Hello devrant, so I've been wondering if anyone here breaks things (infosec)? Is there anyone who dabbles with building stuff (dev/ops) and breaking them? Need advice on whether I should be looking at a devops-y role or an infosec-related role in the future. (PS: I was in infosec and am slowly transitioning into ops/devops, not sure yet.) Please share your experiences. :)

  • 2
    I'm currently going from dev to infosec.
    It's lots of learning in the beginning. Infosec is large, so you'll want to choose what to specialize in after getting to know all the topics a little (or, as I say, excel in one, dabble in many).
    I chose to specialize in securing the human factor (aka user education, Security Awareness Training and so on). Security is a large field and you'll have to work as part of a team.
    In the end, prepare to read lots. If you can't speed read, learn it. It will come in handy.
    Also, depending on your field, you'll want a beefy machine for running large VM networks (I learned most of it in my free time, on my own equipment).
    You'll be asked questions outside of your field of expertise. Be prepared to answer them, get your feet wet in some of the other fields (for example, I can perform a penetration test, even if it's not my best quality).
    I don't know about devops, but I'll assume it's a similar game with different names.
  • 1
    I agree with you. I am aware of all the branches of security; what I'm experiencing is that pentests are sometimes boring. You are looking for a needle in the haystack, and I don't like searching for things. I call this the hacker's mindset. But I have a builder's mindset. I like doing technical things, but infosec didn't quench my tech thirst. Does it get better/fun later?
  • 2
    @siliconchips Try out some of the other things (building malware perhaps? 😉). But if you're more of a builder, maybe infosec isn't for you... Being a security-aware dev is awesome as well. We need more of those!
  • 1
    Hahaha, yeah, security is cool to follow. So many things happening in this space every day. That's why I was initially attracted towards it. Also, everyone was getting on the coding train; I thought there would be too many devs, or that they would not be paid enough because of the availability.
  • 0
    @siliconchips Yeah... The problem is, there aren't many standards in infosec yet, so everyone and their mother do "security" - for some, that only means installing OS patches and thinking up password complexity guidelines and they never even heard about anything related to cryptography.

    The thing is, security done well is a rare commodity.

    In general, you may want to dabble in as many fields, even non-technical, as possible - reading something about lockpicking or manipulating a mechanical tachograph may give your brain another context on a tech problem. I've had more of those moments than I can count ever since I started reading on unrelated topics (finance, economics, warfare, lockpicking, politics, CSI techniques, medicine, psychology)...
  • 0
    Yup, it's too broad of a domain. No two people in infosec would ever have the same experience. Some might work on crypto, some might just run scanners the whole day and call it a day.
    It is not rewarding professionally when I'm putting my heart and soul into a sec project and others are lazing around. It's difficult to even stand out.
  • 0
    @siliconchips I know. I'm not a cryptography expert myself, but I can explain the basic workings of modern cryptosystems, I know when to use them and how to implement them.

    Unfortunately, in a world where the average civilian (noncombatant/end user/muggle/customer) can't even tell the difference between transport encryption and end-to-end encryption, there's a lot of room for marketing and other bullcrap spitters.

    It's easy to get what I call the "Hawkeye syndrome" (Like the surgeon from M.A.S.H - everything I do is pointless, so I might as well get drunk on the job. Watch the series if you haven't - it's very good) - every way we find to protect users, the bad guys find three new ones and at least one exploits a user's natural stupidity/lack of knowledge. There's no real interest in SecEd anywhere, because it's against the doctrine that most governments teach.

    So yeah... the quickest way to depression.
  • 1
    I'll check the series out for sure. I believe work should be fun. Unfortunately my fun is kinda dev/sec together.