SEC542 - Web App Penetration Testing and Ethical Hacking

Jasiono Member Posts: 896
Hey everyone

I recently passed the GCIH and I get to choose another cert to go for.

I want to go with SEC542 - Web App Penetration Testing and Ethical Hacking.

The only SANs cert I have is GCIH.

I have questions for people who have taken this course:

How is Moses Hernandez as an instructor?
Are there any prerequisites for this one? Something I should do to better arm myself for the course?
I know that GCIH and WAPT are two different exams, but as far as difficulty goes, are they on par with one another?

I only have a year of security experience with a background in software testing (about 7 years of that).

One of my main roles now is pentesting our webapps which is why I chose this cert, that, and the fact that my manager does not have it (he has GPEN, but that seems to be more network oriented)

Comments

  • iBrokeIT Member Posts: 1,318
    I'll be taking it next month at Sec West with Moses. I transferred my GCIH into their Penetration Testing and Ethical Hacking Graduate Certificate program and using company tuition reimbursement at the rate of 1 class a year to pay for it.

    IMO the course page and syllabus gives you a pretty good idea of the topics: https://www.sans.org/course/web-app-penetration-testing-ethical-hacking
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • Jasiono Member Posts: 896
    I've been meaning to look into the graduate cert program!
  • TechGuru80 Member Posts: 1,539
    I took the course via OnDemand so it is recorded by course authors...I would highly recommend getting the access because no matter what you will only absorb so much in class. I can’t imagine any SANS instructor being bad at the conference level as they go through levels of vetting.

    Honestly I didn’t have much exposure to WebApps prior to the course...had some exposure during PWK (OSCP course) and CEH, but I didn’t find the course crazy difficult to pick up the information.

    If you want a head start, I would get a copy of the Web App Hackers Handbook v2 and start reading through.
  • Jasiono Member Posts: 896
    Thanks for that!
    I'll check that book out.
    I'll def be getting the on demand portion as well. It really helped with GCIH.
  • 636-555-3226 Member Posts: 975
    +1 for Web App Hackers Handbook v2. It's basically this course in book form, with lots of extras to boot. A great complement to each other.

    I took 542 with Conrad, not Moses. Great course, lots of good stuff in there. Convinced me the only people who will ever be truly good and reliable at web app testing are people who 100% focus on web app testing. It gets real deep real fast. I think a few people complained to Conrad the first day about going too fast and assuming they knew things about web apps already. His response was essentially a nicer version of "this is a 500-level class and I don't have time to teach you what HTML stands for, so transfer into a 400-level class if you don't know what cookies are."

    Difficulty is on par with GCIH I'd say, just different subjects. Both 500-level. The more you know about web apps the better going into it, but not really necessary if you're familiar with the topics and/or pick stuff up quick. One of my fav SANS classes, but I seem to say that about most of them....
  • Randy_Randerson Member Posts: 115
    This was a really hard course for me for some reason. Things like XSS and SQLi just don't come naturally to me because that isn't my background. However, the bigger issue I had with this thing was just the cert in general. I had A LOT of questions that were not in my books -- no matter how deep I dug.

    But the material is solid. Just a little too heavy on things I've seen on the outside you can find for free IMO.
  • Jasiono Member Posts: 896
    Hm. Okay
    I'm wondering if I should finish my degree or continue getting certs
  • Randy_Randerson Member Posts: 115
    Jasiono wrote: »
    Hm. Okay
    I'm wondering if I should finish my degree or continue getting certs

    Truthfully, it depends on your region and what you have already. If you already have a Masters degree, then don't even bother with another one -- unless you plan on getting into academia maybe. Certs are a different breed IMO and we, as IT professionals, are one of maybe 3 or 4 fields that rely very heavily on them. As I've mentioned in other threads, don't expect a cert to get you a raise -- expect it to put you above your competition though.

    EDIT: Just noticed you are working on your bachelors. If you REALLY wanna do SEC542 and GWAPT, then I would say do it, but then hold off on anything more until you get that done. Without a bachelor's degree it is getting difficult to get a position in InfoSec at least. Go google SOC or Security Analyst and you'll see predominantly all will have a mandatory Bachelor's in it.
  • Jasiono Member Posts: 896
    I just got my yearly goals from my manager and he wants me to go out and get the GWAPT. Then I will go back to finish my Bachelor's. I have (or had) 3 more classes to go, so I'm fairly close to getting it.
  • Randy_Randerson Member Posts: 115
    Jasiono wrote: »
    I just got my yearly goals from my manager and he wants me to go out and get the GWAPT. Then I will go back to finish my Bachelor's. I have (or had) 3 more classes to go, so I'm fairly close to getting it.

    Perfect! Don't get it twisted either, it is a hard test, but I did enjoy the class. You'll definitely come out with a new set of knowledge you didn't have before that.