Help me decide : Cyber Security VS Java Dev

cguy

Executive Member
Joined
Jan 2, 2013
Messages
8,527
Unfortunately, the TL;DR for the below is mostly YMMV, because I just don't have enough info about you or the jobs, but perhaps I can add some perspective.

I don't really know very much about security at all. I have some knowledge of encryption algorithms, and the related maths, but pretty much nothing about what security people actually do - I do get the impression though that it ranges from installing software to penetration testing (which would involve trying known exploits, and possibly developing new ones). Depending on what, specifically, your job entails, this can range from fascinating to boring AF.

As for the development work, and bank vs. dev house, it all really depends on what you enjoy doing, how that aligns with pay, and what the local department's dev culture is like. I would look at what you've found that you enjoy doing, and see if doing more of that can align with any of these opportunities, and similarly, how much of what you hate doing is in these new jobs. I work in finance now, and far prefer the dev culture to that of technology firms, but I know that this isn't always the case.

Perhaps one more general piece of advice - something that has served me well is to do whatever is harder. The harder the work, the more challenging and gratifying it tends to be, and as an additional bonus, it ultimately means that you have less competition, and can demand higher pay too.
 

[)roi(]

Executive Member
Joined
Apr 15, 2005
Messages
6,282
I'm a little late to this debate, but in reviewing all that has been said and not said, I think cguy has ended with some valuable advice.
Perhaps one more general piece of advice - something that has served me well is to do whatever is harder. The harder the work, the more challenging and gratifying it tends to be, and as an additional bonus, it ultimately means that you have less competition, and can demand higher pay too.
With that said, security can be a very broad subject, with varying levels of specialisation and a lot of generalization; meaning the "missing" detail is what's going to make the security role either very challenging or very boring.

Here's a side example:
A French friend of mine was extensively a programmer for >20 years (his last few, primarily Java) and after a payment project decided to switch and specialise on Payment Systems: switching, authorization, settlement, ... his switch over was fairly painless considering he had gained a lot of low level experience coding VISA, MasterCard, Amex... frameworks that underpinned a lot of this; today he consults as a Payment Systems specialist with a key focus on security; plus point for him is that he can not only deal with the overall process & architecture but can also audit the underlying code.

Not everyone can make that type of transition; we all have varying strengths and weaknesses -- security can easily be very complex or very procedural; similarly so too some programming jobs. Which one is suited for you is difficult to say without more information. If the option's available, ask if you could spend a week in each role; then pick the one you found more challenging.

/edit: what I missed was your 4 years experience. If you like programming, but find the job boring, then rather, as someone suggested, find a better programming job (don't get pushed into alternatives if that's not where your interest is).
 

gkm

Expert Member
Joined
May 10, 2005
Messages
1,519
I agree, cguy gave very good advice.

Also, if maybe possible, you can try to job shadow the two teams for a day each. That might give you a better idea than what we random people on the internet know about the two positions.
 

initroot

Senior Member
Joined
Jul 30, 2011
Messages
896
I'm going to assume that "cyber security" in the context of a bank means that they offered you the opportunity to join their pentesting team. If that is not the case, most of this post is probably irrelevant. :p (I started writing this post before OP clarified).

TL;DR: Being a pentester is very hard and very rewarding. Do it if you are a hacker at heart, and if enterprise dev will be too monotonous for you. Don't do it if you're looking for a slower pace, easy going job, or don't have the will/drive.

This is the same choice I had to make a few years ago. Only in my case the pentesting position came with a considerable pay cut, because I would be joining a team with a very different skill set (that I didn't have). That is the first point that I would like to make: dev != pentesting. You may be working with some of the same primitives, but your approach and mindset is completely different. Just about the only dev you'll do is quick, ad-hoc scripts/tools to help you in your pwnage.

It looked to me like it would be a win in the long run: I would come out a couple of years later either as a skilled infosec professional (if I loved it), or go back to dev with specialised infosec knowledge and experience. Point number 2: Infosec is not a niche industry. It's very rapidly increasing in both importance and size. Just search for some infosec spending statistics.

I went for it, because at the time I had few commitments and dependants that would be affected by the pay cut (i.e. I was young and single :p). So the risk for me was pretty low. [Side note: at the end of the day infosec is all about risk]

As I mentioned before, it was a whole different ball game. The amount of stuff to learn (theory, methodologies, processes, tools, ...) is immense. On top of that, you need to stay up-to-date with the news; as a pentester it is expected of you to know about the latest attacks and vulnerabilities out there. You have to be a sysadmin to know what mistakes sysadmins make. The same goes for devs, network admins, devops, ... You have to know it all. And in an evil way. ;)

Even with all of that, it was incredibly fun! The rush of popping a shell on a target machine, or getting onto a box deep in a network, is something I've not experienced in development. The lows are pretty much report writing, and realising how screwed our society is with its reliance on ICT.

I'm now back in a kick-ass dev job, although still in the infosec space (trying to ease the above mentioned reporting). The primary reason for my return is probably that I never was quite good enough, and after a while I wanted to go back to building rather than breaking. Basically, I've come to realise that I am a dev. I do not regret my time as a pentester at all, since I believe I'm way better off for it.

This was at a great local pentesting company (there are a few), so I don't know how the experience would translate to a banking environment, other than some anecdotes from my pentesting colleagues that came from the banking and accounting industries: it's less exciting at the banks since you're mostly working on the same handful of systems (not a completely different client and/or industry every other week), but the pressure is also less.

What is clearer is that infosec is a whole lot more fun than enterprise software development in the financial/banking sector... and that is probably where your career will stay if you stay a Java dev. If you're happy with that, stick to it. :) Salary-wise I think pentesters are similar to devs, although the scarcity of senior pentesters should push up the upper edge of their salaries considerably. I can't back that up, though.

So in general it looks like cyber security here just refers to pen-testing etc.
You can't pretend the governance side doesn't exist. Unfortunately the companies looking at pen-testers would mostly be corporate based. There's a need to understand the technicality as well as to be able to handle the governance side, after all in most cases you'll be aiming for management positions after a while.

Blackhat conventions are nice, even some of us IS Auditors get to attend, however we are by no means only concerned with just cyber security.

My advice to the OP would be to go into IS auditing if possible and then move into the security field.
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
idk...the cyber experts I've run into thus far talk a big game...but I have a sneaky suspicion that some of them can't code. Like not a single line. Yet it's very buzzwordy at the moment, so the slick PowerPoint crew pitches itself as such.
 

Hamster

Resident Rodent
Joined
Aug 22, 2006
Messages
42,927
idk...the cyber experts I've run into thus far talk a big game...but I have a sneaky suspicion that some of them can't code. Like not a single line. Yet it's very buzzwordy at the moment, so the slick PowerPoint crew pitches itself as such.
The cyber expert the bank got to give us training was nothing more than a script kiddy with Kali Linux :/
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
The cyber expert the bank got to give us training was nothing more than a script kiddy with Kali Linux :/
Yeah, it's sketchy. Though I suppose OP is aiming for something more technical than the whole "consultant w/ PowerPoint" type gig.
 

Hamster

Resident Rodent
Joined
Aug 22, 2006
Messages
42,927
PM me a name please... :p
I can't remember his name. He was a consultant from an external security firm. We all rocked up with our laptops and were given a USB dongle with Kali on it. We booted from it, opened one app and clicked some buttons to brute force attack a server, intercept http requests etc.
 

HavocXphere

Honorary Master
Joined
Oct 19, 2007
Messages
33,155
dongle with Kali on it. We booted from it, opened one app and clicked some buttons to brute force attack a server, intercept http requests etc.
oh snap...straight out of CSI hollywood.

The whole thing is frustrating to me. I'm not in IT either by profession or skill...but I can code enough to, say, do a neural net from scratch or, say, brute force a LAN pass from scratch (at a push). So just enough to know when someone is talking kark.

Problem is...not being in a dev shop = pretty much anyone selling themselves as IT falls into said kark category.
 

[)roi(]

Executive Member
Joined
Apr 15, 2005
Messages
6,282
Some security "experts" aren't
Our security auditor is an idiot. How do I give him the information he wants?

A security auditor for our servers has demanded the following within two weeks:
  • A list of current usernames and plain-text passwords for all user accounts on all servers
  • A list of all password changes for the past six months, again in plain-text
  • A list of "every file added to the server from remote devices" in the past six months
  • The public and private keys of any SSH keys
  • An email sent to him every time a user changes their password, containing the plain text password
We're running Red Hat Linux 5/6 and CentOS 5 boxes with LDAP authentication.

As far as I'm aware, everything on that list is either impossible or incredibly difficult to get, but if I don't provide this information we face losing access to our payments platform and losing income during a transition period as we move to a new service. Any suggestions for how I can solve or fake this information?

The only way I can think to get all the plain text passwords, is to get everyone to reset their password and make a note of what they set it to. That doesn't solve the problem of the past six months of password changes, because I can't retroactively log that sort of stuff, the same goes for logging all the remote files.

Getting all of the public and private SSH keys is possible (though annoying), since we have just a few users and computers. Unless I've missed an easier way to do this?

I have explained to him many times that the things he's asking for are impossible. In response to my concerns, he responded with the following email:

I have over 10 years experience in security auditing and a full understanding of the redhat security methods, so I suggest you check your facts about what is and isn't possible. You say no company could possibly have this information but I have performed hundreds of audits where this information has been readily available. All [generic credit card processing provider] clients are required to conform with our new security policies and this audit is intended to ensure those policies have been implemented* correctly.
....
You can find the full dialog here:
https://serverfault.com/questions/2...ot-how-do-i-give-him-the-information-he-wants
 
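The quoted question turns on one point: a properly run Linux/LDAP login keeps only a salted one-way hash of each password, so the plaintext cannot be produced afterwards, while password-change events can be recorded going forward without ever storing the secret. The Python below is an added illustration of that distinction, not code from this thread or from the serverfault post; the PasswordStore class, its audit log and the PBKDF2 parameters are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Assumed parameters for the demonstration; real systems use crypt(3)/SSHA or
# similar, but the property is the same: a salted, one-way hash is all that is kept.
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$rounds$salt_hex$digest_hex' with a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute from the candidate and compare in constant time; the hash is never inverted."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


class PasswordStore:
    """Hypothetical in-memory account store plus the audit trail an auditor can legitimately ask for."""

    def __init__(self):
        self._hashes = {}
        self.audit_log = []  # who changed what, when, and by whom; never the secret itself

    def set_password(self, user, new_password, actor, when_iso=None):
        self._hashes[user] = hash_password(new_password)
        self.audit_log.append({
            "event": "password_changed", "user": user, "actor": actor,
            "time": when_iso or datetime.now(timezone.utc).isoformat(),
        })

    def check(self, user, password):
        stored = self._hashes.get(user)
        return stored is not None and verify_password(password, stored)

    def changes_since(self, since_iso):
        """Evidence for 'all password changes in the last six months': events, not plaintext."""
        return [e for e in self.audit_log if e["time"] >= since_iso]

    def plaintext_passwords(self):
        """The demand that cannot be met: nothing stored here can be turned back into a password."""
        raise LookupError("only salted one-way hashes are stored; plaintext is unrecoverable")
```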

schuits

Expert Member
Joined
Mar 7, 2013
Messages
1,950
Bank, bank, and bloody bank

Then you are either government, insurance or telecoms. Which is it?

Government? Heck no! Insurance, but going to a financial services client.
Worked at a bank once for previous employer. It's the only time I've gone to my manager and said NO! Never again.

Cyber crime could be an interesting vocation, probably not in SA though.
 

Pho3nix

The Legend
Joined
Jul 31, 2009
Messages
30,589
For cyber security maybe try OSCP.
Want to get around to actually finishing it but my Windows privilege escalation is weak ;_;

https://www.offensive-security.com/...cp-offensive-security-certified-professional/

https://www.reddit.com/r/netsec/

https://www.reddit.com/r/netsecstudents/

This is what the head of department mentioned before he left.
Thanks.

A mini update. Java side was a sure thing so took that for the interim while my security one is being looked at. Hoping for the best but let's see how everything goes.
 

Shellyb1

Expert Member
Joined
Jun 23, 2011
Messages
1,454
This is what the head of department mentioned before he left.
Thanks.

A mini update. Java side was a sure thing so took that for the interim while my security one is being looked at. Hoping for the best but let's see how everything goes.

Why did the HoD leave?
 