如何在面试时保持冷静_如何保持冷静并成为安全工程师-CSDN博客

如何在面试时保持冷静

In January, I was invited by Flatiron School London to give a talk on how I switched careers from Business consulting to the Tech industry.

一月份，我受伦敦熨斗学校邀请，就我如何将职业从商业咨询转向技术行业进行了演讲。

They’ve also interviewed me on how to become a Security Engineer. I wanted to share it with everyone :-)

他们还就如何成为一名安全工程师采访了我。我想与大家分享：-)

您何时开始编码？ (When did you first start coding?)

My first experience with computers and programming was with a Sakhr AX-170 MSX in the mid 80s when I was in Saudi Arabia. It was really raw as there was no feedback from the machine and it would require me to go through dry computer books to learn more. The language was BASIC. This was also my first experience with video games and Konami games.

我最初的计算机和编程经验是在80年代中期，我在沙特阿拉伯期间使用Sakhr AX-170 MSX。这真的很原始，因为没有来自机器的反馈，这需要我仔细阅读计算机书籍以了解更多信息。语言是BASIC。这也是我第一次玩电子游戏和Konami游戏。

After that I continued to dabble with coding and different programming languages such as XHTML, CSS, HTML 4.0, ECMASCRIPT 3 and PHP (MAMP tech stack). I was creating simple static websites on video games or playing with the CSS on MySpace.com.

之后，我继续涉猎编码和不同的编程语言，例如XHTML，CSS，HTML 4.0，ECMASCRIPT 3和PHP(MAMP技术堆栈)。我在视频游戏上创建简单的静态网站，或者在MySpace.com上使用CSS玩。

您需要具备哪些资格才能获得安全保障？ (What qualifications do you need to get into security?)

It all depends on which branch of Cyber Security you want to work in. Some people have a Computer Science degree or certifications, and others are self taught.

这完全取决于您想在哪个网络安全部门工作。有些人拥有计算机科学学位或证书，而另一些人则是自学的。

There are several well-recognised and respected certifications for security professionals from organisations like (ISC)², ISACA or the SANS Institute.

(ISC)² ， ISACA或SANS Institute等组织为安全专业人员提供了几项广受认可和尊重的证书。

Cybersecurity and IT Security Certifications and Training | (ISC)²Prove you're a leader in your field with our globally recognized cybersecurity certifications. Help make the cyber…www.isc2.org

网络安全和IT安全认证和培训| (ISC)² 通过我们全球认可的网络安全认证证明您是该领域的领导者。 帮助建立网络…… www.isc2.org

Information Technology - Information Security - Information Assurance | ISACAISACA® is a nonprofit, independent association that advocates for professionals involved in information security…www.isaca.org

信息技术-信息安全-信息保障| ISACA ISACA®是一家非赢利，独立的协会，倡导专业从事信息安全... www.isaca.org

Information Security Training | SANS Cyber Security Certifications & ResearchSANS Institute is the most trusted resource for information security training, cyber security certifications and…www.sans.org

信息安全培训| SANS网络安全认证和研究 SANS研究所是信息安全培训，网络安全认证和……的最受信任的资源 。www.sans.org

The CompTIA is another great organisation where you can learn more about IT fundamentals, networks, cloud, linux, servers and security with different tracks for each profile.

CompTIA是另一个很棒的组织，在这里您可以了解有关IT基础知识，网络，云，Linux，服务器和安全性的更多信息，并且每个配置文件都有不同的途径。

CompTIA Security+ CertificationCompTIA Security+ sets the standard for best practices in IT security and risk management.certification.comptia.org

CompTIA Security +认证 CompTIA Security +为IT安全和风险管理的最佳实践设定了标准。 certificate.comptia.org

You can find some good MOOCs on Udacity, Coursera or edX.

您可以在Udacity，Coursera或edX上找到一些不错的MOOC。

Introduction to Cybersecurity | UdacityExplore the fundamental building blocks of cybersecurity.eu.udacity.com

网络安全简介| Udacity 探索网络安全的基本组成部分。 eu.udacity.com

If you are more interested in penetration testing, the Offensive Security Certified Professional would be a great certification to have.

