I do now as a consultant by selling bugs, and the level of risk I’d have to assume would be much higher.

BK: How useful is fuzzing in helping researchers understand and devise new attack techniques? Would you recommend fuzzing as a learning method, or is this an approach that only the learned and advanced researchers are likely to get mileage from?

Miller: Every researcher should at least have fuzzing in their tool chest. It doesn’t take much skill to do it and it is usually the quickest way to get started looking for bugs. I’ve been doing it a long time, and someone just starting would probably already be 80-90% as effective as I am. Of course in the end, you always have to understand the target, whether it is to look for bugs or to figure out crashes, but fuzzing is a quick and easy way to start and at least can limit the amount of the target you need to understand.

Some fuzzing tips:
Start simple, add protocol knowledge/complexity as needed.
Use multiple (types of) fuzzers for every job.
Use “template reduction” when dumb fuzzing.
Don’t forget to monitor your device for crashes; if you can’t tell when something goes wrong, fuzzing is a waste of time.

BK: What has been the single most valuable learning tool for you in your work?

Miller: I don’t know. I use tools, like , and various fuzzers, and friends, etc. But I wouldn’t say any of those are learning tools per se, but they are definitely tools of the trade you have to be able to know if you want to understand the flaws found in low level native code. (or equivalents for Windows like , etc) You need to be able to use those tools without thinking about them in order to show off your real skills.

BK: What about programming languages? Do you recommend any specific ones?

Miller: Well, I really do a lot of reverse engineering and binary analysis, which is unusual. For me, it’s important to know C/C++ because it is a language that allows you very low level access to memory and most closely equates to what you see in native code.
However, for those starting out, it probably makes more sense to learn some languages more useful for web applications, like PHP or Java or something. The majority of jobs I come across in application security are web applications, so unless you’re a dinosaur like me, you probably want to become a web app expert. Web application security is a lot easier to get started in as well. There are a lot of vulnerable web sites out there and with very few exceptions, we haven’t seen the effort put into making web application exploits (, , etc) harder like we have with memory corruption exploits.

BK: In your own experience, did you run into any dead-ends, avenues you wouldn’t have spent so much time going down if you had to do it all over again?

Miller: Luckily, I didn’t waste much time on it, but one thing I’ve learned is that for the types of things I am interested in, certifications aren’t that useful for those looking for a job except to demonstrate very basic understanding of the subject. I have two certs, a CISSP and a GCFA. I was required to get the CISSP for a job I had at the time and, while I did expand my breadth of knowledge (I know how tall fences should be, etc), I don’t think having a CISSP would particularly attract me to a candidate applying to work with me. I got the GCFA because I was interested in forensics, but even though I earned it, I’d never want me working on a forensics job because I only have a hobbyist’s level of understanding of the field.

Otherwise, everything in this field is a dead end. You either never find the vulnerabilities you’re looking for, or you do and they get patched. Nothing in information security is forever; things change, and you have to be able to roll with that.

BK: Can you talk about the importance of cultivating certain traits as an employee/hacker/researcher in this space? E.g., patience, persistence, resourcefulness, lateral thinking.
I realize some of these come more naturally to some than to others, but there seem to be a set of traits common among many in this industry who do well, and those that I mentioned, in addition to perhaps “curiosity”, tend to go a long way. I’d be interested in your perspectives here.

Miller: Information security, as a field, is pretty hard and demanding. For any field of that kind, you have to be pretty passionate and really love what you’re doing to be effective. Otherwise, you won’t be able to put in the time and effort necessary to be successful, at least not in the long term. It is really hard to measure this quality as an employer, but ask yourself if you’d still be looking for vulnerabilities if you were a millionaire. I still would, although it’d be from a beach somewhere, so I know I’m in the right place.

Speaking of employers, information security is tough to get into because it is hard to evaluate a candidate on their expertise in a few hours. You can’t just look at where a candidate went to school to know if they’re good. This is why it is important as a job seeker to have a “portfolio” which highlights your skills, like projects you’ve worked on, vulnerabilities you’ve found, talks you’ve given, etc. This will help separate you from everyone else.

BK: What do you think is the best way to build that portfolio?

Miller: In this field, certificates and diplomas don’t necessarily indicate skill. Only skill indicates skill, and it’s hard to measure skill. I think of it as an artist or architect trying to get a job. It is less important what school an architect went to than all of the plans and drawings they can show off. This was the problem I had coming out of NSA. I had nothing to point to that indicated I knew what I was talking about. I think the best way to build up one’s portfolio is a combination of CVEs (bugs found) and research (measured in talks given).
If I see a resume with a bunch of impressive CVEs and a bunch of talks given at major conferences, it will definitely catch my attention.

This entry was posted on Tuesday, August 7th, 2012 at 2:52 pm.