to boost your chance to get into infosec. Start looking into application security, something like owasp. I would also recommend you also shore up any weakness in networking or systems administration.

Pass. Pass on the hype. As far as certs, pass on the CISSP - that is a management cert. You are not ready for it anyway. The CISSP is a management-centered cert for people with 4 years direct, full time security experience. I recognize this cert blows the doors off the HR dept door. I am not addressing this amazingly confusing fact in this post.

Read. Read blogs, read books, just read. Make best efforts to learn while reading.

Here are some of my favorites

*Protect Your Windows Network

*The TAO of Network Security Monitoring

*Inside Network Perimeter Security

*Malware: Fighting Malicious Code

*Counter Hack Reloaded

Volunteer. Find a church, school, a not for profit, or a networked dumpster that might let you help. Maybe they need some help rolling out a new AV solution, maybe they do not have one, and maybe their only server sits under a sprinkler head – who knows. Who cares?!? You do! Help them, make something better, and build your experience.

Build a lab. Learn VMware. Understand the value of a good lab. Get access to some networking equipment. Do not forget to download your favorite ISO files from the newest *.nix distro. Download / Burn / Install or if using VMware, download the distro, mount it under “use ISO Image” and boot away. Simple.

Team Up. Find someone who will have nerd-night with you. Nerd night is your officially allocated learning time, with someone who has similar interests. Build that VM server, test running IE as an unprivileged account using psexec and visit a bunch a bad sites and scan for malware …. This is something I will be testing soon, for no real reason.

Get your degree. If you do not have your BS, go get it. View the "centers of academic excellence" of the NSA. Google on it. I am working on my masters in information assurance / network security at Capitol College.

Meet people. Want to learn more and meet others in the industry? Search for local 2600 or ISSA groups. If nothing is available or if those groups do not meet your needs, start your own group. I started IndySec ->

Do not quit. I put a lot of time, money, and effort to get my position in Infosec. I failed several times to land a position in Infosec. I could have quit and not swallowed my pride to try again, but then I would not have a rewarding career.

Who am I? I am a simple person that works hard.
I understand I have a lot to learn. I am also somewhat of a newbie to Infosec.

Know your goals, do your best, when unsure – ask someone who knows, and never quit.


Didier Stevens said...

Excellent list, I would just add Podcasts.

I listen to several IT security podcasts:
- The Silver Bullet Security Podcast
- CyberSpeak Podcast
- PaulDotCom Security Weekly
- SploitCast
- A Day in the Life of an Information Security Investigator
- Security Now!
- Binary Revolution Radio

It's still interesting to read the ISC2's Common Body of Knowledge for the CISSP exam, because it covers so many aspects of IT security (albeit from a high level).

Stephen R. Moore said...

Ahh yes! Thank you Didier for the feedback. I think I will do another podcast based post (based on your provided links).

I do agree the CISSP Common Body of Knowledge is very valuable. My grad program is somewhat framed around those ten domains. We thankfully have the opportunity and flexibility to dive into the more tactical items for our labs, as opposed to just the higher level themes.

Anonymous said...

Why did you decide to attend Capitol College vs the other schools out there that are also online and NSA certified?


Stephen R. Moore said...

Sorry, I did not see your question. I had notifications off.

Why Capitol? They are online, but have LIVE lectures, their professors are top notch, the classes are more "applied" in nature - and most are technical / hands on, their text books are great (I owned some of them already), their support staff is very responsive, they are affordable, and the NSA thinks highly of them.

I did have one bad professor out of the 12 classes.

They were the best fit for Stephen Moore. There are more prestigious schools out there, however.

alt.don said...

Actually registration is required on because we get so many fscking spammers, lamerz and other assorted losers there. Requiring registration is a simple and effective way to at least cut back on some of the bottom feeders. That would be why we require registration.


Stephen R. Moore said...

Understood. I should have phrased my information a little differently.