如果您对渗透测试更感兴趣，那么“ 进攻安全认证专家”将是一个很好的认证。

Offensive Security Certified ProfessionalOffensive Security Certified Professional (OSCP) is the certification for Penetration Testing with Kali Linux, the…www.offensive-security.com

进攻性安全认证专家 进攻性安全认证专家(OSCP)是通过Kali Linux( www.offensive-security.com )进行渗透测试的认证。

You can also become the Security Champion of your team. This is what I did in my company. You can start in the development team and act as the Security Champion.

您也可以成为团队的安全冠军。这就是我在公司所做的。您可以从开发团队开始并担任安全冠军。

Security Champions Playbook - OWASPAccording to OWASP definition, Security Champions are "active members of a team that may help to make decisions about…www.owasp.org

安全拥护者手册-OWASP 根据OWASP的定义，安全拥护者是“可能在以下方面做出决策的团队的积极成员： www.owasp.org

You will be an active member of the team and may help make decisions about when to engage with the Security Team. You’ll act as the voice of security for a given product, feature or team, and assist in the triage of security bugs.

您将成为团队的积极成员，并可以帮助您决定何时与安全团队互动。您将充当给定产品，功能或团队的安全性代言人，并协助对安全性漏洞进行分类。

You can help implement an AppSec pipeline, raise tickets on JIRA and write some documentation on the Wiki or Confluence. You can collaborate within the network of Security Champions, attend meetings, be the go-to person, ensure security is not a blocker, get some training and help with QA and testing.

您可以帮助实现AppSec管道，在JIRA上获得票证并在Wiki或Confluence上编写一些文档。您可以在Security Champions网络中进行协作，参加会议，成为专家，确保安全性不会受到阻碍，可以接受一些培训并提供有关QA和测试的帮助。

Once you have the experience and if you’re interested in the industry, you can engage with your Security Team and try to make the move within your company, then get more experience and certifications as you go.

一旦有了经验，如果您对这个行业感兴趣，就可以与您的安全团队合作，并尝试在公司内部采取行动，然后获得更多的经验和认证。

A good start for the developers would be the Open Web Application Security Project (OWASP) where they will find everything related to software security.

对于开发人员来说，一个良好的开端将是开放Web应用程序安全项目 (OWASP)，他们将在其中找到与软件安全性相关的所有内容。

Usually developers might be familiar with the OWASP Top 10 Most Critical Web Application Security Risks, which is a good start

通常，开发人员可能熟悉OWASP十大最关键的Web应用程序安全风险，这是一个好的开始

Category:OWASP Top Ten Project - OWASPThe OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about…www.owasp.org

类别：OWASP十大项目-OWASP OWASP十大功能是一个功能强大的Web应用程序安全意识文档。 它代表着关于……的广泛共识 。www.owasp.org

It is worth having a look at other projects like the OWASP Top Ten Proactive Controls, which is a list of security techniques that should be included in every software development project. There’s also the OWASP Application Security Verification Standard (ASVS) Project, which provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.

值得一看的还有其他项目，例如OWASP十大主动控制，这是每个软件开发项目中都应包括的安全技术列表。还有一个OWASP应用程序安全验证标准(ASVS)项目，该项目为测试Web应用程序技术安全性控制提供了基础，还为开发人员提供了安全开发的要求列表。

OWASP Proactive Controls - OWASPThe OWASP Top Ten Proactive Controls 2018 is a list of security techniques that should be included in every software…www.owasp.org

OWASP主动控件-OWASP OWASP十大主动控件2018是每个软件中都应包含的安全技术列表... www.owasp.org

OWASP Application Security Verification Standard Project - OWASPThe primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the…www.owasp.org

OWASP应用程序安全验证标准项目 -OWASP OWASP应用程序安全验证标准(ASVS)项目的主要目的是规范……的应用范围 。www.owasp.org

You can join their local meetup in your city or their slack channel, and everyone is free to participate in their project. This could be a good starting point in contributing to an open source project and a great item to have on your CV and GitHub profile.

