Breaking Into Cybersecurity with Open Source

Introduction

People often ask me how I got started in the field of cybersecurity. Well, I have a bachelor’s degree in electrical engineering and a master’s degree in cybersecurity, and I was in the right place at the right time. In other words, “hard work, student loans, and a touch of luck.”

The thing is, no one is really asking me how I got started; they want to know how they can get started. For most people, “pursue a graduate degree and cross your fingers” isn’t helpful advice. In fact, having been down that road, I don’t even think it’s the best advice¹. Instead, I’ve started to recommend that individuals gain cybersecurity skills and experience by participating in open source projects. It still requires hard work (anything worth doing does), but it skips the expense, is accessible to everyone, and in my opinion, is a better way to develop and demonstrate the skills that are necessary to succeed in the cybersecurity industry².

Millions of Unfilled Jobs (But No Opportunity)

Lots and lots of people are interested in pursuing a career in cybersecurity. College students and IT professionals frequently ask me how they can get started in cybersecurity. Internet forums are littered with people asking about what certifications are valuable, what steps they should take to work towards a career in cybersecurity, what schools they should go to, and so on. There are entire subreddits I no longer read because they were, at least at one time, inundated with people asking some variant of the question, “How can I start a career in cybersecurity?”

In spite of all of this interest, there are myriad unfilled jobs in cybersecurity. According to the Center for Strategic & International Studies, there are 314,000 unfilled cybersecurity jobs in the United States as of January 2019 [1]. The shortage of cybersecurity professionals is not going away. By 2021, there are expected to be 500,000+ unfilled jobs in the U.S. and 3.5 million unfilled jobs globally [2].

The Skills Gap

This contradictory state of affairs, where there are unfilled jobs even though candidates are eager to fill them, has been referred to as the “cybersecurity skills gap.” While there is some debate over the root cause of the skills gap, I believe it can be effectively summarized like this:

Companies are looking for people who already have real-world, hands-on experience. As a result, there are very few entry-level cybersecurity positions. This makes it difficult to “break in” to cybersecurity and acquire a basic skill set, resulting in a skills gap.

Traditionally, the industry has relied upon universities and other educational institutions to train the workforce, but educational entities have been largely ineffective at bridging the skills gap. Whereas a thorough understanding of cybersecurity requires practical, hands-on experience, educational organizations tend to focus on books and theory. Job seekers may graduate from cybersecurity programs with a lot of knowledge but still lack the practical skills and experience to be effective in the workforce.

As a cybersecurity professional who has a master’s degree in cybersecurity, believe me when I tell you that companies do not need more people with degrees or certifications in cyber/information security; companies need people with practical security skills who can be effective in their jobs on day one.

Bridging the Skills Gap with Open Source

If you need a job to get experience but can’t get a job without experience, how can you bridge the cybersecurity skills gap? Open source software provides a novel opportunity to gain industry-relevant experience because open source communities give everyone the opportunity to participate. Open source software projects allow their source code to be viewed, redistributed, and modified by everyone. This gives aspiring security professionals the opportunity to modify code, conduct tests, discover vulnerabilities, submit bug reports, write documentation, or perform any number of other tasks that are required during the software development life cycle. In other words, becoming an active member³ of an open source project is a good way to gain real-world experience and bolster your résumé.

Unlike when you apply for a job, nobody asks for your résumé when you submit a bug fix or updated documentation to an open source project. Your work is judged solely on its own merit. As a result, you can contribute to an open source project with no degrees, certifications, or prior professional experience. If you become an active member of a security-relevant open source project, you can bridge the skills gap without an entry-level job in cybersecurity.

By participating in security-focused open source projects, you can build skills that are relevant to the kind of job you want to have. Just pick a project that aligns with your interests and get started! If you’re interested in network security, consider contributing to projects like Wireshark, Suricata, or Nmap. Are you interested in operating system security? Consider contributing to the Kernel Self Protection Project or get involved with the security team of your favorite Linux distribution. People with an interest in malware analysis or reverse engineering should consider resolving bugs and other issues in radare2. If you’re interested in penetration testing or exploit development, you could contribute to projects like Metasploit. As you can see, for whatever security-related topic interests you, there’s a related open source project to which you can contribute.

Becoming an active participant in an open source project can benefit you in the following ways:

  1. You’ll gain in-depth knowledge about the software and the domain in which it’s commonly used. Additionally, you’ll get practical experience using that software.
  2. You’ll be able to list your accomplishments on your résumé, demonstrating that you have real, hands-on experience and valuable skills.
  3. Depending on the depth and extent of your contributions, prospective employers may view you as a subject matter expert.
  4. The people interviewing you for your dream job probably use the open source project to which you contribute. They may feel a sense of gratitude towards you for maintaining software that they use every day.
  5. Some open source projects are backed by corporations and have dedicated security teams. By becoming a community member of a project’s security team, you’ll make yourself a very attractive candidate if a security job opens up at the corporation backing that project.
  6. Your contributions will demonstrate that you’re a self-starter and a team player, two qualities (or buzzwords) that appear in most tech-related job postings.
  7. Contributing to an open source project shows that you are autodidactic, which is a quality that is essential to success in the technology industry.

Conclusion

So, this is my challenge to you: Don’t just get your foot in the door; kick down the door. Don’t sit around hoping to get lucky or studying theory out of books. Don’t expect someone to overlook your lack of experience and offer you a job because of your charm and charisma. Create your own internship and gain the skills you need by actively participating in an open source project.

References

  1. https://www.csis.org/analysis/cybersecurity-workforce-gap
  2. https://www.csoonline.com/article/3200024/cybersecurity-labor-crunch-to-hit-35-million-unfilled-jobs-by-2021.html

Footnotes

  1. Everyone has a different opinion about how to get started in cybersecurity. This article is not suggesting the only path; rather, what I believe is a very effective path, with minimal financial outlay. It is based on my opinion and anecdotal evidence.
  2. This post describes an approach for acquiring new skills and improving your résumé by contributing to open source projects. It specifically discusses why this is useful for people looking to break into infosec but could just as easily be written about machine learning, big data, or a number of other IT topics.
  3. When I suggest you contribute to an open source project, I’m not suggesting you pick a project and fix one or two bugs. I’m suggesting you establish yourself as an active member of a community who regularly participates in that community’s activities.