Home page logo

pen-test logo Penetration Testing mailing list archives

credentials & experience (was: Re: OPST vs CEH
From: "Meritt James" <meritt_james () bah com>
Date: Fri, 13 Feb 2004 09:08:44 -0500

You realize, I hope, that to maintain many of the certifications it is
necessary to get, as well as document, precisely that training and
experience which you mention, as well as more.

wjnorth wrote:

Good points all.

Here's my two cents, which will probably get me flamed, but, whatever I've
got spam.

Certs in general, in my opinion, do not offer anything other then the
recognition that someone spent enough time to study material and answer
questions, and perhaps participate in a lab environment. I've ran into so
many countless people that have certifications ranging from GSEC, CISSP,
GCIA and a ton of others, that didn't know the difference between a syn
scan and a full tcp connect, or couldn't explain some of the current public
exploits and what they do to systems, or valued ISS over nessus, and nessus
over manual methods...the list goes on and on.

That is not to say that the certs are useless, far from it, especially if
one backs it up with practical experience. Having said that, let me also
say that while I hold these sentiments against certifications I also
believe they are worth something in that it provides people the ability to
get into security or whatever field their cert is for. They aren't useless,
in my mind, but for sure nothing beats experience.

Additionally I believe some of the SANS certs hold a bit more water then
others simply due to industry acceptance, awhile back someone might have
said the same for CISSP. Regarding the OSTMM, I only recently (within the
last year) found out about them, and have been doing security for quite a
while, but apparently not long enough to run across this very interesting


P.S. you'll notice no letters after my name, but I could list my four year
degree to offer some credibility. ;-)

You notice that I do.  I could list my BS & MS, too, but they really
wouldn't help in the arena of offering competent computer security
assistance to the State Department as well as other places.  They are
the "foot in the door" that require additional knowledge to perform once
entry is gained.

James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566

Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]