Cybersecurity job categories
by Parisa Tabriz
Every once in a while, I’ll get an email from an eager stranger asking for advice on how to have a career in security (computer, information, cyber… whatever). This is great! We need more passionate, creative, hard-working people that want to work on making technology safer to use. It also turns out to be a pretty financially stable way to make a living.
There are plenty of other posts on this exact topic ¹, but I’ll offer some high-level thoughts pulled from my own experience.
Working in security isn’t like it’s depicted in Hollywood. I LOVE watching hacker-inspired movies and shows for the fantasy and escape, but day-to-day work isn’t (in my experience) as fast-paced and sexy as it looks on screen.
Now, that’s true for most professions, and even if I’ve never spent a day deciphering streaming code in an underground lair, I still think it’s an exciting, important, challenging, and rewarding field to work in.
Security is a broad, interdisciplinary, applied field. There are needs for people that design and build secure systems, people that try to break systems, people that try to detect intrusions, and lots of things in between. If I’ve learned anything, I’ve learned that there is no single, standard, or best preparatory path. Maybe this will change as the field matures, but I doubt it. It’s also not like other professional fields that require accreditation (e.g. medicine, law), which can be both liberating and intimidating.
Independent of how you acquire it, you’ll benefit from having a strong understanding of applied computer science, or how computers and software work. Much of applied computer science is about solving problems with layers of abstraction, and security is often about finding the flawed assumptions in those abstractions… and then figuring out how to best fix (or exploit) them.
I did this by earning an engineering degree in Computer Science from a public university. Some of the more useful topics to me were operating systems, networking, computer architecture, and compilers. Beyond that, I just took technical courses I found interesting (e.g. digital signal processing, biomedical engineering, artificial intelligence) and explored security topics in networking, privacy enhancing technologies, and (web, client) application security via project work in student clubs and internships.
You’ll also benefit from understanding how people (users, customers, whatever) that use technology work. If I could go back in time to my more {care, obligation}-free university days, I’d take some classes in psychology, sociology, and human factors.
I work with experts that have similarly traditional academic backgrounds (e.g. degrees in computer engineering, computer science, mathematics, etc.). I also know plenty of people that have less typical backgrounds (e.g. chemistry, film studies, psychology, graphic design) and some folks that dropped out of school before finishing a degree.
On the topic of security certifications, I don’t have any, and I don’t think I’ve been held back because of it. It’s possible that some industries or countries require them for infosec professionals, and they’re certainly a thing that some reasonable people have pursued — caveat emptor!
Culturally, I’d recommend reading the Hacker Manifesto or How to Become a Hacker, which serves as both inspiration and moral compass for many security experts. Even if you don’t liken yourself to a hacker, it’s helpful to understand the mindset of some of the people you’re working alongside.
Beyond that, most of what I know I’ve learned over time, in anecdotes and nuggets from friends and co-workers, security blogs, conference papers and presentations, mailing lists, local security groups, and other online resources. A lot of the things I hear about or ingest today come from folks on my Twitter security list.
This applies to any career pursuit, but get some real life work experience as fast as you can. That’s the best way to narrow down your interests, strengths, and areas of future development. You’ll also better understand what a normal work day and environment consist of, including what you like and don’t like. One of the most valuable career-related experiences of my life was doing an internship I hated since it veered me strongly into another direction :)
In terms of how to start getting experience, I don’t have a simple answer. Check out career fairs and conferences, get involved in clubs or other organizations, apply for internships and part-time jobs with bold enthusiasm. Way before coming to Google, I cleaned up dried nacho cheese at a concession stand as part of my regular shift as a community pool lifeguard. That little bit of job experience helped me get a college dorm SysAdmin job, which no doubt was relevant when interviewing for an IT internship at a large Pharmaceutical company. I got some “real” (i.e. non-coursework) software experience with clubs at University, and I found a cybersecurity internship posting on a school newsgroup, which probably gave me just enough relevant job experience for someone at Google to consider me for an interview.
The best security engineers I know are also actively writing code. This gives them firsthand experience with writing software, including unintentionally-yet-inevitably introducing security bugs. The latter forces a real empathy for all developers. After all, it’s often harder to consistently write secure code than it is to point out insecure code.
If you’re stuck on where to start in a project of significant size, try fixing bugs in an open source project. Everyone loves people that fix bugs! The project will thank you, and it’s typically a good way to get real-world experience and your foot in the door for future work.