您可以参加他们在城市或闲暇频道中的本地聚会，每个人都可以自由参加他们的项目。这可能是为开源项目做贡献的良好起点，也是在简历和GitHub个人资料中拥有的一个好项目。

OWASP LondonOWASP (The Open Web Application Security Project) is a worldwide not-for-profit organisation focused on improving the…www.meetup.com

OWASP伦敦 OWASP(开放Web应用程序安全项目)是一个全球性的非营利组织，致力于改善网站的安全性 。www.meetup.com

I would also recommend to install Virtual Box and spin up a Kali Linux Box to get familiar with the suite of tools that professionals are using.

我还建议安装Virtual Box并启动Kali Linux Box，以熟悉专业人员使用的工具套件。

Our Most Advanced Penetration Testing Distribution, Ever.Home of Kali Linux, an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking…www.kali.org

我们有史以来最先进的渗透测试产品。 Kali Linux的所在地，一个高级渗透测试Linux发行版，用于渗透测试，道德黑客…… www.kali.org

You can then practice your hacking skills legally on some websites, CTFs (Capture The Flag) and Wargames like hackthebox, pwnable.kr, OWASP Webgoat, or the OWASP Juice Shop Project.

然后，您可以在某些网站，CTF(Capture The Flag)和Wargames(例如hackthebox， pwnable.kr ，OWASP Webgoat或OWASP Juice Shop Project)上合法地练习黑客技巧。

There are a lot of websites and CTFs available to practice. Don’t be afraid to try and fail, you will learn a lot through the process.

有很多网站和CTF可以练习。不要害怕尝试失败，您会在整个过程中学到很多东西。

Hack The Box :: Penetration Testing LabsAn online platform to test and advance your skills in penetration testing and cyber security. Join today and start…www.hackthebox.eu

Hack The Box ::渗透测试实验室 一个在线平台，用于测试和提高您在渗透测试和网络安全方面的技能。 立即加入并开始… www.hackthebox.eu

OWASP Juice Shop Project - OWASPPwning OWASP Juice Shop is the official companion guide for this project. It will give you a complete overview of the…www.owasp.org

OWASP果汁商店项目 -OWASP所有权OWASP果汁商店是该项目的官方配套指南。 它将为您提供有关……的完整概述 。www.owasp.org

If your company has a training budget, you could try to get a subscription for your team for platforms like Immersive Labs, Avatao or Secure Code Warrior to have hands on experience through online labs.

如果您的公司有培训预算，则可以尝试为自己的团队订阅Immersive Labs，Avatao或Secure Code Warrior等平台，以通过在线实验室获得经验。

Cyber learning reimagined | Immersive LabsImmersive Labs is the world's most advanced cyber skills development platform. We are the cyber skill experts, helping…immersivelabs.co.uk

重新构想网络学习| Immersive Labs Immersive Labs是世界上最先进的网络技能开发平台。 我们是网络技能专家，可以帮助... immersivelabs.co.uk

Secure Code Warrior | Learn secure software developmentSecure your code from the start with gamified, scalable online security training for software developers.securecodewarrior.com

安全代码战士| 学习安全的软件开发 通过面向软件开发人员的游戏化，可扩展的在线安全培训，从一开始就保护您的代码。 securecodewarrior.com

Finally you can register on crowdsourced cybersecurity platforms like BugCrowd or HackerOne where you will join a pool of security researchers, try to find bugs/vulnerabilities on commercial websites, and get paid for it. Depending on the company, you can get simple kudos or a sticker up to good monetary rewards if the vulnerability found is critical.

