Interesting article - It’s Time to Move on from Offensive Security Certifications

I came across this today and since I don't know much about Offensive Security want to leave it here for others to chime in.

https://veteransec.com/2018/10/30/opinion-its-time-to-move-on-from-offensive-security-certifications/

Excerpt:
"Having an OffSec certification meant you had a good baseline of hacking knowledge and were well-prepared to handle a real-world job. However, in my opinion (and having two OffSec certifications), the certifications just aren’t worth the money any more."

Find more posts tagged with

Comments

JoJoCal19

He's not wrong, but it's not quite as cut and dry as he makes it out to be in my opinion. For PWK/OSCP, the course may be outdated, but from all of the reviews I've read, the process and rigor is what forges capable pentesters. The threat and vulnerability landscape changes daily (heck hourly is more like it). No course can really stay 100% up to date. I agree with him on Hack the Box being better for learning up to date vulnerabilities and exploits. Again, the skills one gained from the OSCP would enable you to do well with HTB while also learning new stuff from HTB. I do think PWK students that go for manual exploitation in the labs rather than just using straight up metasploit for the whole process are better equipped to handle such a dynamically changing environment. I still agree with sentiment on the lack of updates to the courses. It is a stain (or should be) on OffSec's reputation.

ottucsak

Totally agree with JoJoCal19. I think the author misunderstood the point of these courses/certifications. Except for the OSWP, which actually sucks.

kurtkobaindt

cyberguypr wrote: »

I came across this today and since I don't know much about Offensive Security want to leave it here for others to chime in.

https://veteransec.com/2018/10/30/opinion-its-time-to-move-on-from-offensive-security-certifications/

Excerpt:
"Having an OffSec certification meant you had a good baseline of hacking knowledge and were well-prepared to handle a real-world job. However, in my opinion (and having two OffSec certifications), the certifications just aren’t worth the money any more."

he is an instructor of OSCP course on INE

chrisone

These "lack of update" reviews come every month, insert "better course" <here> "I swear I have no affiliate with them."

Nothing new.

chrisone

kurtkobaindt wrote: »

he is an instructor of OSCP course on INE

That doesn't make him an official Offensive Security instructor, and I am surprised INE is getting away with advertising "OSCP" training.

Danielm7

My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.

m4v3r1ck

I'm glad someone linked me here so I could actually defend myself.

chrisone wrote: »

These "lack of update" reviews come every month, insert "better course" <here> "I swear I have no affiliate with them."

Nothing new.

So, exactly what other training did I happen to mention here as better course? A quarterly in-person web app course I enjoyed? Not up my alley, but I dig the conspiracy theories.

chrisone wrote: »

That doesn't make him an official Offensive Security instructor, and I am surprised INE is getting away with advertising "OSCP" training.

It's an OSCP prep course. Just like all other certifications have prep courses. It's legal under the FAIR Use Act. If anything, my course has driven quite a few people to actually pursue the certification.

m4v3r1ck

Danielm7 wrote: »

My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.

This. The rigor of the course and the ability to persevere may show something about your character, yes. The OSCP isn't a walk in the park, though it's not entirely difficult either. The issue is that it's not realistic and a lot of the methodology is significantly different in real-world penetration testing.

People have been getting hung up on the OSCP aspect. The overall call is for better training. Teaching people to hack on XP boxes isn't ideal, but I get it. Teaching people how to hack WEP and calling it a certification? Outrageous. The same thing goes for the OSCE and their outdated 32-bit exploit development tactics.

The training doesn't have to be perfect or up to date, but we can do better than XP, WEP, and 32-bit, no? Pentesting interviews are no joke and they focus heavily on AD environments. Speaking from experience, the training does not prepare one for really working in the field outside of simple methodology and persevering some rigor.

chrisone

I think most of us agree and understand your points, but your "call" to the community to move on from offsec and promote other training (which is totally fair) is why it seems like another "offensive security lack of updates" article.

"[FONT=&amp]This is my call to the community. Let’s move on from OffSec and start talking about training that actually stays up to date and providers that actually care about preparing a student for their future."

^totally fair based on your opinion

[/FONT][FONT=&amp]"So, if there is fantastic training out there that you really enjoyed, please don’t hesitate to let me know!
[/FONT][FONT=&amp]I’ll start:[/FONT]
[FONT=&amp]PWAPT:
This past Spring, I was fortunate enough to take the Practical Web Application Penetration Testing (PWAPT)"
[/FONT][FONT=&amp]
^totally fair based on your opinion[/FONT]

Readers seeing this have a fair opinion to disagree about your CALL to the community and your statement about offensive security not caring about its students. I pretty much agreed with your technical analysis of OSCP, but I can't really have an opinion about your opinion of CTP and OSCE since both you and I have never taken CTP OSCE?

One last thing:
Not to mention I have only heard great things about AWAE (OSWE cert)and AWE (OSEE). Would suck for others to be convinced by a CALL to not support offsec anymore.

scasc

@Danielm7
Brilliant point! Nothing else to add!

