Programming
random, 2014-11-11 18:27:27

Who is in charge of information security?

Hello, I am a 2nd-year student and got a job in a company that deals with information security (this is my first job). They mostly write in Java. I would like to know how people work in such companies; please share your experience: what did you study, how much time did you devote to studying, what books did you read? I will be glad of any comment.


6 answer(s)
Maxim Kudryavtsev, 2014-11-11
@kumaxim

I have no idea what kind of office you got a job in that even WRITES CODE!!!!
I myself studied information security for 5 years and worked for about 1.5 years in my specialty. In the Russian Federation, information security for the most part comes down to the protection of personal data, since 152-FZ obliged everyone to protect personal data.
The situation is as follows: there are a number of documents from regulators plus a list of certified software. You determine the class of the system according to the regulatory documents, look at which threats from the list are relevant to you, and buy software from the list to cover them. The setup is done according to the instructions; there is nothing complicated.
That was the extent of 90% of my work.
For the remaining 10%, I had to dig into the settings of server-wide software (such as IIS, etc.).

xseven, 2014-11-12
@xseven

At the moment nothing can be said, because you did not explain anything specific.
One of the popular areas is the development of secure data connection systems, for example based on VPN.
Creation of RNGs based on biological data.
Maybe creating sandboxes to run applications safely, etc.
In general, code does get written, and there is plenty of it in the Russian Federation.
In this regard, I'm surprised by the previous answer.
On topic: author, first decide what your responsibilities will include.

random, 2014-11-13
@demon123

We mainly deal with Public Key Infrastructure (PKI). Has anyone done this and written it in Java?

Vadim Kurytski, 2014-11-14
@Vadoku

Of course, I will not argue, but since the office is developing software that implements PKI, it will be necessary to write programs that compute (if I may put it that way) electronic digital signatures (EDS) for users or somewhere else. I believe it will be necessary to study the standards that establish the algorithms and procedures for computing the value of the hash function used in cryptographic methods of processing and protecting information, including for electronic digital signatures during the transmission, processing and storage of information.
P.S. Although they will tell you this at work today)

Vyacheslav Smirnov, 2014-11-16
@polarnik

Since it's PKI and Java, study the subject area on this topic (when you start to distinguish a certificate from a private key and from a signature, you are already imbued with the topic; a start has been made), and also study BouncyCastle and OpenSSL. It doesn't hurt to look inside ASN.1 and see what's inside a CMS container, an OCSP request and response, a signature, a timestamp, ... Cyrillic and Unicode. lapo.it/asn1js is a good tool; you can easily figure out how to teach it the OIDs it is missing.
Work with specific implementations of tools that are certified in our country. Deploy/reconfigure/remove the CA from CryptoPro five times, and you will be head and shoulders above the rest in PKI experience. Do the same on the basis of Microsoft Server and you will understand the differences. Try to arrange it so that the shell is from Microsoft Server and the cryptographic provider is from CryptoPro, or LISSI, or VipNET.
A very interesting topic is the client part of the PKI infrastructure on Android; there is demand for it.
I believe that in order to begin to competently understand PKI for Linux and Android, you must first lay the foundations by working under Windows.
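As an added illustration of the two answers above (this is not code from anyone in this thread): the DigestInfo that a PKCS#1 v1.5 signature carries is built from a SHA-256 hash, then walked as raw ASN.1 DER the way asn1js shows it, decoding the OID on the way. It uses stdlib Python rather than Java/BouncyCastle so it runs with no dependencies; the message b"hello" is a constructed sample, and the encoder assumes short-form lengths (below 128 bytes), which is all this structure needs.

```python
import hashlib

SEQUENCE, OID, NULL, OCTET_STRING = 0x30, 0x06, 0x05, 0x04   # universal DER tags
SHA256_OID = "2.16.840.1.101.3.4.2.1"                        # id-sha256

def tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 0x80                      # short-form length is enough here
    return bytes([tag, len(value)]) + value

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])    # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:                    # base-128, high bit = "more follows"
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return tlv(OID, bytes(out))

def decode_oid(value: bytes) -> str:
    arcs = [2, value[0] - 80] if value[0] >= 80 else list(divmod(value[0], 40))
    acc = 0
    for b in value[1:]:                           # undo the base-128 packing
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def digest_info_sha256(message: bytes) -> bytes:
    """PKCS#1 v1.5 DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }."""
    alg_id = tlv(SEQUENCE, encode_oid(SHA256_OID) + tlv(NULL, b""))
    return tlv(SEQUENCE, alg_id + tlv(OCTET_STRING, hashlib.sha256(message).digest()))

def parse_der(data: bytes, depth: int = 0) -> list:
    """Walk the TLV tree as asn1js displays it; rows are (depth, tag, decoded value)."""
    rows, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2   # single-byte tags only
        if length & 0x80:                         # long-form length: count + big-endian
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        value, i = data[i:i + length], i + length
        if tag & 0x20:                            # constructed: recurse into children
            rows.append((depth, tag, None))
            rows.extend(parse_der(value, depth + 1))
        else:
            rows.append((depth, tag, decode_oid(value) if tag == OID else value.hex()))
    return rows
```

The first 19 bytes of the output are the fixed SHA-256 DigestInfo prefix you will see in any PKCS#1 reference, which is a useful thing to recognise when staring at a raw signature block.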

Sergey, 2014-11-20
@sergey_privacy

I myself worked in the protection of state secrets: boring work, not many tasks; if everything is planned correctly, your brain turns sour. As the first commenter wrote, the tasks are as follows:
1. determining the class of networks, rooms and machines by the types of information being processed
2. systematic verification that the protection methods comply with the regulations
3. once a week, checking the rights of users for whom requests to connect/disconnect network resources were submitted during the week
4. issuing keys/certificates
5. checking server settings
6. a lot of paperwork
7. a lot of on-site audits of subordinate regional branches
If you distribute the tasks correctly, the work takes half a day. No one will allow you to write your own software, because all software must be written by certain offices and certified for the Russian Federation.
Then I switched to working as a network administrator in a company with 5000+ people in the region alone and a couple of hundred branches, and I see the security work there too. Nothing changes: the software and hardware for protection against unauthorized access are established by regulations, and a step to the left or right means execution. Nobody ever writes anything in real life.
