Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Hacker Stories, Certs, vs Projects
From: Pete Herzog <lists () isecom org>
Date: Tue, 01 Aug 2006 14:26:31 +0200


I think it's important to realize that security did pay the huge bucks back
before it became an general cert to pass, like CISSP.

See, back before all that, those in security earned their big bucks by
actually learning all they could in IT which at some point led them into
security.  We actually had no general security certs and I doubt it was
even a consideration for many of us since really, it was mostly down to
Microsoft or Novell at the time.  But it's true that many were unix admins,
engineers, and cable jockeys, teething on the foundation of systems and
networking BEFORE they got into security.  And that's why those guys STILL
make the big bucks. Because they're learned.

An industry that has been reduced to a cert means a profession with a lack
of real experience and applied knowledge. If one can be a security expert
without having to work for it (and here starts all the "I studied so hard
for that cert" talk that I'd rather avoid because 4 months of hard reading
is not the same as 4 years of banging head on a Linux box because of things
like the new kernel tweaks for kerberos are not working) then that will
become a profession over time with less intrinsic value.  Economics: if it
costs a lot in time and money to be a professional at something than those
people will generally be paid more for their work (and yes, I can also
think of exceptions but I'm also not making a broad rule here).

I still believe in applied-knowledge certifications as a vetting process
for existing security personnel.  I believe in applied-knowledge
certifications for recent graduates looking to prove they can hit the
ground running and be resourceful which saves a company money from position
training and taking time away from their more expensive veterans who will
need to show them the ropes.

Many people don't know but ISECOM didn't make the OPSA and OPST and become
a certification authority to get into the cert business.  We got hundreds,
maybe thousands of requests for it before we ever did it. People on the
OSSTMM project basically defined what they wanted people they hired to be
able to do before they started work.  It's also why we will not work with
training companies because this isn't the sort of certification that
training companies like (easy test, easy infrastructure, high pass rate).
So we avoid them because our models differ too much to have a good
relationship.  We only partner with companies who are in the security
business and want to teach their customers to understand their security
decisions on a consultancy or they teach university students to find better
job candidates or get smarter people placed in security jobs where they
understand how the work needs to get done.  The trainer's ulterior motive
is to make a smarter customer.  For them, our certifications do that. They
show a customer or educate a student in just how complicated, hard, and
demanding security can be because it makes them do it.

The first thing I say in any OPST or OPSA class is that when you realize
that there is still so much you don't know about security and you're hungry
to know as much as you can than I did my training right.


R. DuFresne wrote:
And I pointed out how in recent years, sec folks tend to not make the
money that others trained in as my example define, admins do to this
day. There was a time whence sec folks that could demonstrate real
skills, real hands-on experience far beyond whosing a cert number for a
passed CISSP exam made real money.  These days it's far from that...

Willl a cert get you past a clueless HR rep, sure, will it automatically
put you into hig paying jobs, far less likely these days.

This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.

  By Date           By Thread  

Current thread:
  • Re: Hacker Stories, Certs, vs Projects Pete Herzog (Aug 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]