Spend time finding software bugs. Learn how to use a debugger, network scanner, web debugging proxy, and software fuzzer. Spend time in hacker playgrounds, which are available for all skill levels. I first used https://www.hackthissite.org when I was in college, and listed out a couple other self-guided hacker training sites at https://infosec.rocks. There’s also a good list of hacking challenges, competitions (e.g. CTFs), and time wasters here. Or find and report bugs in actual software you use. There are plenty of software vendors that offer financial rewards for security bugs, including Chrome and Google, as well as some core open source projects covered by the Internet Bug Bounty program.
Beyond finding bugs yourself, I’d recommend following along and learning from what others are finding (bugtraq, fulldisclosure, oss-sec).
I started learning about security back in college from peers in an ACM special interest group called SigMil, where members would give unpolished presentations about security topics they were interested in. We also took an annual pilgrimage to DEFCON to attend talks (which was a lot easier to do a decade ago), buy security books or magazines, or just chat with likeminded folks from other parts of the world about what they were working on. At Google, I’ve learned SO MUCH directly from my peers sharing their expertise, struggles, and half-baked ideas.
Sharing knowledge is important for a few reasons:
Working in security means you’ll need to regularly explain complex, technical problems to different audiences, each with different vocabularies, expertise, and incentives. You’ll rarely have universal metrics to lean on when describing the severity of a vulnerability, nor will you have anything shiny to show off when promoting best security practices. You’ll have to keep people unflustered in the face of FUD, yet focused on action outside of crisis.
All of this takes skills in the art of communication, and in particular, explanation and negotiation. You’re unlikely to master this art from purely technical resources, so practice, publish, and forever aim to improve.
Perhaps this is obvious, but it’s worth calling out explicitly.
Security is challenging work. You’ll need to constantly learn new things because the technical landscape you’ll need to secure is rapidly evolving much faster than our ability to deprecate the old, yet-to-be-entirely-secured stuff. The threat actors, who often have time and resources on their side, are also quick to adapt to existing defenses.
Security can be stressful. You’re dealing with ambiguous problems, imperfect solutions, limited data, and real threats to human safety.
It’s hard to measure success with security, and in my experience, people are more likely to notice failure. When securing real world technology, we’re ultimately in the business of risk mitigation, and no matter what someone on an RSA vendor floor tells you, there are no silver bullets.
This field can be depressing for some of the reasons I just outlined. It can seem impossible to keep pace with the speed of innovation in technology and exploitation. I mean, buffer overflow vulnerabilities have been around for decades, yet we still regularly see high-impact exploits leveraging them today (2016). You’ll regularly hear people scream security is impossible, and it’s getting worse, or make entirely eloquent points about why we’re all failing.
Reality can be harsh, but if we focus on the positive and think of all the things technology has afforded, it’s pretty dang impressive! It’s not perfect. It will never be perfect. But I think the cutting edge of security is a lot better than it was 10 years ago, we can do some pretty impressive stuff with some level of reasonable assurance, and that’s something that keeps me optimistic.
Don’t get discouraged if you run into jerks. I’ve seen plenty of chauvinism and ego in the infosec industry over the years. It’s not uncommon for a conversation (online, at a conference, wherever) to quickly turn into who is the most elite.
Perhaps this isn’t the experience for everyone, but I’ve been successful in large part due to the support, advice, mentorship, and help from lots of great security people whom I now consider friends. Just because you have to ask for help does NOT mean you aren’t cut out for this work.
If you need help, ask for it. Just make sure you do your due diligence and make it as easy as possible for people to help you. Most experts are pretty busy, so you’re much more likely to get a useful response if you ask a well-scoped question with sufficient context and no typos.
[1] Some other security career advice thoughts I’ve stumbled upon:
Thomas Ptacek, Charlie Miller, Jeremiah Grossman, Richard Bejtlich, and Bruce Schneier share their thoughts in http://krebsonsecurity.com/tag/security-career-advice/
Chris Palmer, my friend and Chrome colleague, shares solid advice in https://noncombatant.org/2016/06/20/get-into-security-engineering
Michal Zalewski (a.k.a. lcamtuf) shared 4 simple lessons based on his 20 years of (awesome and often groundbreaking) work in security: https://lcamtuf.blogspot.com/2016/08/so-you-want-to-work-in-security-but-are.html
Translated from: https://www.freecodecamp.org/news/so-you-want-to-work-in-security-bc6c10157d23/