Anyone here apply for Federal positions, how long did you wait for a reply?
I'm starting to get responses (2 out of 29) from some of these agencies, which said I don't qualify for the position. But I'm persistent as fukk!
Federal is about hitting check marks.
Again give yourself a leg up by getting used to DoD 8570
DoD Approved 8570 Baseline Certifications
You get your Sec+ or usually if they like you they'll bring you in and give you 6 months to get it, but try to get certs that fill out the most boxes.....
Are the Mike Meyers tests the best way to practice for the 901 test???
There is no best way objectively.
That depends... Are we talking about my resume or the truth?
According to my resume, I'm the man. 2+ years in various security roles ranging from Incident Response to Application Security. I can talk the talk with the best of 'em doe
Lmfao you better be ready, the only companies which will allow you to learn have you going in knowing nothing about security
Cyber attack modeling & simulation is the next wave. Get in before it's too late
Pentesting's been around since the late 80s. Nothing next about it. And to be honest, it's only really useful for a relatively mature information security program to test and validate controls or for PCI bullshyt and most companies are not that mature. Tons of people trying their hardest to be in pentest too.
Appsec has a bigger expertise shortage imo. And even blue team stuff centered around anomaly detection and higher level engineering (aka not run of the mill SOC).
Over the last few weeks, Gartner analysts Augusto Barros and Anton Chuvakin have issued a call to action on threat simulation, and dived into Breach and Attack Simulation technologies. The questions they’ve posed are timely and relevant, and have been brought up by many security leaders we’ve talked to as well. As a result, we thought it would be fitting to kick off a blog series to discuss these topics and our perspective on Breach and Attack Simulation.
Anton posed an interesting question in his first blog: “What does it even mean ‘to test one’s security’?” As he said, “We want to look into testing of security technologies and processes (such as detection and response processes), with the focus on outcomes, not controls. In essence, we want to look into testing the effectiveness, not the presence, of security controls.”
Let’s take a look at options that are available today:
- Penetration testing - A pen test is a point-in-time approach that attempts to evaluate the security of an environment by exploiting weaknesses such as vulnerabilities. These assessments are typically conducted once or twice a year, or every quarter in the case of organizations with stringent regulatory compliance requirements. Pen testing typically focuses on external attacks and has a bounded set of objectives because of the impact and potential risk to users and systems.
- Red teams - Some larger organizations have developed internal red teams that “simulate hackers” and are proactive about finding security risks in their environment. Security red teams are typically available in large organizations with fairly mature security posture. The challenge for most organizations is it can be expensive to build a red team because of a general shortage of these red team engineers with offensive-security skillsets.
- Vulnerability scanning - Vulnerability management systems scan systems to identify vulnerabilities that are associated with them. Because vulnerability management systems don’t incorporate context, the output can be incredibly noisy and may not accurately reflect true security risks. Additionally, even if security teams complete the impossible task of patching every single vulnerability, doing so isn’t an indication of a secure environment. There are many other breach methods that a real attacker might use besides taking advantage of a vulnerability, for example phishing or data exfiltration.
- Breach and attack simulation - A new technology defined by Gartner in their 2017 Hype Cycle for Threat Facing Technologies and in our Gartner Cool Vendor report, breach and attack simulation enables organizations to actually quantify security effectiveness by simulating hacker breach methods to ensure security controls are working as expected. The ability to assess security continuously and automatically, in real production environments and across the entire kill chain, eliminates guesswork, incorporates business risk context, and provides actionable results.
The hard reality with attackers is we know they are relentless and trying a variety of techniques to breach our security. Many of these techniques are being reused. The best way for us to ensure our security controls are going to stand up against these attacks is to actually execute these attacks.
Edit: Technically, Appsec is a subset of pen testing. Blue team will always have more jobs due to the nature of the work. Personally, I don't like Incident Response. Rather do cloud security.
No. No it isn't. Appsec is simply the process of improving the security of applications via software, hardware and procedural methods. You may utilize red team processes like web app testing to validate and audit your controls, source code review, or design review... But appsec is not a subset of pentesting by definition. For example, a WAF is an application security device. Do you use it for pentesting?
As for the second bold.... IR/SOC in the cloud is the same as IR anywhere, the only difference is that you have to be aware of platform-specific security controls (setting up logging in a large environment has its nuances too, but that's a whole different conversation).
As for the whole breach simulation shyt, that's just a pentest with a different scope, which has been around forever. There is no functional difference in the TTPs used. Maybe there is on the red team side operationally, but yeah... That's just a pentest
I was referring to your original post. You claimed AppSec has a bigger shortage; yet, in that context, AppSec (Manual App Testing) falls under pen testing. That is why they have the GWAPT certification, which is why AppSec positions tend to request the GWAPT. Now, does the entire field of AppSec fall under Pen Testing? Of course not, but under the context, I was correct - AppSec analyst managing WAFs?! Where they do that at? AppSec analysts use scanners, manually review source code, and test for vulnerabilities.
Why would I do cloud IR but be opposed to on-prem IR?? I was referring to POC's/Architect aspect of cloud security.
Seems like miscommunication. I was speaking from my exp. as an AppSec Analyst. You on that SOC/IR ish
Breach simulation gon be lit. idc if its the same shyt with a different name
What is the route you take if you go to college for IT but wanna go into the security field like bdizzle did? I mean for argument's sake, if you got fortunate with being given money to go to college and don't have to do the cert route
Computer Information Systems