[Owasp-austin] Security Certification Question

Jason Geffner jason at malwareanalysis.com
Fri Apr 29 16:56:00 EDT 2011


I teach malware reverse-engineering classes at Black Hat, but as it would
probably be in poor taste for me to link directly to them, I'll just be
honest and say the following...

If you're looking to take malware analysis courses to educate yourself and
perform better at your job, then that's fantastic. But if you're looking to
get a certification just for improving your career opportunities, be
forewarned that most of the best security and/or AV companies could care
less about certifications. They'll judge you based on what you've published,
what tools you've written, and on your overall reputation in the industry.

- Jason


-----Original Message-----
From: owasp-austin-bounces at lists.owasp.org
[mailto:owasp-austin-bounces at lists.owasp.org] On Behalf Of Snider, Matthew
Sent: Thursday, April 28, 2011 1:01 PM
To: owasp-austin at lists.owasp.org
Subject: Re: [Owasp-austin] Security Certification Question

RE:  I wish to do a security-related certification. I am good in Linux, Ruby,
moderate C programming. CISSP, OSCP, SANS: there are a lot of certifications;
which one should I go for? I am mostly interested in malware-level coding and
analysis!
I am a second-year undergraduate in Information Technology.

Please help! I have already been using BackTrack Linux for the past 2 years!


Hello,

Saw your post on the OWASP mailing list, so I thought I'd share my two
cents.  Given your background and career aspirations, I would say the CISSP
is way too much for what you're looking to do.  CISSP is all-encompassing,
folks like to say it's a mile wide but only an inch deep.  So to do that
cert you'll have to learn about fences, lighting, fire extinguishers,
cryptography (DETAILS!  It's hard), business continuity and DR, etc.  In
addition you'll need five years of professional experience to qualify as a
CISSP.  You can pass the test and become an "Associate of ISC2" but that's
not a CISSP.  Down the road as your career progresses I would say definitely
go for the CISSP, in my opinion it's the gold standard of security.

If you're just trying to get a security cert that you can put on a resume,
maybe CompTIA Security+ would be a better option. It's broader than just
malware but much more manageable than the CISSP without the experience
requirements.

If you are really interested in malware analysis, etc, then I'd look to
SANS.  They have two courses which could be relevant:

 Reverse-Engineering Malware (Forensics 610)
http://www.sans.org/selfstudy/description.php?tid=4607


If you're really strong on the coding side, another option is Advanced
Exploit Development (Security 710).

http://www.sans.org/selfstudy/description.php?tid=4777

The thing about SANS though, since you're a student, is that SANS is very
expensive.  But like the CISSP, it to me is the gold standard.  I've never
taken a SANS course but I have wanted to for the last 10 years at least.
Maybe there are student discounts?


One other avenue to consider is Linux certification--the LPI is pretty good
I think.  It's not security-specific, but Linux is a good place to be right
now career-wise.
http://www.lpi.org/eng/certification/the_lpic_program


Anyway, hope this helps.  If you have additional specific questions please
let me know and I'll try to assist.  Good luck!

Thanks:)
Matt Snider



Matt Snider, CISSP, CISA, CCENT
Manager, IT Assurance Services
Clifton Gunderson LLP
11044 Research Boulevard, Suite C-500
Austin, TX  78759
512.342.0800 / FAX 512.342.0820
Direct: 512.340.7428
Matthew.Snider at cliftoncpa.com

www.cliftoncpa.com





_______________________________________________
Owasp-austin mailing list
Owasp-austin at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-austin

