Start with eCPPT or straight to the OSCP?

I've read the threads I could find on taking the eCPPT before the OSCP, but the did not seem to apply to my situation.

My Background:
I have a BSE in Computer Science and Engineering and have been working designing and developing software and systems for 20 years. For the past 14 years I have focused on secure software and systems development, working with the DoD. I have experience writing C and C++ code, and did x86 assembler in college. At one point in time I ran the Unix security program for a state university, so I'm also familiar with most networking concepts, but have not worked implementing anything in many years.

My Motivation:
First off, I do not want to be a professional penetration tester. I will eventually get the OSCP cert, just because I want to and getting it is a goal of mine. In addition, I think that if I better understand penetration testing, I will be able to do better job developing secure software and systems. I do the standard OS and network scans mandated by the DoD, but the software systems I develop are not directly tested. Instead of just running a tool to identify my applications vulnerabilities I would also like to understand the why.

So, the question is, given my background, do I start with the eCPPT and then do the OSCP, or do I just start with the OSCP? Money is fortunately not a factor and I can afford to do both.

--
Paul

Find more posts tagged with

Comments

Paul_H

Forgot to add, that I already hold the CISSP and GSEC certifications.

TheFORCE

What type of applications are you developing or looking to secure and do pentests against? Are these web apps orcuatom applications that are used internally? I think SANS has a course of secure development, maybe it would be of interest to you.

BlackBeret

If OSCP is what you want go for it, there are no preq's. Honestly if you're looking more at the application side of it rather than the network side you might enjoy the OSCE more. It's a lot heavier on exploit development and abusing buggy programs. I didn't bother with eCPPT. If it had been around when I was first starting I might have looked at it, but no sense in spending time/money on walking if you're ready to run.

Paul_H

TheFORCE wrote: »

What type of applications are you developing or looking to secure and do pentests against? Are these web apps orcuatom applications that are used internally? I think SANS has a course of secure development, maybe it would be of interest to you.

I suite of tools I'm responsible for includes custom applications and web applications. All of my tools run on classified networks, so public attacks are not really an issue, but insider threats are a major concern. I have looked at SANS secure development course. Cost is an issue with that class, so taking it right now is not an option.

impelse

How type of learning person are you?

The one that go straight and fight a lot until you get something, until give you the click.

Or

The one that likes to build up the skill slowly until you reach your target.

If you like the option 1 then OSCP. If it is the second option then go first eCPPT > OSCP

chrisone

Doesn't look like you have any previous experience in the pentesting realm. There have been plenty of cases of individuals here without even the basic knowledge of pentesting that they get so frustrated with OSCP they end up quitting.

I would advise testing the waters in something a little less intense such as elearnsecurity PTS and getting the EJPT certification, CEH, or if you have the money SANS GPEN.

OSCP is know to crack skulls and be very hard for those even with basic pentesting experience.

Good luck!

McxRisley

OSCP is doable without hardly any pen testing experience, I am living proof of that BUT my experience does not corelate with the majority of those who take the course and I spent over 40 hours a week studying and practicing in the labs. There are experienced pen testers who have troubles with the OSCP even. Also all of the coding experience in the world will not help you with OSCP, there are some instances where it could benefit you but for the most part it won't really matter. So it really comes down to do you want eLearn to hold your hand? or do you want to do offsecs sink or swim method of learning?