最终，您可以在众包的网络安全平台(例如BugCrowd或HackerOne)上注册，您将在其中加入一群安全研究人员，尝试在商业网站上查找错误/漏洞并为此付费。如果发现的漏洞很严重，根据公司的不同，您可以获得简单的荣誉或贴纸，以获得丰厚的金钱回报。

Bugcrowd | #1 Crowdsourced Cybersecurity PlatformWith a powerful platform and team of experts, Bugcrowd connects organizations to a global crowd of trusted security…www.bugcrowd.com

Bugcrowd | ＃1众包的网络安全平台 Bugcrowd拥有强大的平台和专家团队，可将组织与全球范围内的受信任安全性联系起来... www.bugcrowd.com

Bug Bounty - Hacker Powered Security Testing | HackerOneHackerOne develops bug bounty solutions to help organizations reduce the risk of a security incident by working with…www.hackerone.com

Bug赏金-黑客支持的安全性测试| HackerOne HackerOne开发错误赏金解决方案，通过与……合作，帮助组织降低安全事件的风险。

您会给我们的学生什么建议？ (What advice would you give to our students?)

Set goals and be really disciplined. There’s always something new to learn in this industry as it is constantly evolving and fast-paced. Companies need to address the cyber skills shortage, so there is a lot of demand.

设定目标并严格遵守纪律。随着行业的不断发展和快速发展，在这个行业中总会有一些新的东西要学习。公司需要解决网络技能短缺的问题，因此需求量很大。

The same tips for the Tech industry can apply to Cyber Security. Blogs are a great resource to learn more on application security, network security, threat modeling, incident/response, security operations center, red/blue/purple teaming, etc.

针对技术行业的相同技巧可以应用于网络安全。博客是了解有关应用程序安全性，网络安全性，威胁建模，事件/响应，安全操作中心，红色/蓝色/紫色分组等的重要资源。

Follow the organisations and the people involved in this industry on Twitter. This is the best way to get the latest news, breaches, white papers, reports, events, conferences, meetups, etc.

在Twitter上关注该行业的组织和人员。这是获取最新新闻，漏洞，白皮书，报告，事件，会议，聚会等的最佳方法。

YouTube has also great channels to follow (Troy Hunt, Security Weekly, LiveOverflow, HackerSploit, IppSec, IT Dojo, OWASP, DevSecCon, BugCrowd, HackerOne, AWS, etc.).

YouTube还有很多值得关注的渠道(Troy Hunt，《安全周刊》，LiveOverflow，HackerSploit，IppSec，IT Dojo，OWASP，DevSecCon，BugCrowd，HackerOne，AWS等)。

LiveOverflowjust a wannabe hacker... -=[ ❤️ Support me ]=- Patreon per Video: https://www.patreon.com/join/liveoverflow YouTube…www.youtube.com

LiveOverflow 只是一个 想要 成为黑客的人...-= [❤️支持我] =-每个视频都有Patreon：https://www.patreon.com/join/liveoverflow YouTube… www.youtube.com

HackerSploitAbout HackerSploit HackerSploit is a Cybersecurity training and consulting company that specializes in: Cybersecurity…www.youtube.com

HackerSploit 关于HackerSploit HackerSploit是一家网络安全培训和咨询公司，专门从事以下方面的工作：网络安全… www.youtube.com

IppSecYou probably know about my channel. Here's a bunch of other content I enjoy. Patreon Pages of Cool People…www.youtube.com

IppSec 您可能知道我的频道。 这是我喜欢的其他内容。 酷人的Patreon页面… www.youtube.com

IT DojoIT Dojo is an IT Training and Consulting company that has a primary focus on cybersecurity, information assurance, and…www.youtube.com

IT Dojo IT Dojo是一家IT培训和咨询公司，主要致力于网络安全，信息保证和…… www.youtube.com

DevSecConDevSecCon is a conference that features talks and workshops about DevSecOps - a new approach that thrives to embed…www.youtube.com

DevSecCon DevSecCon是一个会议，以关于DevSecOps的讲座和讲习班为特色，DevSecOps是一种新兴的可嵌入的方法…… www.youtube.com

BugcrowdLearn more about security, testers, and the bug bounty through Bugcrowd's official YouTube Channel. Bugcrowd provides…www.youtube.com

Bugcrowd 通过Bugcrowd的官方YouTube频道了解有关安全性，测试人员和bug赏金的更多信息。 Bugcrowd提供… www.youtube.com

HackerOneHackerOne is the no.1 bug bounty and vulnerability disclosure platform, connecting organizations with the world's…www.youtube.com

HackerOne HackerOne是 排名 第一的Bug赏金和漏洞披露平台，它将组织与世界各地的企业建立联系。www.youtube.com

Join meetups where you can get more insights. OWASP and ISC2 have their own chapters. Ladies of London Hacking Society (LLHS) is a great meetup for women in cybersecurity.

