A question regarding best security related cert based on current circumstance

Pash (Member, Posts: 1,600)
Dear All,

I am posting here to ask you all: "What is the best security related cert I can go for in my current circumstance?" A little info on me to assist with some answers:

I am a DevOps Engineer for a payments gateway company (PCI-DSS is big for us). I am a volunteer security champion from the DevOps team. I love cryptography in general, always have and always will. I work on toolsets that I write in Python/Golang and I also help set up cloud related platforms, CI and CD platforms, and I am heavily involved in the releasing of software into all of our environments, in an automated fashion. I do have an interest in hacking and pentesting in general. I am also a big believer in the security-to-the-left movement. DevSecOps is the future for me.

We have a security team in-house and I asked a colleague of mine which cert he recommends. He recommended the rather hardcore OSCP certification, which I had heard of before from a security meetup. I am not even against looking to switch into more of a security related role in the future, especially in the payments sector.

I am just curious as to what the security community recommends here.

Any help is appreciated.

Many Thanks,
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.


  • EANx (Member, Posts: 1,078)
    Your question and answer had a lack of specificity. Do you want to break into the network and show vulnerabilities?

    Do you want to defend against people breaking into the network (and not showing you weak-points)?

    Do you want to manage the people doing #1 or #2 but attending meetings and keeping other people out of their business?

    Please be specific.
  • Pash (Member, Posts: 1,600)
    I want to learn how to attack, to learn how to defend. I write a lot of web front/back end tooling. Behind these tools are sensitive systems/data and I want to make sure they do not get compromised.
  • UnixGuy (Mod, Posts: 4,280)
    OSCP is hard core penetration testing and needs continuous dedication.

    Check out eLearnSecurity PTS (eJPT); it will introduce you to a lot of attacks, and you get to learn them hands-on in the labs. If you find it too easy and want to move on, then OSCP can be next!

    For general security knowledge, have you thought about CompTIA Security+ / CASP?
  • fitzlopez (PCIP, CCNA CyberOps, CySA+, Pentest+, Linux+, CSSLP, CISSP-ISSMP, CISM, CEH, ITIL F, Cobit F, ISO27K F; Member, Posts: 103)
    Check out the info on the following certs:
    - SANS DEVXXX series
    - PCI Professional
    - CompTIA CASP

    The CISSP-ISSEP sounds like it could apply but as I haven't read the book about that one, I could be wrong. I'm bumping reading that CBK to 2019. And you also need a valid CISSP to take it.
  • yoba222 (Senior Member, Posts: 1,230)
    GCIH seems to fit the bill in my opinion, but only if the company is paying.
  • Pash (Member, Posts: 1,600)
    Thanks for the reading materials and suggestions. I did have a CompTIA Security+ many moons ago (MCSA 2003 elective); not sure if that is still even valid. I think as it was pre-2010 it might be. I am a security champion at work, have attended DevSecCon in London in 2017. I am pretty aware of most modern security threats. I am not afraid of a grind-out study if it will really be beneficial. I'll have a review and think and see what to do.
  • ottucsak (Member, Posts: 146)
    DevOps Security Engineer role is beginning to spin up. We have an open position and I know that Prezi also has an open head. Instead of learning into another role, try to learn more about cloud security, securing/hardening infrastructure, security features of AWS and Azure, etc.
    I would recommend getting CCSK first instead of hacking related certificates.
  • TechGromit (GSEC, GCIH, GREM; Ontario, NY; Member, Posts: 2,042)
    yoba222 wrote:
    > GCIH seems to fit the bill in my opinion, but only if the company is paying.

    I agree, the GCIH is a highly desirable cert with employers; it offers exposure to pentesting, vulnerability scanning, and incident response. While it doesn't dive too deeply into any one area, it checks the most boxes for what you described. Once you have this, you can specialize in the specific area you're interested in.
  • TechGuru80 (Member, Posts: 1,539)
    How well do you know OWASP?

    If you are already in DevOps dealing with web, your experience is going to be most closely related to web app security. I suppose you could branch out and learn more about network / system pen testing, but you will look a lot better if you get very good at web app security. Certs like GWAPT, eWPT, OWASP (https://www.owasp.org/index.php/Category:OWASP_Certification_Requirements) to name a few.
  • Pash (Member, Posts: 1,600)
    Good question. I am a https://www.owasp.org/index.php/Security_Champions on our AppSec team. This OSCP recommendation I received was from our AppSec team leader. I did gulp a little when he said "I would take you very seriously if you had this cert and was a devops engineer" and I was thinking "I don't know if my wallet can take that, or my time". There is an AWS security related specialty exam in beta at the moment, which I will probably do. GCIH sounds good but I am unsure of how much it would cost. I am having a hard time deciding, if I am honest. They all look equally interesting and valuable. I think the AppSec consideration is the most important, as mentioned; everything is code in the world of 'serverless' cloud. I am seeing a ton of new contracts in the London job market for DevOps Security leads etc. Sounds like a good time to get myself into the security world for good.
  • NetworkNewb (Member, Posts: 3,298)
    Small certs will give small results. Go big. OSCP.

    GCIH is pretty simple imo and not cheap.
  • SteveLavoie (Member, Posts: 974)
    You could go for more general security certs, like CISSP, and add some more specific ones like CCSP or CSSLP. It all depends on where you want to go in your career. If you want to move more into Red teaming, look for OSCP.