
I run a coffee meetup in Buffalo, NY. Around graduation season we get a lot of international students who come and are looking for jobs but are worried about visa issues. What are the resources about what their actual situation is, and how I can help connect them to smaller companies who might not know how to sponsor students?


I'd recommend inviting a local immigration attorney to speak to the group and/or be available to answer questions because there's no one great resource.


Thank you


Alum here, most of the international students I knew got a job on campus to get their paperwork done and then you can use it elsewhere.


Amazon Web Services security team is hiring.

Locations: Seattle WA, North Virginia, Dublin Ireland (EU), Sydney Australia

We're looking for security-minded engineers at various skill levels. Our positions range from support engineers (who we expect to have a good technical depth, but not necessarily a security focus) to principal engineer (capable of running a security campaign across 100s of thousands of servers and 10s of thousands of employees).

[edit: linebreaks] Key focus areas include:

- Recognize, adopt, utilize and teach best practices in security engineering: secure development, cryptography, network security, security operations, systems security, policy, and incident response.

- Collaborate to ensure that decisions are based on the merit of the proposal, not the proposer. When none of the proposals is the obvious winner, you are still decisive, able to disagree and commit to the team’s decision

- Demonstrate high capacity and tolerance for extreme context switching and interruptions while remaining productive and effective

- Participate in efforts to promote security throughout the Company and build good working relationships within the team and with others across Amazon

- Partner with teams throughout the Company to develop pragmatic solutions that achieve business requirements while maintaining an acceptable level of risk

- Solve problems at their root, stepping back to understand the broader context

- Maintain an understanding of the Internet threat environment and how it affects the company

- Find and fix flaws in existing company systems and sites

- Leverage current state of network and application security tools and how they can benefit the company

- Maintain knowledge and skills required to keep up with the rapidly changing threat landscape

- Participate in efforts that create and improve the company’s security policies

- Work under extended, extreme pressure, handle situations calmly and lead incident response teams effectively

- Proactively support knowledge sharing within the team and across the company

- Help recruit the very best people for Amazon through active participation in the overall recruiting process

- Large-scale security engineering

Cloud security experience is obviously a plus, but not a firm requirement. Listings are available here: http://www.amazon.com/gp/jobs/ref=j_sq_btn?jobSearchKeywords... Or PM me and I can provide a professional reference.


Hopefully the author will see this, but please make sure to add a note to add the settings.py to the .gitignore file. If your AWS creds are committed to github, anyone can have access to your AWS account.


fixing this now, thanks for the note!


You know a technical blog post was interesting and informative when it spawns 5+ tabs of other articles and Google searches on the topic!


With a Galaxy Note and the Graffiti Keyboard http://www.amazon.com/ACCESS-Systems-Americas-Graffiti-Andro... I get the old experience from my Handspring Visor on a much nicer device!


I would be interested to see what the HN crowd's opinion on certifications is. Mr. Schneier mentions them in his post but they seem to be a sticking point in the community as a whole. I have been on the hunt for ~2-3 months now without luck so far. I am currently working on my CISSP though I don't have the experience to qualify for it (CISSP requires 5+; I only have 2+), so even if I pass I can only qualify for the associate level.

I'm not sure if the CISSP is the way to go but I want to feel as if I am moving forward on a career search so I don't get stuck in a rut.


IMO, he's seriously wrong about certifications. (and not really on the right track with this article in general; a good background in making stuff is key to knowing the tradeoffs in securing stuff...)

Maybe the perfect cert would be a useful tool for some purposes (corporate hiring, huge projects with consultants doing low-level IT, etc.), but those are crappy jobs (and not really "expert" in any way).

More importantly, the extant certifications are all crap. CISSP in particular. Get it if an employer requires it, but it's independent of your actual knowledge and learning process.


You will never, ever get the time you waste at a bad employer back. Employers that require CISSPs are far more likely to be wasting your time than not. The most important life lesson I've learned over the previous 10 years: be jealously protective of your time.


If you're in the military, you're basically required to get it, and it's not much more of a waste of your time than other things you could be doing there...

I personally got it just so that no one else in my company would ever need to do so; there are stupid companies which won't buy a product without integration, and where they have artificial requirements for integrators being certified. Given that it is only 1% of useless pain to enable 99% useful rewarding stuff, I found the sacrifice worthwhile.


