What is a security expert and how to become one?

clojure forum advocate
Posts: 3479
Hi,
Two days ago I read that Apple hired a security expert who works at the NSA to join Apple's security team.
This leads me to ask: what is a security expert? What is his daily job?
And more importantly, how does one become a security expert?
I noted that the IT industry treats the subject of teaching security as a Pandora's Box, and everyone starts to whistle if you ask them about it.
Thanks.
 
Ranch Hand
Posts: 433
Security is a very broad field.
A security expert is someone who deals with security. (What a surprise!) Those people have a tendency to look at things differently, searching for weak points and for how something could be broken.
How do you become a security expert? The same way you become an expert in any other field. Take programming as an example. You can teach someone the basics of a programming language. Does that make him an expert? No, by no means! There are so many things involved, like processes (e.g. Scrum, XP), tools (IDE, bug tracker, etc.), design patterns, the right choice of language and so on. Briefly: spotting a problem, categorizing it and having the right tool for it in your toolbox. (Remember the phrase: "If the only tool you have is a hammer, you will see every problem as a nail"?!) You don't need to be a master of every tool you have in your toolbox, but you should know when and how to use it and be able to dive deeper into the topic when it's needed. You need a lot of experience and creativity, both things which can't be taught. It's like teaching someone "to become an inventor".

Back to security: in IT there are different kinds of security experts. Some focus on web applications (e.g. finding SQL injections, XSS, CSRF, session hijacking, etc.), some on jailbreaking (google for GeoHot, e.g.), some on infrastructure (e.g. defending a server against hackers) and so on. There are no clear boundaries.

I hope this clears things up a bit.

[edit]
If you are interested in this topic, maybe you should read Know Your Enemy.
 
Hussein Baghdadi
clojure forum advocate
Posts: 3479
Thanks for the post.
One comment regarding teaching programming:
Processes (Scrum, Lean, ...) and tools (IDE, bug trackers, ...) aren't part of teaching programming.
You can be a superstar programmer without all of those.
End of comment.
Back to the subject:
Do you see what I mean?
XSS, CSRF, jailbreaking and defending servers.
How am I supposed to defend my software/hardware if I don't know how to attack it in the first place?
I may be wrong, but no one will teach you to perform attacks and eventually become a security expert.
 
Rancher
Posts: 43081

John Todd wrote:How am I supposed to defend my software/hardware if I don't know how to attack it in the first place?
I may be wrong, but no one will teach you to perform attacks and eventually become a security expert.


Start by reading what others have written:

https://coderanch.com/t/483806/Book-Reviews/Secrets-Lies-Digital-Security-Networked (an awesome book, IMO)

https://coderanch.com/t/93884/Book-Reviews/Ajax-Security-Billy-Hoffman-Bryan (specifically about web systems)

Lots of interesting pointers are in the SecurityFaq.
 
Joachim Rohde
Ranch Hand
Posts: 433

John Todd wrote:
One comment regarding teaching programming:
Processes (Scrum, Lean, ...) and tools (IDE, bug trackers, ...) aren't part of teaching programming.
You can be a superstar programmer without all of those.

Yes and no. You are right: processes and tools are not part of teaching programming. But you can't isolate programming from everything else a software developer uses on a daily basis. No programmer will start refactoring a huge codebase if he is using plain Notepad. You WILL need an IDE for that. You could start arguing that refactoring also does not belong to "programming" because in an idealized world you would get it right the first time. Reality looks a bit different.
Besides that, all the people I have met who are superior in their field are out-of-the-box thinkers and not only focused on one thing. So I really have my doubts that "you can be a superstar programmer without all of those."


John Todd wrote:How am I supposed to defend my software/hardware if I don't know how to attack it in the first place?

Start by asking yourself: how would you try to break it? Start reading about possible attacks. The basic concepts are usually well documented and you don't have to browse around the dark corners of the internet. SQL injections, for example, are quite well explained on Wikipedia. OWASP has a list of the top 10 web application security risks with explanations and examples. Subscribe to a topic-related mailing list. Buy some books which deal with the topic (one was mentioned in my last reply). Same principle as learning to build software: take baby steps, read on topics which interest you or which others point you to, and the longer you deal with this topic the more you get the big picture.
You don't have to become an uber-hacker to defend your software, you just need to know where you have to take care. If you are inserting user input into your database without escaping it, you will get some problems with SQL injections. The only thing you need to know: escape user input. No need to know how *exactly* fancy SQL injections work. And again: there are also books about writing secure code (e.g. this one).

John Todd wrote:I may be wrong, but no one will teach you to perform attacks and eventually become a security expert.

As I already said: there are tons of resources. So I'm not sure what exactly you are looking for.
 
Owasp member
Posts: 8

John Todd wrote:Thanks for the post.
One comment regarding teaching programming:
Processes (Scrum, Lean, ...) and tools (IDE, bug trackers, ...) aren't part of teaching programming.
You can be a superstar programmer without all of those.
End of comment.
Back to the subject:
Do you see what I mean?
XSS, CSRF, jailbreaking and defending servers.
How am I supposed to defend my software/hardware if I don't know how to attack it in the first place?
I may be wrong, but no one will teach you to perform attacks and eventually become a security expert.

One of the things that OWASP tries to emphasize is positive security and constructive security - in other words, we try to highlight practical solutions instead of focusing on discovering new attacks. As you mentioned, there is no shortage of attack techniques and even the best security experts would be hard pressed to know all possible attack vectors.

From a developer's perspective though, if they can follow a core set of security principles, they can help close the security gap. For example, both XSS and SQLi are forms of injection attacks. For the most part, injection attacks can be prevented with a good combination of input validation and output encoding. These two defensive strategies apply to any piece of code, and following through with these strategies moves an application's security posture forward by leaps and bounds.

The OWASP Development Guide and the OWASP Top 10 Project provide some good resources to acquire some of this knowledge.

-Jason
OWASP Global Projects Committee Chair
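The two defences the replies above describe (Joachim's "escape user input" before it reaches the database, and Jason's "input validation and output encoding" against both SQLi and XSS), shown side by side with the defect they prevent. This is an added example, not code from the thread or from OWASP; the in-memory `users` table, the `lookup_bio_*` functions and `render_bio_html` are constructed here for illustration.

```python
import html
import re
import sqlite3

# Constructed sample data (not from the thread) so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, bio TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?)",
                 [("alice", "Likes <b>bold</b> text"), ("bob", "Hello")])
conn.commit()

# Allowlist for usernames: the "input validation" half of the defence.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def lookup_bio_unsafe(name):
    """The defect the thread warns about: user input concatenated into SQL.
    A quote character inside `name` changes the meaning of the query."""
    sql = "SELECT bio FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bio_param(name):
    """Parameterised query: the driver keeps `name` as data, never as SQL.
    This is the modern form of "escape user input"."""
    return [row[0] for row in conn.execute(
        "SELECT bio FROM users WHERE name = ?", (name,))]


def lookup_bio_safe(name):
    """Validation plus parameterisation: reject malformed names outright,
    then query with a bound parameter."""
    if not USERNAME_RE.match(name):
        raise ValueError("invalid username")
    return lookup_bio_param(name)


def render_bio_html(bio):
    """Output encoding: HTML-escape stored text before it reaches a page,
    so stored markup renders as literal text instead of being interpreted."""
    return "<p>" + html.escape(bio, quote=True) + "</p>"


if __name__ == "__main__":
    probe = "x' OR '1'='1"                       # textbook malformed input
    print("unsafe:", lookup_bio_unsafe(probe))   # returns every row
    print("param :", lookup_bio_param(probe))    # no such user -> []
    print("html  :", render_bio_html(lookup_bio_safe("alice")[0]))
```

Note that the parameterised version alone already neutralises the probe; the allowlist adds defence in depth by rejecting input that could never be a valid username.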
 
Ranch Hand
Posts: 8945
I haven't seen company management encourage people to become security experts. My previous company had been trying hard to get a security expert for months; I have heard that it is still looking for one.
 