加入聚会，您可以获得更多见解。 OWASP和ISC2有自己的章节。伦敦黑客协会(LLHS)女士是网络安全领域女性的绝佳聚会。

LLHS Ladies of London Hacking SocietyAn offensive & defensive technical security meetup for women.Women centric not women exclusive, Men who want to give a…www.meetup.com

伦敦黑客协会LLHS女士一场针对女性的 进攻性和防御性技术安全聚会，女性为中心，而不是女性专属，男性谁愿意付出代价... www.meetup.com

Look on websites like meetup.com or eventbrite.com. You can also attend some free cybersecurity events or conferences.

看起来像网站meetup.com或eventbrite.com 。您还可以参加一些免费的网络安全事件或会议。

Don’t forget that security should be involved at every level, try to push left during the software development life cycle, don’t be afraid to engage with your security team in your company or the security community online.

不要忘记安全性应该涉及到每个级别，不要在软件开发生命周期中向左推，不要害怕与公司或在线安全社区中的安全团队互动。

And even if you don’t want to follow a career in cybersecurity, knowing a little bit more on that topic will make you a more well rounded software engineer.

即使您不想从事网络安全事业，也可以对这个话题多一点了解，从而使您成为一名更加全面的软件工程师。

生活给你的最重要的教训是什么？ (What is the most important lesson life has taught you?)

I have a motto which is stay curious, keep on hacking and make it happen. But the most important thing I’ve learned is that passion and grit are fundamental.

我的座右铭是保持好奇心，不断入侵并实现这一目标。但是我学到的最重要的事情是激情和毅力是根本。

If you’re passionate about something, just do it, because it is worth it and don’t listen to what others would say. If some people tell you “no, this is silly, you can’t do it”, ignore them. You can do it if you put effort and time in it.

如果您对某件事充满热情，那就去做，因为这是值得的，并且不要听别人怎么说。如果有人告诉您“不，这很愚蠢，您无法做到”，请忽略他们。如果您投入精力和时间，可以做到这一点。

When I was in South Korea, I moved from being a Business Consultant to being a Software Engineer. The journey was not easy at all. I wanted to flip tables (and computers) too many times, but I was driven by challenges and, passion and grit kept me on track. I had a long term objective to reach.

在韩国的时候，我从担任业务顾问转变为担任软件工程师。旅途并不轻松。我想翻桌(和电脑)太多次了，但是我受到挑战的驱使，激情和毅力使我步入正轨。我有一个长期目标。

Don’t forget to share your struggles — you would be surprised by the number of people going through the same feelings as you during this journey. And don’t let imposter syndrome get you down, everybody is having it at different levels. Be optimistic, confident and creative.

别忘了分享自己的奋斗-在此旅途中，经历与您相同的感受的人数会让您感到惊讶。而且不要让冒名顶替综合症使您失望，每个人都处于不同的水平。保持乐观，自信和创造力。

Also don’t forget to share your victories/achievements, small or big, it doesn’t matter. Celebrate them when you reach a milestone. It is important to keep you motivated.

另外，别忘了分享您的胜利/成就，无论大小，都没关系。当您达到里程碑时，向他们庆祝。保持动力很重要。

Keep learning, keep meeting and sharing with people, and keep challenging yourselves!

不断学习，与他人会面和分享，并不断挑战自己！

More on my journey from Business to Tech :-)

索尼娅(Sonya)的旅程：面向全职开发人员的国际业务顾问 欢迎来到“科技界的杰出女性”，在这里我们会遇到在业界掀起波澜的励志女性。 medium.com

If you have other resources, share them below in the comments!

如果您还有其他资源，请在下面的评论中分享！

You can also follow me on Medium, Twitter, Github and LinkedIn.

您也可以在Medium ， Twitter ， Github和LinkedIn上关注我。