1

I want to be a security researcher, but I can't find a fixed set of syllabus or sets of skills you need to know before hand in order to be called a security researcher.

It's very unambiguous, Is it that you have to a very good coder so you can write very complex algorithms or is it that you need to know a good amount of Assembly language or you need to know how to debug a kernel ?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Arif
  • 39
  • 2
  • it all depends on what you want to research .... I'm not kidding. Security is a vast field with many facets. What do you want to *research*? – schroeder Oct 13 '17 at 21:31
  • It's true that it's a vast field, that's my concern that how can I be a Security Researcher in OS for eg. without knowing Networking,cryptography ..etc For me, it looks like all is intertwined and finding exploits in OS is a tedious job and I don't know a fixed set of skills required for it. – Arif Oct 13 '17 at 21:32
  • 3
    As an OS researcher, do you need to be an expert on crypto? No. Do you need to be an expert on how that OS handles crypto? Yes. Do you need to be an expert in networking? No. Do you need to understand how that OS handles networking? Yes. Do you see where I'm going? You learn what you need to. – schroeder Oct 13 '17 at 21:39
  • 1
    And no, there are no set skills. You call yourself a 'researcher' when you have found something, not when you have a certain mix of skills. – schroeder Oct 13 '17 at 21:42
  • I get the picture, but is there anything like `Full stack developer` in Security Realm ? – Arif Oct 13 '17 at 21:46
  • 2
    Short answer: no – schroeder Oct 13 '17 at 22:01
  • The definition of full stack developer also depends on what type of technology you're working on. The skills required for a full stack web developer are different than those for a full stack desktop application developer. – Dan Landberg Oct 13 '17 at 22:01
  • So, we can say that the different Titles as Security Researcher in OS which is further divided in Servers,Desktops,Mobile OS ? And judging by the amount of information needed to find exploit is too deep, I do not understand that how a security researcher in OS would find exploit without knowing the inner workings of a particular OS which has NO to Obfuscated documentation. And I think the answer is in the title of the Job, you are hacker, you have to find ways with snippets of info here and there in developer's QA,blogs,other research findings etc.. – Arif Oct 13 '17 at 22:09
  • 2
    Possible duplicate of [How would one go about becoming a Security Researcher](https://security.stackexchange.com/questions/33064/how-would-one-go-about-becoming-a-security-researcher) – JOW Oct 13 '17 at 23:43

1 Answers1

3

Just do it.

If you want to become an Independent Security Researcher, you can. You can start now. Don't get hung up on whether or not you have the skills for it, just DO IT! The best time to plant a tree was 20 years ago. The second best time is now.

You have plenty of time to learn, and you will learn a lot in your journey.

JUST DO IT, ARIF!

Q&A Session

I want to be a security researcher, but I can't find a fixed set of syllabus or sets of skills you need to know before hand in order to be called a security researcher.

Like Schroeder says, once you've found something, you can start calling yourself an Independent Security Researcher. I'll take that a step further: once you get started, you are one. Whether or not you'd be successful, and whether or not you get paid for it, are both entirely different subjects.

  1. What value are you providing as an Independent Security Researcher?
  2. Are people willing to pay for your research, or are you happy to just do it?

It's very unambiguous, Is it that you have to a very good coder so you can write very complex algorithms or is it that you need to know a good amount of Assembly language or you need to know how to debug a kernel ?

Did you know a lot of Information Security experts are non-technical? No, really. This field is huge. You don't need to be overly technical, depending on what you want to work with.

Privacy & compliance is a huge field which doesn't require you to be technical. Even though people in this area aren't generally technical, I have tremendous respect for the individuals that I've worked with in this sub-specialty.

"Coding" and Assembly

If you're a good coder, Application Security would be a good fit, as would creating security-based programs. There's a lot of other things you can do as well. This is one area of the field with many sub-specialties.

If you want to reverse engineer programs, do malware analysis, or search for vulnerabilities and then create PoCs, then assembly is very useful (as is any language you want to create the exploit in). This is one area with many sub-specialties.

Full Stack Security Engineer? Nope.

Schroeder is right about there not being a "Full Stack Security Engineer." I say this despite dabbling in over 20 different sub-specialties in the Cyber Security "field."

I've got a lot of experience, but there's so much I don't know, and so much I'm lacking. There's no way in hell I'd try to sell myself as a Full Stack Security Engineer.

Mark Buffalo
  • 22,508
  • 8
  • 74
  • 91
  • 1
    +1. Great answer. Just start and see what takes your fancy, join hacker one and bugcrowd - see if you like web app research, if not why not not take apart a mobile app or install a packet analyser on your phone and see what's happening. Start looking at OS source, see if it interests you. – iainpb Oct 14 '17 at 10:29
  • how security research find malware?? how detect that system has infected?? – AminM Jul 13 '18 at 13:44