Home page logo

pen-test logo Penetration Testing mailing list archives

From: christopher.riley () r-it at
Date: Mon, 15 Dec 2008 10:24:11 +0100

andreg () gmail com@inet wrote on 12.12.2008 20:11:39:

Individuals are individuals.  Some are better than others, but nobody
is cookie cutter in our industry - let alone most other industries.

I definetely agree, and the training companies are taking advantage of 
this by offering more and more certification to prove that you can do the 
job. Sad fact is, that HR departements have no idea when it comes to 
hiring technical staff (I'm generalising here, but a majority of HR aren't 
up on security). When it comes down to it, the people doing the hiring 
like to see people with a CISSP (or insert other mainstream qualification 
here). What scares me, is that I know CISSP's and they'd be more likely to 
get a job as a penetration tester based on that single certificate, than 
somebody that actually knows there stuff.

I suggest that you read the full OSSTMM 3.0 for "real" aka
"operational security".  Also worth checking out would be NIST
SP800-30, NSA IAM/IEM/RTM, DOD DIACAP, and Andrew Jaquith's
SecurityMetrics book/blog/mailing-list.  There have been interesting
threads on the scadasec mailing-list lately as well.

I need to brush up on the new OSSTMM, but found the earlier version to 
read like stereo instructions. Still, with each version things move in the 
right direction. The NIST documents are all well and good, but using them 
in the EU is tricky. That's not to say they mean less here, but writing in 
a report that we tested based on NIST standards tends to get confused 
responses from the client. That said, we lack an EU guideline for security 
testing, so we should work with what we have.

I have read/viewed/listened-to SANS 502, 503, 504, 505, 508, 517, and
617 training material and know some that have attended those classes.
There are descriptions and outlines (more detailed than what is
available from SANS) for 560 on some wikis and blogs in various

The one thing I've learned about the SANS classes in the last year, is 
that it's not the course content that makes the course. It's the 
instructor. If you get a good instructor you can learn a lot more than if 
you get a bad one. This is true of all courses, but I find it particularly 
true of the SANS classes. I've also listened to a few SANS courses, but 
find that the detail really lies in the book content, the labs and the 
fact that they're updated at least 3 times per year (from my talks with 
SANS EMEA earlier this month anyway). That said, the SANS testing is a 
little too easy for my liking. 2 practice tests are given, and then a real 
final test. I'd like to see a practical involved. However the SANS Gold 
certificates seem to be a good idea. Incase you've not seen them, you have 
to write a paper to be reviewed by SANS and the community. Once it's 
reviewed and accepted you get Gold status for that certificate. I've yet 
to do this with my GPEN, but hope to work on it next year (given the 

I am positive that 542 is a joke/crap because I am a regular web
application blogger and guru.

The 4 day is too easy in my opinion... but they're changing to a 6 day 
class that will cover more advanced topics. From discussions with Raul 
Siles, they're changing a lot of the course to make it more in-line with 
expectations. I might check it out in Amsterdam next year.
Here is a good summary of 709:


Thanks for the plug... somebody does read my blog after all ;) Although 
I'd not use the work good, as my blogging skills leave somewhat to be 

I agree with your overall assessment of the certification industry. I 
think it's a neverending circle of new certification (paper or not). 
However until we educate the HR departments of this world, those people 
with a CISSP (or whatever the new buzz certificate is) will get all the 
interviews, and those with real world knowledge and experience will just 
get what's left.

Chris John Riley
<insert meaningless list of qualifications here>

Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908

Der Austausch von Nachrichten mit oben angefuehrtem Absender via E-Mail dient ausschliesslich Informationszwecken. 
Rechtsgeschaeftliche Erklaerungen duerfen ueber dieses Medium nicht ausgetauscht werden. 
Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for 
exchange of legally-binding communications.

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]