This comment is a great example of why I'm training myself to be less factional and defensive about people who hold the certificate. The military thing hadn't ever occurred to me.

But to be clear: I believe pretty firmly that for technical / software security, the CISSP is useless.


CCIE Security is probably useful, although that's more CCIE + Security than some abstract security cert, too, and specifically for network security, and specifically the kind of network you get in a corporate environment, not a startup/saas.

I'm not sure how I feel about SANS/GIAC. Absurdly expensive IMO, but potentially actually has some value for sysadmins doing system security. I can't think of what CISSP is actually good for, except maybe trivial pursuit - crappy consultant edition.


Somewhat related - about 2 years ago, my employer had a bunch of us go through the SANS/GIAC GSSP training & certification. Some of the material was pretty boring and of questionable utility, but we had a good instructor and some of the hands-on parts where we were finding vulnerabilities were actually really fun.

I'm under no illusions about the certification's marketplace value and I doubt I would have ever paid for the course/cert on my own, but it felt like one of the better formal trainings I've been through in my professional career (which, granted, isn't saying a whole lot by itself).

Also, the certificate comes mounted on a comically oversized plaque, which provides some entertainment value.


Strong agree with 'rdl, I recommend avoiding the CISSP altogether. Having a CISSP isn't going to hurt you, except to the extent that it will enable you to get jobs at places you shouldn't be wasting your time with.


What about the CompTIA Security+?

Once upon a time I was a contractor at an insurance company, and I saw that most of the people in their IT department had various certifications hanging on their cubicle walls. I thought, "I want one of those."

So I selected the Security+ certificate, inhaled about two-thirds of a book covering the material, passed the test, framed the certificate and put it on my office wall.

That's about it. It was fun.


Security+ is the "easiest" of the big certs (I did CISSP with about 10 hours of prep, and probably didn't even need that, but I had been working in the field for 15y, read the Rainbow Books when I was 11, and enjoy security trivia for its own sake rather than for application only; it normally takes about 5x more time to prep for than Security+ vs. CISSP).

Security+ seems a bit more focused, and obviously vastly less comprehensive (Part of CISSP is some fairly esoteric and never-used theoretical models). In practice I'd say it's on par with CISSP.

https://www.isc2.org/dodmandate/default.aspx DoD considers Security+ to be level I or level II, CISSP to be ok up to level III, although prefers CISM or CISA for certain roles over CISSP.


Most certifications are pretty meaningless, except to suggest to managers that you probably at least know some basic information about the topic covered. If you're out of work, getting some certifications certainly wouldn't hurt, but if you're not worried about trying to find a job, you generally don't need to worry about certifications.

That said, there are a few certifications that are very hard to fake your way through. I wouldn't put much stock in a CCNA or CCNP, for example, but someone who has CCIE most likely does know quite a bit about the area covered by the CCIE exam. Likewise, the Microsoft Certified Master program, which not only requires exams, but a certain number of years of experience (varies by product) in the product you want MCM status for, shows that you've been working with the product long enough that you probably actually know something about it (whether or not it really makes you an expert...). But these certifications don't really say much about your software development skills, which is what the Hacker News audience is probably more interested in.


As someone who used to be CISSP certified (way back in 2003), here's my advice: don't bother. The only reason I got it in the first place was because, honestly, I had more free time than actual experience. Otherwise it's a great way to bullshit your way into a job you're unqualified for in a shitty company.

Focus your efforts on actual learning, instead of proving through a worthless piece of paper.

edit: Just to drive the point home: 9 years later I still don't know shit about security.


If you're going to waste your time on a stupid cert, waste it on a vendor cert around your main technology.

I'd trust a RHSE to know redhat security for redhat deployments more than I'd trust a CISSP, mainly because I put close to negative value on the CISSP, and a lot of infrastructure security is actually following best practices, not anything too specific to security.

For networking, Cisco (assuming a Cisco shop).

For virtualization, I've heard the VMware stuff is good if you're enterprise doing VMware. I wonder if there's value in the Amazon AWS courses for AWS deployments; I'd almost take one just to see what they're like.


I am working with his Learn Python the Hard Way course on Udemy, and his book and videos have helped me get going.

