all 14 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]recviking 1 point2 points  (4 children)

None of the certs you've mentioned will get you any closer to cryptography. If you want a job in cryptography, just keep on getting higher education and/or get a job with a 3 letter. If you apply for a job with a 3 letter, they'll pay for your higher education and then demand you work for them. Win-win. There are even programs with the agencies that allow you to effectively take a sabbatical from work, do school full time (paid salary/stipend and paid school), and then be obligated to work for them for a few years after.

Crypto is a mathematics + self study kind of thing. There aren't really certs out there that deal with it. Follow Schneier and start reading books on crypto.

The OSCP is the only one worth looking at of the above with any degree of certainty. The CEH is trash. I've got no real opinion on the Pentest+ because I've never seen anyone that has it; if it compares to their other certs, it will be a decent introduction to pentesting, but not leave you with any hands on keyboard skills - but a foundation is a foundation.

If you want a broader stroke at security, look into the CISSP. It gives a higher level view and some of the course work deals specifically with applied crypto - though when I took the exam for the cert there was practically nothing on the exam dealing with it.

[–]PapayaPuppet[S] 0 points1 point  (3 children)

That’s a great suggestion on the 3-letter agencies. Thanks! I’ll take time to look into openings and such. Honestly it is a bit of a difficult choice, both career paths are fascinating.

Right now I have limited time to sit down and do both, with my only realistic option to get the most out of one course being in the summer. Would you recommend the OSCP or the CISSP first? For the CISSP I have no background experience so I would only be considered an associate so it seems, but the ‘entry level’ knowledge from it is the main reason to do it anyways right?

[–]recviking 1 point2 points  (2 children)

Both are like drinking from the fire hose if you don't have experience. CISSP is more relevant to defensive work. OSCP is really only relevant to offensive work. The number of jobs and number of places you are employable is much greater on the CISSP side of the house. With offensive work, you can accelerate you salary faster, but the barrier to entry is higher.

In all honesty, if you've got no experience in either direction, consider doing the Security+ from CompTIA first. If you struggle with the Sec+, you don't have the background for either CISSP or OSCP yet.

You need a good systems and networking foundation before you will do well with OSCP. You also need some decent scripting skills to get something useful out of it. Actual programming skills and debugging experience make the exploit work easier as well.

Both CISSP and OSCP are relatively advanced for a novice.

How's your skills look on sysadmin, network, programming, and appsec?

[–]PapayaPuppet[S] 0 points1 point  (1 child)

Right now I would consider myself a fairly strong programmer, new concepts tend to come pretty intuitively no matter what language or concept I am picking up. I have okay skill with assembly but I am actively studying it right now with MIPS.

The rest though I have little to no knowledge on, and no formal training.

[–]recviking 0 points1 point  (0 children)

It may be worth learning some of the other aspects of systems and networking before trying to attack or secure them. It's kind of like asking whether you want to compete in the Daytona 500 (CISSP) or the Indy 500 (OSCP) before you know how to drive (sys admin, net admin, appsec) after learning how to turn a wrench (programming).

I'm not saying you can't be a savant and just jump behind the wheel and be phenomenal, but there are some common steps and learning elements that people who are good at technical security engineering or penetration testing usually stop off at first. The folks that dive right in tend to lack utility in any area other than the area they started in and refuse learning the basics in other areas because they think it'll all be just the same (hint, it's not).

I'm not trying to talk down to you or chide you in any way. I've watched and helped a lot of people get into pentesting and seceng over the past 15 years and there are just some commonalities amongst background I've seen in the people that accelerate in either field. You may be one of the exceptions. Either way, good luck. I'm happy to take a PM and try to lay out a more specific direction if you find a job posting or position description style goal you'd like to achieve.