5 replies to this topic

[chemist]

The story:
I have been a functional tester for quite some time and I always had an affinity for the more technical parts of it. As such I have quite some (high-level) knowledge about various OS's, DB's and applications. This year I was offered the chance to specialize in security testing; a change I grasped with both hands. Since you can't do everything at the same time and experts on networking security exist longer then I live I decided to focus on (web) application securty at first. This area is still in development and my skills so far are best applicable in that area. I figured I can always grow into the field of networking security, but needed to scope things first in order not to drown in information.

The scope:
My initial scope will be attacks that can be initiated from an application. So all sorts of XSS, CSRF, SQL/command/code injections, authentification attacks, etc, etc, etc. Things like wireless hacking, direct (web)server or database attacks (e.g. via telnet) or direct networking attacks (like CISCO routers etc) will not be my main focus. I understand that you cannot seperate things as easily as I state here, but I hope you grasp my idea

The challenge:
Part of the training and getting nice assignments is certification. Due to limitations in time and location I started with the CEH program. Although it was fun and interesting, it focused too much on the networking parts for my liking. After receiving the CEH certificate I started to look around for the next training, but to my surprise I could not find any real 'application security' training. Most courses I stumbled on upon still only have a few modules on application security and many more on e.g. windows password hacking.

The question:
Do you guys know any course that better fits my needs? At the moment I am settling for SSCP (or maybe CISSP) combined with an ECSA/LPT/GPEN/GCIH certificate, but I would like to get your feedback, ideas, and experience on this.

[stacksmasher]

GIAC?

CISSP is a joke. SANS has much more respect in the security community.

The story:
I have been a functional tester for quite some time and I always had an affinity for the more technical parts of it. As such I have quite some (high-level) knowledge about various OS's, DB's and applications. This year I was offered the chance to specialize in security testing; a change I grasped with both hands. Since you can't do everything at the same time and experts on networking security exist longer then I live I decided to focus on (web) application securty at first. This area is still in development and my skills so far are best applicable in that area. I figured I can always grow into the field of networking security, but needed to scope things first in order not to drown in information.

The scope:
My initial scope will be attacks that can be initiated from an application. So all sorts of XSS, CSRF, SQL/command/code injections, authentification attacks, etc, etc, etc. Things like wireless hacking, direct (web)server or database attacks (e.g. via telnet) or direct networking attacks (like CISCO routers etc) will not be my main focus. I understand that you cannot seperate things as easily as I state here, but I hope you grasp my idea

The challenge:
Part of the training and getting nice assignments is certification. Due to limitations in time and location I started with the CEH program. Although it was fun and interesting, it focused too much on the networking parts for my liking. After receiving the CEH certificate I started to look around for the next training, but to my surprise I could not find any real 'application security' training. Most courses I stumbled on upon still only have a few modules on application security and many more on e.g. windows password hacking.

The question:
Do you guys know any course that better fits my needs? At the moment I am settling for SSCP (or maybe CISSP) combined with an ECSA/LPT/GPEN/GCIH certificate, but I would like to get your feedback, ideas, and experience on this.

[chemist]

GIAC?

I noticed GWAS from GIAC but it is retired and I couldn't find a succesor ...
Furthermore I cannot really see the benefits from GIAC compared to 'just' taking direct training at SANS.
I will look into it further tonight.

CISSP is a joke. SANS has much more respect in the security community.

Maybe that is dependent on the country? I know that overhere in Europe CISSP is considered one of the best security related certificates. I admit that from a tester's point of view it has little to offer, but from a company's or employer's point of view it is certainly a plus.
The only thing that is not clear to me is how SSCP is regarded compared to CISSP; does it have the same respect (translation: is it the same level of BS ) or is it really "the poor man's CISSP" ?

[DidierStevens]

The story:
I have been a functional tester for quite some time and I always had an affinity for the more technical parts of it. As such I have quite some (high-level) knowledge about various OS's, DB's and applications. This year I was offered the chance to specialize in security testing; a change I grasped with both hands.

In your new security testing position, do you perform white-box or black-box testing? Is code-review one of your tasks?

I obtained the GIAC Secure Software Programmer - C (GSSP-C) certification (it also exists for Java). In a nutshell, you need to master secure coding practices for this exam. Mastering these practices is not only helpful for programmers, but also for code reviewers. But if you have no experience programming in C (or Java), then this certification isn't for you.

Neither is this certification for you if you are looking for training with a teacher. SANS offers no training for this certification, you've to prepare through self-study.

[chemist]

The company I work for is specialized in testing only; we do not provide coding services. As such the majority of the assignments I will get will be blackbox/graybox testing. I do not expect to get any code review assignments.

However, even in blackbox testing I think it is important to know some coding practises. When you know what language is used, it is easier to look for vulnerabilities. So I am also interested in secure coding courses. I will look at your suggestions !

[jason]

There's actually a new cert out now specifically for web app pen testing, the GWAPT. The class for it it DEV542.