Ask HN: How do you start a career in software security?
I am close to finishing a Computer Science degree and while I find software security really interesting, I have not been able to find any company hiring graduates for positions that specify working with software security. Is software security just something you stumble into later in your career?

Security consultant checking in. Candidates with some form of experience are often preferred. But the beauty of infosec is that that experience can be pretty much anything; it does not have to be relevant work or school experience. Have some bug bounties, CVEs or exploits to your name, and you'll get an interview. Have a certificate like OSCP to your name, and you'll get an interview. Do writeups of Vulnhub machines and that might even be good enough. But what seems to be the common theme among security people in nice jobs is that the effort came from them. They were self-driven; this is what they do, regardless of whether they're paid for it.

And the reason is simple: this is a fast-moving job, which often requires additional study and effort on a daily basis.

So show that you have this quality and take a very active approach to the start of your security career. It should work; everyone is hiring.

> Have some bug bounties, CVEs or exploits to your name, you'll get an interview.

That assumes you hear of positions and apply. I do auditing for fun in my spare time, and have reported issues in software as diverse as Emacs, evilvte, GNU Readline, gforge, oping, and NCSA Mosaic 2.1 (!). Brief list: https://steve.fi/Security/Advisories/

In all that time I've never once received an unsolicited offer/mail about "security". I do receive unsolicited contact from recruiters every other month or so, on the topic of Perl/Ruby/C++/etc. (Interestingly, I stopped getting recruiter mails from people asking about C++ when I moved a couple of personal GitHub repositories into an organization of which I'm the main active member. I suspect that means recruiters are crawling GitHub now.)

> Have a certificate like OSCP to your name, you'll get an interview.

That's the way I personally moved to security and I can't recommend it enough. It's a bit expensive but you definitely get your money's worth.

In terms of security certificates, it is actually on the cheaper end. SANS/GIAC have a lot of certificates but run much more expensive, like $5k+.

Well, it's a bit of an out-of-pocket expense for sure, but it is in my opinion the security course where you get the most bang for your buck.

The reason you haven't found companies hiring graduates for security is partly because security, like most specializations, generally skews towards more experienced candidates, and partly because it's a relative niche. I'm happy to help you via email if you'd like to get in touch. Practically speaking, my advice would be to pursue bug bounties, read as much as you can in the field, and implement security measures in code to understand them deeply. Plenty of the large and reputable security firms are in an "always hiring" state, even for graduates.
I know this is a broad question, but what skill set are security firms looking for in graduates/juniors? I have a year of experience in software development on a security product, and have done some basic security vulnerability assessments, but I'm not sure if that's enough to get hired somewhere else.

I work in product security. Early in my career I often did bug bounties and CTFs/wargames, but I didn't really get into "software security" until I had spent some years doing large-scale, production-level software engineering. Software security is a big space. There are pentesters, exploit developers, researchers, application security people that work attached to product engineering teams, et cetera. What is it that you really want to do? IMO, to really understand how to break things and how things break, you need to be able to build things as well. Outside of very limited circumstances, you need to be able to communicate to product teams and other developers why a certain exploit class succeeded, what they can do to mitigate the issue in prod now, and what best practices to follow to mitigate the issue class in the future. If I were you, I'd connect directly with people working in security, either security for a "normal" company or working for a security company.

I can believe it if you say that job postings are slightly biased towards senior positions, but I'm sure you'll find good opportunities easily; it's a very specialized job and it's hard to find good people. If you let managers (or HR) know that you exist, a position will appear.

Being in a somewhat similar position (looking for my first 'real' job in the field of security), I have more or less the opposite problem. After setting up a profile on sites like Xing (works best for Germany) or LinkedIn and adding some relevant buzzwords, you get basically swarmed by recruiters. The offers from recruiters might not be the most interesting, but you can still use them to get some information and feedback. Just show that you have a personal interest in security. For example, I have myself participated in a bunch of bug bounties, hitting most of the big ones (Dropbox, Facebook, Google, Microsoft, Mozilla, Paypal, Twitter, ...). While finding big problems in the higher-paid ones might be trickier, there are always companies that just offer a thanks or some swag. An alternative would be to look at open source projects and try to get some CVEs. Of course this depends on what field of security you want to end up in.

> I have not been able to find any company hiring graduates ...

Don't search job posts online; you must go where the fish are. Start attending live events, conferences, etc. In Oslo, try OsloSec: https://www.meetup.com/OsloSec/?scroll=true

For me it was, yes. For you, though, it might not have to be. Can you get some security classes in your coursework? (Does your institution even offer any?)

Luckily it offers two: software security and cryptography. I have taken both. I should also probably mention that I live in Norway, so my question applies more to the European job market, though I am of course interested in hearing experiences from anywhere in the world.

I'm from Denmark and in a position similar to yours. I'm not newly graduated but new to the "IT security" field. What I do is try to go to conferences here in Copenhagen. Luckily my current employer endorses my endeavour and even sponsors some of the conferences or lets me use some of my work time to attend. But the point is I'm trying to get to know the field and the people in it. It's a small community, at least in Scandinavia, so I'm trying to use the human angle here. :) (But truth be told, I'm hoping to land a job at my current employer.)

Go to the OWASP meetups in Norway if you can; nice people there.

Don't be afraid to shake things or the industry, but always stay on the bright side. The line is very thin between "I am trying to help and improve security" and "I am threatening you". Some people or businesses could feel threatened depending on the wording used when approaching them.