科技回声 (Tech Echo)

A technology news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Ask HN: How do you start a career in software security?

20 points, by chrbarrol, about 8 years ago
I am close to finishing a Computer Science degree and while I find software security really interesting, I have not been able to find any company hiring graduates for positions that specify working with software security. Is software security just something you stumble into later in your career?

8 comments

alltakendamned, about 8 years ago

Security consultant checking.

Candidates with some form of experience are often preferred. But the beauty of infosec is that that experience can be pretty much anything, it does not have to be relevant work or school experience.

Have some bug bounties, CVEs or exploits to your name, you'll get an interview. Have a certificate like OSCP to your name, you'll get an interview. Do writeups of Vulnhub machines and that might even be good enough.

But what seems to be the common theme among security people in nice jobs is that the effort came from them. They were self-driven, this is what they do, regardless of whether they're paid for it. And the reason is simple, this is a fast-moving job, which often requires additional study and effort on a daily basis. So show that you have this quality and take a very active approach to the start of your security career. It should work, everyone is hiring.
Comment #13713420 not loaded
Comment #13705116 not loaded
dsacco, about 8 years ago

The reason you haven't found companies hiring graduates for security is partly because security, like most specializations, generally skews towards more experienced candidates, and partly because it's a relative niche.

I'm happy to help you via email if you'd like to get in touch. Practically speaking, my advice would be to pursue bug bounties, read as much as you can in the field and implement security measures in code to understand them deeply.

Plenty of the large and reputable security firms are in an "always hiring" state, even for graduates.
Comment #13707665 not loaded
micaksica, about 8 years ago

I work in product security. Early in my career, I often did bug bounties, CTFs/wargames, but I didn't really get into "software security" until I had spent some years doing some large-scale production-level software engineering.

Software security is a big space. There are pentesters, exploit developers, researchers, application security people that work attached to product engineering teams, et cetera. What is it that you really want to do?

IMO to really understand how to break things and how things break, you need to be able to build things as well. Outside of very limited circumstances, you need to be able to communicate to product teams and other developers why a certain exploit class succeeded, what they can do to mitigate the issue in prod now, and what best practices to follow to mitigate the issue class in the future.
ecesena, about 8 years ago

If I were you, I'd connect directly with people working in security, either security for a "normal" company or working for a security company.

I can believe if you say that job posting is slightly biased towards senior positions, but I'm sure you'll find good opportunities easily, it's a very specialized job and it's hard to find good people.

If you let managers (or HR) know that you exist, a position will appear.
btx, about 8 years ago

Being in a somewhat similar position (looking for my first 'real' job in the field of security), I have more or less the opposite problem.

After setting up a profile on sites like Xing (works best for Germany) or LinkedIn and adding some relevant buzzwords, you get basically swarmed by recruiters. The offers from recruiters might not be the most interesting, but you still can use them to get some information and feedback.

Just show that you have a personal interest in security. For example, I have myself participated in a bunch of bug bounties, hitting most of the big ones (Dropbox, Facebook, Google, Microsoft, Mozilla, PayPal, Twitter, ...). While finding big problems in the higher paid ones might be trickier, there are always companies that just offer a thanks or some swag. An alternative would be to look at open source projects and try to get some CVEs. Of course this depends on what field of security you want to end up in.
JSeymourATL, about 8 years ago

> I have not been able to find any company hiring graduates ...

Don't search job posts online, you must go where the fish are. Start attending live events, conferences, etc...

In Oslo, try OsloSec > https://www.meetup.com/OsloSec/?scroll=true
AnimalMuppet, about 8 years ago
For me it was, yes. For you, though, it might not have to be. Can you get some security classes in your coursework? (Does your institution even offer any?)
Comment #13702162 not loaded
jest7325, about 8 years ago

Don't be afraid to shake things or the industry, but always stay on the bright side. The line is very thin between "I am trying to help and improve security" and "I am threatening you". Some people or businesses could feel threatened depending on the wording used when approaching them.