Re: OSCP

[Wolf <wolfiroc () earthlink net>]

I've been in the business for 24 years and hold 5 certifications, 4 of which I hold in more value than the CISSP.

The only reasons I hold a CISSP are:
Company paid for the whole thing - Bootcamp and Test
Company paid bonus for CISSP.

I have seen a number of CISSPs who are not qualified and this reinforced my opinion the "great testers can pass a test".


-----Original Message-----
> From: jfvanmeter () comcast net
> Sent: Dec 18, 2008 6:34 AM
> To: pen-test () securityfocus com, pen-test-return-1078487582 () securityfocus com
> Subject: Re: OSCP
>
> I've followed the post for sometime, and I finally felt the need to jump in and share my 2 shiny centavos.
>
> I don't believe you need to have a cert to be committed to the "trade" I've worked in security for 20 years and I 
> don't have any certs and I'm very committed to security. I've worked with Solaris, Novell, Windows, DEC, DG, etc and 
> I've seen security from many different angels and shades.
>
> I believe certs demonstrate that a person has the ability to learn, but I feel that it should be back with experience.
>
> If your looking for items to put on your resume, so when some HR person does a search your pop to the top of the list, 
> I'm sure it works. 
>
> This is OMHA
>
> //John
> "When the legend becomes fact, print the legend." 
>
>
> -------------- Original message ----------------------
> From: "JB" <pentest () jitonline net>
> > I hold both a CISSP and a OSCP... here is why:
> >
> > The CISSP does not claim technical competence... it means that
> > 1. The holder knows at least a little about each of the 10 domains and has
> > proved it
> > 2. That the holder is committed to continuing security education
> > 3. The holder has held some role with security responsibilities for at
> > least 3-4 years
> >
> > It is an easy way to weed out people who are actually willing to put in
> > the time on security and really have the interest.
> >
> > A CISSP is NOT a technical certification
> >
> > The OSCP is a certification that demonstrate that the holder at least has
> > a semblance of a clue how to use common security tools. To pass the OSCP,
> > you actually have to PERFORM a penetration test - that means get SYSTEM or
> > root on multiple machines using only the basic tools (Nessus, Core Impact,
> > etc are not permitted, and the vulnerabilities do not have metasploit
> > modules written for them). It is not a point and click certification. That
> > being said... you do not have to be the most skilled hacker to get
> > certified.
> >
> > So why certify? Certification demonstrates active commitment to the
> > trade... not that the holder is the most worthy candidate for a job. That
> > is what the interview and recommendations are for!!! When I interview a
> > candidate for employment, I tend to ask situational questions to assess
> > whether the person before me actually knows what he is talking about, or
> > pulling it out of his a$$. I also ask the candidate to discuss challenges
> > that he has faced in his performance of security duties (and we have all
> > faced challenges). In the end, I will make my decision based not solely on
> > a certification. That being said... if I have two EQUALLY qualified
> > candidates (experience, interview, etc match up closely), then yes -
> > certification may become a tie breaker as the one who has spent the
> > additional time to obtain and maintain the certification shows a stronger
> > commitment to security.
> >
> > JB
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Security Trends Report from Cenzic
> > Stay Ahead of the Hacker Curve!
> > Get the latest Q2 2008 Trends Report now
> >
> > www.cenzic.com/landing/trends-report
> > ------------------------------------------------------------------------
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Security Trends Report from Cenzic
> Stay Ahead of the Hacker Curve!
> Get the latest Q2 2008 Trends Report now
>
> www.cenzic.com/landing/trends-report
> ------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------