Home page logo

pen-test logo Penetration Testing mailing list archives

From: "Pete Herzog" <pete () isecom org>
Date: Fri, 13 Feb 2004 21:44:30 +0100


There seems to be some confusion on "certification" regarding the
OPST.  I hope I can clear this up here for most of you.

OPST and OPSA are accredited university classes for which we do
provide a certifying exam, aka: certification.  While the list of
universities providing this is growing, we also have training partners
who provide both a version of the university class in bootcamp or
similar style and those who provide only the exam with their own
pen-testing class before it.  I agree with the one poster who said
that you should be wary of certs that are based on their own classes.
Our classes are based on a public, free, peer-reviewed methodology,
even if it is one we publish. Additionally, anyone can teach their own
classes to provide the exams. We make no rules regarding the materials
except that we want to review them to assure the rules of engagement
are applied.

OPST is only one side of the coin teaching a professional security
testing class teaching a variety of techniques to ascertain the
security posture of a system or network, based on the OSSTMM.  As you
may or may not know already, the OSSTMM does not focus on penetration
per se and does not focus on vulnerabilites (bugs).  Its focus is
primarily testing misconfiguration and poor process for which
vulnerabilities are a sign for.  The other side of the coin is the
OPSA which focuses on what to do with the data you collected during a
test.  How to read the signs.

Together, the OPSA and OPST are a strong course in what a security
tester needs to know and be able to accomplish from estimate to final
report and client meeting (workshop).  It also includes the Rules of
Engagement which is as much a code of ethics for security testers as
it is for any company providing security.  Together the classes
accredit a person to provide official OSSTMM Audits valid for
insurance companies, government requirements, and any company who
needs practical security measures which can actually be measured and
repeated.  Companies who come to ISECOM are often looking for a way
for the OSSTMM to ease the burden of extensive interviews ISO17799
audits where it is more practical use tests in place of interviews (no
flames please as no one is looking to fully replace ISO17799 with
automated tests).  That is the certifying nature of OPST and OPSA- to
serve a purpose for accrediting professional security testers.

While you talk about the certifying process of SANS, CISSP, etc.,
please understand, for this, ISECOM has the academic alliance where we
integrate, for example, OPST and OPSA into ESADE's (www.esade.edu)
Business Information Security Class of the ESADE MBA program and La
Salle's (www.salleurl.edu) Masters Class in IT Security.  Here the
certifying process is on behalf of the university to complete where we
provide a part of the process.  And it's for this reason, the OPST and
OPSA Certificates carry both the La Salle and ISECOM seal.  Should
SANS, (ISC)2 or anyone else who may choose to offer the OPST or OPSA
then hat would not change our position on this.

For ISECOM, as for most, the process is learning, gathering
experience, and improving yourself.  A university degree, a
successfuly completed track, and well read and dog-eared security book
are all a part of the process.  Whether or not a certification is good
based on it being "hard" is fairly subjective.

I hope this clears up our position of ISECOM and "certifications" a
little better.


Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org

-----Original Message-----
From: Patrick Prue [mailto:pprue () cogeco ca]
Sent: Thursday, February 12, 2004 05:07 AM
To: Bartholomew, Brian J; pen-test () securityfocus com
Subject: Re: OPST vs CEH

I do have to agree with Brian on the one point Track 4 is
not intended to
teach pen-testing.

I do hold the GCIH certification and have for a number of
years now the main
focus of the materials taught and the certification as I
view it is more
leaning towards the whole incident handling cycle , having
the knowledge of
the hacker techniques and exploits makes you a better
incident handler when
it comes down to looking at the root cause of the
compromise in the first

The certification process can be very rigourus and
challenging at times .
And as I see the original question poised I guess the whole
intent is what
exactly are you hoping to get out of it . The OPST
certification seems alot
more centered around the whole methodology of Pen Testing
and how to perform
it . Seemingly if this methodology was performed by many
pen testers they
should each turn out a very similar result and report when
drawing up the
final reports.

Just my 2 cents..

Patrick Prue

Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]