eLearnSecurity Web Defense Professional (eWDP)
eth0 Member Posts: 86
Does anyone have the eLearnSecurity Web Defense Professional (eWDP), https://www.elearnsecurity.com/certification/ewdp/ ? Any opinions?
Comments
-
NovaHax Member Posts: 502
It's pretty new. So probably not a whole lot of people out there who have done it yet. For what it's worth though, I've done two of the AppSec certifications (eWPT and eMAPT)... and both were excellent. In my opinion, eLearn has the best content out there for application security, so I'd wager to say this course is probably pretty solid.
-
zxshockaxz Member Posts: 108
I will second NovaHax. The eCPPT content was wonderful. I'm looking into their network defense course right now. I am willing to bet the eWDP content will provide more value than you anticipate.
-
fuz1on Member Posts: 961
I have it! It's excellent as most people have said. I'm in the All-Access Elite Package and all the coursework is very in-depth and comprehensive.
Edit: Here's a breakdown of the course:
1. Tools Intro: Kali, OWASP ZAP/OWTF
2. Info Gathering
3. Config Management
4. Authentication
5. Authorization
6. Session Management
7. Biz Logic Flaws
8. Data Validation
9. Cryptography
10. DoS
11. Web Service
12. ClientSide and Phishing
13. Error Handling
14. Applied Secure Coding Principles
15. Virtual Patching and Intrusion Detection
16. Securing Web Apps
-
xXxKrisxXx Member Posts: 80
Hey eth0. I have the course material (haven't gone through all of it yet). I also haven't taken the exam. The course material is good. The only complaint I have is that the video content should've been edited a little bit more (in some cases you're left with idle time). Content could have been cut out, things could have been sped up. Be sure to be familiar with PHP, as that's the language the course author will be walking you through.
Throughout the course you're pretty much shown code and pointed out which lines are vulnerable. You are also shown how to pull off attacks against the code, then how to fix the code to mitigate the vulnerabilities. The course encourages secure programming techniques. You walk out of it knowing where (from a developer's perspective) to look in your source code for possible flaws and how to harden them.
From a professional standpoint, it would've been nice to see something like Fortify or Veracode in the course. A bit more theory on Application Security in the Enterprise - not just from a code perspective, but something more in line with SDLC, Threat Modeling, Static/Dynamic Code Analysis and subject material covered in the CSSLP curriculum. You are going to walk out of eWDP knowing where to fix bad code, but it's not going to make you an AppSec Professional.
-
eth0 Member Posts: 86
xXxKrisxXx wrote: » Hey eth0. I have the course material (haven't gone through all of it yet). [...]
I know structural PHP very well (and also websec at some mid-high level), so it sounds like this is a good certificate for PHP developers to be good programmers and make secure products? :)
-
xXxKrisxXx Member Posts: 80
Absolutely, but the concepts/topics covered are universal and can be applied to any programming language.
-
eth0 Member Posts: 86
xXxKrisxXx wrote: » Absolutely, but the concepts/topics covered are universal and can be applied to any programming language.
Thanks!
I see that you have the following certificates "eCPPT (Silver/Gold), eWPT, GSEC, GCIH, GISP, GPEN, GWEB, OSCP, OSWP" and I have a few questions. I could do this by PM, but it will probably be better here because someone else may need this info too.
I have OSCP and today started eWPT (just because a friend told me that eWPTX is f* boring and also lamely made. I need some websec certificate because people who want to cooperate with me are still asking about my websec knowledge because they don't see it in my experience, since I learned it all at home by myself).
Which of the certificates that you have do you recommend in my situation? For example, is there any good point in doing eCPPT after OSCP (I made it without big problems)? I have 2 targets: the first is learning and the second is just clients, so well-known certificates are better.
-
xXxKrisxXx Member Posts: 80
eth0,
The main Web Application Penetration Testing certification that stands out right now is the GWAPT. Go ahead and finish up with the eWPT course and exam and get the certification. eLearnSecurity's Certifications will slowly start to gain recognition in the industry. GIAC's certifications are always going to look stellar to employers even if they're multi-question based open book. This is unlike their competitor certifications from Offensive Security and eLearnSecurity which offer the 'hands-on' practical approach. The eWPT will look fine on a resume and you will find the exam to be a fun one. You're skilled technically, but eLearnSecurity only considers that 50% of the work when they grade. The remaining 50% will be how good your Penetration Test Report is.
Although I am a big proponent of eLearnSecurity, with you having your OSCP Certification, I don't recommend you venture off and waste your time with the eCPPT. You'll not only find content overlap (which you'll find in other Network Penetration Testing courses), but you're also going to find a similar challenge on the eCPPT Examination to what you tackled in your OSCP Exam.
I personally picked up the eCPPT Silver at the time a few months after receiving my OSCP. The examination at the time was web-based. I was given a free voucher by eLearnSecurity about a year later. The voucher was for a free attempt at the eCPPT Gold Certification Examination which accompanied eLearnSecurity's Professional Penetration Tester Pro v2 course (currently @ v3). I took a swing at the Gold Exam only having access to PTP v1 material at the time and was able to pass successfully. They highly recommended at the time that the students upgrade to their PTP v2 to receive the course updates to accompany certain topics the eCPPT Gold Examination requires. Suffice it to say, having gone through PWB at the time, I had been exposed to enough Network Penetration Testing content to take on the Gold Exam head-on and come out on top.
I'm sure eWPTX v2 will end up being more impressive. Regarding a good Web Application Certification, if SANS SEC542 is not in your budget, I highly recommend waiting for the arrival of the highly anticipated course, Advanced Web Attacks & Exploitation. There have been nothing but rumors of the release of this course online by the end of the year at Black Hat. Offensive Security has run the course there for the past couple years with a lot of success (literally selling out of course tickets within 3-5 days). If they're done working out whatever kinks, I've only heard rumors up to this point about them potentially releasing it by the end of this year with the course cost being around the same cost of Cracking the Perimeter.
If employers are wanting to see a Web App Security certification on your resume, I'd sign up for SEC542 and pick up the GWAPT. I highly advise waiting like the rest of us for AWAE though.
Continue teaching yourself and learning. Web App Sec is easy to practice at home, there are so many vulnerable web apps developers have intentionally coded insecurely (bWAPP, WebGoat, Mutillidae, Damn Vulnerable Web App, etc). There's a lot of solid content out there to get into it that could take you to that intermediate level to say the least. If you have any more questions, feel free to shoot me a PM, or if you feel members from the forum will benefit by a response - post your questions.
-
Bodanel Member Posts: 214
@xXxKrisxXx
AWAE online?? Dude, this is awesome. I was trying to figure out what cert to get but I discarded AWAE because trip costs are more than the course itself. If this is true then I'm sold. This is why posting this kind of info on a forum is very useful.
-
eth0 Member Posts: 86
xXxKrisxXx wrote: » eth0, The main Web Application Penetration Testing certification that stands out right now is the GWAPT. [...]
Thank you so much for your post! Yeah, SANS courses are not a target for me since I am from Poland (and because of this, also sorry for my great English skills...) and, as you know, I have around 1/3 of the salary of people from the US/UK etc. To be honest, this is my main problem and the reason why I have only OSCP as a certificate (and my employer paid for it as my first certificate in a new pentester job). So around $1k is my limit now.
Basically I know websec; I have a few 0days (like XSS filter bypass or SSRF) and a few bug bounties done. I learned a lot before some recruitment, and now on eWPT I see that a lot is the same as in my notes, so this course looks nice and for sure I will learn some details, same as on OSCP. It's also good for me that the language I know best is PHP; I think that I have very good knowledge of structural PHP.
I am also thinking a little about some admin certs like RHCSA and MSA, but I'm still not sure.
-
NovaHax Member Posts: 502
eth0 wrote: » I know structural PHP very well (and also websec at some mid-high level), so it sounds like this is a good certificate for PHP developers to be good programmers and make secure products? :)
Ugh...PHP :-/...**shudders**
-
eth0 Member Posts: 86
NovaHax wrote: » Ugh...PHP :-/...**shudders**
Yeah, I know
$ cat test.php
<?php
if ("1" == 1) {
    echo "a".PHP_EOL;
} else {
    echo "b".PHP_EOL;
}
?>
$ php test.php
a
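
Added example, not part of the original thread: test.php prints `a` because `==` converts the numeric string to a number before comparing. The sketch below uses constructed token values and hypothetical function names to show the same loose comparison accepting two different secrets, next to `===` and `hash_equals()`, which both reject them.

```php
<?php
// Constructed sample values, not taken from the thread: a stored reset token
// that happens to look like scientific notation, and a different user input.
$stored   = '0e11111111111111111111111111111111';
$supplied = '0e22222222222222222222222222222222';

// Same operator as test.php: both operands are numeric strings, so PHP
// converts each to a number (0 * 10^n) and compares the numbers.
function loose_match(string $known, string $user): bool
{
    return $known == $user;
}

// === compares type and value with no conversion.
function strict_match(string $known, string $user): bool
{
    return $known === $user;
}

// hash_equals() compares strings byte for byte in constant time, which is
// the usual choice for tokens, MACs and password-reset codes.
function secret_match(string $known, string $user): bool
{
    return hash_equals($known, $user);
}

// Run each check against the same pair of different strings.
foreach (['loose_match', 'strict_match', 'secret_match'] as $check) {
    printf("%-12s %s\n", $check, var_export($check($stored, $supplied), true));
}

// The thread's own case, loose and strict, for comparison.
printf("%-12s %s\n", '"1" == 1', var_export("1" == 1, true));
printf("%-12s %s\n", '"1" === 1', var_export("1" === 1, true));
```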