Breaking in to Security - Interim Summary
First, if you don't know what this summary is for, I suggest you go and read the project introduction at Breaking In Part 1 then come back and look at the great responses I've had so far.
For the rest of you, I'd like to say a huge thanks to everyone who has supported this project so far. The blog had over 1000 hits in the first day and within a week I've had over 200 responses to the survey. I'm hoping to be presenting my findings at BSides London in April so there is still plenty of time to answer the survey if you haven't already.
I'd also like to thank the people who have come to me privately suggesting other resources I should be looking at as part of this research. I'm compiling it all and will be going through it to pull out the juicy nuggets.
Seeing as I've got some really good stats so far, I thought I'd give you a teaser of some of them. First off, certifications: are they important, and if so, which ones should people be looking at?
Are certifications useful? | Count | Percentage |
---|---|---|
Yes - but only to get through HR | 102 | 48% |
Yes | 99 | 47% |
No | 11 | 5% |
A resounding yes, but interestingly a fifty-fifty split on whether they are useful only to get you through HR or actually useful in general.
Those who answered yes were asked to say which ones they thought were important. People could select multiple options so the numbers do not add up to 100%.
Answer | Count | Percentage |
---|---|---|
SANS/GIAC | 135 | 70% |
CISSP | 129 | 67% |
Offensive Security (PWB, AWE etc) | 57 | 30% |
EC-Council (CEH etc) | 51 | 26% |
CompTIA (Security+ etc) | 46 | 24% |
Other | 40 | 21% |
Vendor specific | 37 | 19% |
CHECK Team Leader (CREST/Tiger Scheme) | 24 | 12% |
CHECK Team Member (CREST/Tiger Scheme) | 23 | 12% |
Looks like SANS/GIAC and CISSP are by far the two most popular options, with CHECK coming in at the bottom, but seeing as CHECK is a UK exam this is understandable.
It would be nice to know the breakdown of which SANS courses people were thinking about when they answered, as SANS covers everything from intro bootcamps through security management to hardcore low-level technical courses.
And now: is programming important, and if so, which language? Here are the results so far.
Do you have to be able to program to be a pen-tester? | Count | Percentage |
---|---|---|
No, but it helps | 126 | 59% |
Yes | 64 | 30% |
Other | 13 | 6% |
Don't know | 7 | 3% |
No | 5 | 2% |
The consensus here is that you don't have to be able to program, but it definitely helps. I've not had a chance to look through what the people who ticked "Other" had to say yet, so I'll see what comes out of that for the final report.
Which language? A question always ready to start flame wars when asked on mailing lists.
If so, which would you recommend? (No flame wars please) | Count | Percentage |
---|---|---|
Python | 166 | 81% |
Bash Scripting | 163 | 80% |
Ruby | 90 | 44% |
C | 85 | 41% |
PHP | 79 | 39% |
Windows Powershell | 78 | 38% |
Batch Scripting | 78 | 38% |
Other | 58 | 28% |
C++ | 47 | 23% |
Java | 46 | 22% |
C# | 21 | 10% |
VB | 20 | 10% |
Lua | 18 | 9% |
I'm going to leave it at this and not comment; I'm sure that others will make enough comments on this.
I'll be going through the full results over the next few days. If I spot anything really interesting I'll do another post or tweet it out.
If you've not already participated, there is still plenty of time to express your views. Go to the questionnaire.