EH-Net

Hi all, hope you guys are doing good. I am a CCNA, CCIE Security written, JNCIA(FWV/VPN), currently working at on juniper's netscreen firewall at JTAC, Convergys, Bangalore. I want to know if I am eligible to do cissp, I have around 1 year of exp in IT( 6 months of routing and switching, 6 months of firewall experience.). I know I can do Associate of cissp, but what will I have to do once I am certified to get the actual certificate.

And I wanted to know a few things about GSEC, I liked the topics alot, will this certification help me in during my interviews? is it on HR'S list? And do i need experience to take GSEC?

You need five years of full-time security experience. There seems to be a bit of flexibility in what's considered full-time security experience (you need to be involved with two of the domains, but some are fairly broad). Additionally, you can waive a year of experience with a qualifying degree or certification. Regardless, if you only have one year of IT experience, you're definitely a few years away from being eligible.

There is more information here: https://www.isc2.org/cissp-how-to-certify.aspx

Professional experience requirements: https://www.isc2.org/cissp-professional-experience.aspx

Along with the certifications you can use to waive a year of experience: https://www.isc2.org/credential_waiver/default.aspx

As far as GSEC is concerned, I think it's a fairly well-respected entry-level certification. However, you should review the job sites and postings in your area to see how popular it is there.

What is your goal exactly?  What job do you want to have and in what timeframe?

If you're planning to stay focused on networking, the CCIE Security is tremendously valuable and you could supplement it with GSEC, GCIH, etc.  If you plan to go into management, a CISSP would be worth a lot more (you'll probably need a 4-year degree also).  If you're looking to do penetration testing, a lot of companies ask for the CEH but most of the people here prefer more difficult certifications like the OSCP.  So, again, what is your goal?

Thank you guys for your replies and your time. I want to get into application security. Any idea which certifications will help me?

@ unicityd - I do have a four year degree, Bachelor Of Engineering(Computer Science) :)

Check this out http://infiltrated.net/TechnicalSecurityRoadmap.html#

I'm assuming you're referring to web apps.

GWEB (maybe the .NET or JAVA ones as well): http://www.giac.org/certifications/software-security

GWAPT http://www.giac.org/certifications/security-administration

There will be some web app material in PWB/OSCP and CTP/OSCE, and AWA/OSWE focuses on it entirely: http://www.offensive-security.com/information-security-training/

eLearnSecurity's eCPPT has a lot of web app material as well.

Sil, you need a search function. Some of that is three-layers deep on your road map ;)

If i want to get into pen testing, will c and c++ help?? and does oscp require work experience?

Programming knowledge is always a bonus. You'd probably find yourself using Python or Ruby more often day-to-day, but C/C++ could definitely be a preferred language depending and what you want to do. There are a lot of great Python resources in this thread: http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,8688.msg48019/topicseen,1/

No work experience is required for OSCP, but it is definitely not an entry-level cert (granted, if you're at a CCIE-written level, you probably already have a fairly solid background).

How much does OSCP cost?

For appsec, certs may help a little, but they aren't as valued as in pen testing and network security.  A lot of senior level appsec jobs ask for the CISSP, but other than that, most job descriptions don't ask for certs.  Most of the top appsec guys either don't have certs or don't advertise them.  GSEC or GWAPT may be helpful, but you should check out the companies you want to work for and see if they ask for them or for any certs at all.  Plan to get the CISSP eventually, but I don't know that I'd recommend investing in any others for the cert itself.  If you want to take a SANS course to learn, that's fine, just a little pricey. But don't expect the cert to carry that weight that a Cisco cert would in networking.

You need to know at least one language really well and should have experience with several.  You need to be familiar with the OWASP top ten and should also check out ESAPI.  To get started learning about the various application security issues from a bug-hunters perspective, check out this book list by Dino Dai Zovi (he wrote a couple of them):

http://www.amazon.com/A-Bug-Hunters-Reading-List/lm/R21POHD6Y2DOLQ (http://www.amazon.com/A-Bug-Hunters-Reading-List/lm/R21POHD6Y2DOLQ)

You should start reading Bugtraq and Full-Disclosure to see the bugs that are posted there.  Don't worry about trying to remember which bugs are in which products, you need to understand what the bug is and how the poster found it.  Every time you see something you don't understand, go research it.  If an exploit is included, make sure you understand how it works.

You have your degree already which is important.  Now, you need to start gaining experience in software development or in appsec directly.  Where to start depends on what you want to do.  If you want to be a security architect at a software company or actually build security solutions, start out as a developer and work on your appsec knowledge along the way.  Make sure you learn some crypto as well; you won't be designing your own algorithms/protocols, but you should understand the ones that are out there.  I recommend reading Understanding Cryptography by Paar and Pelzl and Cryptography Engineering by Ferguson and Schneier.

If you want to be a bug hunter/researcher, you should try to get into a junior role that is somehow related to appsec.  With your degree and a little knowledge, you may be able to get a position analyzing security bug reports at a software company, testing software, or analyzing malware.  To be a bug hunter, you'll need to be able to program and should have a reading knowledge of multiple languages but you don't have to be a primo developer.  You need to learn to debug software and, if you're working with compiled programs, to reverse engineer as well.  Your networking experience won't count for a lot unless there is an actual networking focus to the appsec work you're doing (e.g. doing appsec at Cisco).

If you're interested in buffer overflows in C/C++ code, check out the list of papers I posted a while back:

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2897.msg13502/#msg13502 (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2897.msg13502/#msg13502)

You may want to read a book on pentesting/hacking such as Hacking Exposed or Counter Hack just to get some perspective, but pentesting is a different skillset so don't worry about being proficient.

WOW! thanks alot for all the information. i am pretty confused with all the certifications the world of network security has, but i am happy that i have alot of options :) could you plz tell me how much oscp costs?

OSCP is $750 or more depending on how much lab time you want.

http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/ (http://www.offensive-security.com/information-security-training/penetration-testing-with-backtrack/)