Penetration Testing mailing list archives
Re: OSCP
From: christopher.riley () r-it at
Date: Mon, 15 Dec 2008 10:24:11 +0100
andreg () gmail com@inet wrote on 12.12.2008 20:11:39:
Individuals are individuals. Some are better than others, but nobody is cookie cutter in our industry - let alone most other industries.
I definitely agree, and the training companies are taking advantage of this by offering more and more certification to prove that you can do the job. Sad fact is, that HR departments have no idea when it comes to hiring technical staff (I'm generalising here, but a majority of HR aren't up on security). When it comes down to it, the people doing the hiring like to see people with a CISSP (or insert other mainstream qualification here). What scares me, is that I know CISSPs and they'd be more likely to get a job as a penetration tester based on that single certificate, than somebody that actually knows their stuff.
I suggest that you read the full OSSTMM 3.0 for "real" aka "operational security". Also worth checking out would be NIST SP800-30, NSA IAM/IEM/RTM, DOD DIACAP, and Andrew Jaquith's SecurityMetrics book/blog/mailing-list. There have been interesting threads on the scadasec mailing-list lately as well.
I need to brush up on the new OSSTMM, but found the earlier version to read like stereo instructions. Still, with each version things move in the right direction. The NIST documents are all well and good, but using them in the EU is tricky. That's not to say they mean less here, but writing in a report that we tested based on NIST standards tends to get confused responses from the client. That said, we lack an EU guideline for security testing, so we should work with what we have.
I have read/viewed/listened-to SANS 502, 503, 504, 505, 508, 517, and 617 training material and know some that have attended those classes. There are descriptions and outlines (more detailed than what is available from SANS) for 560 on some wikis and blogs in various places.
The one thing I've learned about the SANS classes in the last year, is that it's not the course content that makes the course. It's the instructor. If you get a good instructor you can learn a lot more than if you get a bad one. This is true of all courses, but I find it particularly true of the SANS classes. I've also listened to a few SANS courses, but find that the detail really lies in the book content, the labs and the fact that they're updated at least 3 times per year (from my talks with SANS EMEA earlier this month anyway). That said, the SANS testing is a little too easy for my liking. 2 practice tests are given, and then a real final test. I'd like to see a practical involved. However the SANS Gold certificates seem to be a good idea. In case you've not seen them, you have to write a paper to be reviewed by SANS and the community. Once it's reviewed and accepted you get Gold status for that certificate. I've yet to do this with my GPEN, but hope to work on it next year (given the time).
I am positive that 542 is a joke/crap because I am a regular web application blogger and guru.
The 4 day is too easy in my opinion... but they're changing to a 6 day class that will cover more advanced topics. From discussions with Raul Siles, they're changing a lot of the course to make it more in-line with expectations. I might check it out in Amsterdam next year.
Here is a good summary of 709:
http://c22blog.wordpress.com/2008/12/10/sans-sec709-developing-exploits-for-penetration-testers-day-2/
Thanks for the plug... somebody does read my blog after all ;) Although I'd not use the word good, as my blogging skills leave somewhat to be desired.
I agree with your overall assessment of the certification industry. I think it's a never-ending circle of new certification (paper or not). However until we educate the HR departments of this world, those people with a CISSP (or whatever the new buzz certificate is) will get all the interviews, and those with real world knowledge and experience will just get what's left.
Chris John Riley
<insert meaningless list of qualifications here>