Dailydave mailing list archives

Re: Can Dave be cloned?


From: robert () dyadsecurity com
Date: Tue, 5 Oct 2004 16:07:27 -0700

Kevin Ponds(kponds () gmail com)@Tue, Oct 05, 2004 at 04:23:58PM -0500:
On the flip side of the coin, what can people coming out of college in
a field like this do to make sure their skills are allocated in the
right place?

Make sure that you are working while you are still in school.  There is
a difference between getting the project done well enough to earn a good
grade, and getting it done well enough to earn money.

My experience in job hunting (I'm about to graduate college) is that
you can either get a job developing security products or using
security products.  The latter environment is much more prevalent in
the college job hunt.

Sad truth is that our industry is saturated with people who can not
accurately self assess their own strengths and weaknesses.  We have
people with no understanding of how computers really work learning how
to run automated wizards and passing as security experts.  One of our
internal mottos at Dyad is "What you do means a lot more than what you
say".  More to your point though, you can't fully understand what a tool
does for you until you try to build one yourself.  You'll learn more by
writing a sniffer than by simply using one.

This makes it hard for the security college grad.  We can either take
the F500 corporate job and not use our advanced programming skills, or
we can try and try to get on with a company such as Immunity or eEye,
which is a very tough battle to fight when corporations are trying to
throw money at you.

:) .. at some point you have to pick a primary motivation.  Some people
are greatly motivated by money.  Others are greatly motivated by
accomplishment.  In order to be the best you can be, you need to quickly
pick which motivation to grab on to.

My advice, look where the college graduates will look.  Post on
SecurityFocus jobs, different security forums and mailing lists, etc. 
Stay relevant, and don't post job advertisements in low traffic lists
that like to stay on subject.

When I'm interviewing candidates I look for accomplishments.  If all
they have on their resume is a degree, they're far less interesting than
if they have contributed to meaningful projects along the way.  Most CS
college grads will have to unlearn years of habits before they can
become usable.

There is a huge difference between an exploit writer and a security
researcher.  While the exploit writer may have a highly honed knack for
finding and exploiting a buffer overflow, a security analyst is able to
find additional attack vectors outside of the well known problem set.

While in college, expose yourself to as many varied things as you
possibly can.  Join projects, sponsor projects, contribute like mad.

When I was in college I played French Horn 7-10 hours a day.  I would
have done more if I didn't have other homework, classes, sleeping and
eating to contend with.  Now at work I work 12-16 hour days on average. 
It takes a great deal of dedication to get really good at anything.

Or you can just do the megacorp thing, put in your 8 hours, go home,
earn a pension, and never accomplish anything of great worth.  You can
even make a lot of money doing that.  It's all about your priorities and
personal motivations. =)

We are interested in computers, but we aren't interested in fumbling
around with Crystal Reports all day, and that's what's being shoved
down our throats.

I'm not sure if you got the memo, but I'm going to need that TPS report
by 4:00pm today... so if you could just do that, that would be great.

Robert

-- 
Robert E. Lee
CTO, Dyad Security, Inc.
W - http://www.dyadsecurity.com
E - robert () dyadsecurity com
M - (949) 394-2033