DatabaseHead

Danielm7 wrote: »

My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.

Eloquently put.

ottucsak

Danielm7 wrote: »

My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.

I really like eLearnSecurity materials, but the exams are so easy that even a drunk donkey can pass them and SANS is just too rich for my blood.

MitM

I don't have much to say except for the cost, it should be updated more frequently

kurtkobaindt wrote: »

he is an instructor of OSCP course on INE

This would worry me, lately. A lot of their instructors are horrible, but he actually seems to know his stuff

m4v3r1ck

MitM wrote: »

I don't have much to say except for the cost, it should be updated more frequently

This would worry me, lately. A lot of their instructors are horrible, but he actually seems to know his stuff

Thank you :P I'm just really good at faking competency.

datakan

The OSCP process is about learning how to learn. You don't go into it expecting the latest and greatest. You go into it to learn how to figure this stuff out and self educate. It excels at this and has a great method of weeding out the people that need to be spoon fed everything.

I'd take an OSCP over anyone else for the simple fact that I KNOW they can figure out what's being asked of them. It really pisses me off seeing posts like this because you never hear these people talk about the CISSP like this and that POS cert needs to die in a fire while being nuked from orbit.

the_Grinch

This runs along the same lines as an article I read from a UPenn student. This student said his Computer Science degree was useless because they taught him PHP. First, PHP is still alive and well. Second, the idea of Computer Science is to give you the base to pick up any language. I look at OSCP in the same light: it gives you a foundation and it's on you to keep yourself up to date.

griffondg

The OSCP doesn't claim to be a representation of a typical corporate network. It's an entry level penetration course that teaches the basics and for that it does a fantastic job. Its main strength is it forces you to teach yourself and persevere so I'm not so hung up on old technologies. It's like saying arithmetic isn't important because I've moved on to physics.

As someone preparing for the OSCE it still seems very relevant from all I've read. Once again, it's the principals that are taught that's most important and things taught in the course give you a foundation for 64bit exploit development.

Offensive Security also has advanced courses in Windows and Web App pentesting that should be online within the next year or two which will help fill in those subjects that are most real-world relevant.

McxRisley

Another article where the writer fails to see the OSCP for what it is, an ENTRY LEVEL pentesting certification. I'm also assuming that the writer did not finish all of the lab boxes because the lab environment does have an AD environment and newer operating systems. What do you people want? Windows 10 boxes? Because most of the techniques to break into a Windows 10 box are not considered entry level. Hence why they have more advanced courses.

Also as stated by others, the real value of the course is it teaching you how to analyze and solve difficult problems. A skill that is the most important skill one can have when it comes to security. On my team if you have an issue, you are expected to figure it out on your own becuase the other team members have thier own tasks to worry about. This doesn't mean that we don't work together on most things, it just means that we actually take the time time to solve our own problems instead of rasing the alarm if the resolution isnt on the first page of a google search.

However, everyone is entitled to thier own opinion. This is just one that I will never agree with.

TeKniques

m4v3r1ck wrote: »

The same thing goes for the OSCE and their outdated 32-bit exploit development tactics.

The exploit development tactics are not outdated, they are crucial for building a foundational understanding. For a lot of people, it's fairly difficult to step into 64-bit assembly without the prior background in the 32-bit registers. As someone who has taken and passed OSCE and has taken the AWE training; I can tell you that exploiting applications on Windows 10 with the newer mitigation controls in-place is not something you're going to teach as a beginning course.

privatezero

I know this is an older post, but wanted to chime in on this.

I think the author is approaching the concept of the OSCP wrong. With the way that the threat landscape changes, and limitations of any testing format, no certification is going to give you real world experience.

The OSCP experience isn't about giving you the skills to be an uber hacker. To put it in words us Army guys can understand, it's more like Selection for the Green Berets or Seal BUDS. Neither of these course give you the training to become an Uber Soldier, that comes later.

These courses are about weeding out the Soldiers who do not have the mental fortitude to keep going in the face of overwhelming adversity. I've been around enough Green Berets to know that if you ask most of them how they got through Selection, they will tell you its simple. "Don't F*ing quit"

The OSCP certifies that you can handle the mental rigors needed to research, problem solve and that when push comes to shove, you don't F'ing quit. As a hiring manager, I'd much rather see those skills than some guy who knows all the latest exploits and how to use them because he's an uber elite hacker. Hack the box, while fun, and can be educational, has much more of a group based experience to it. Read enough of the forums, you'll pick up the hints to a HTB box and eventually get root through the Cut & Paste Exploit Method. Not so with the OSCP, which is part of the frustrating part.

If that applicant runs into something he doesn't know, is he going to be able to perserve? To adapt and overcome? That's the difference between a Professional and a hacker. I don't care how many boxes you rooted. I care how you found 10,000 ways not to root a box and still kept going.

themanwholaughs

OSCP teaches you the fundamentals like most degrees when you do computer science. If you do security research while doing the course and apply it you will do well in the exam. You're not going to be a master hacker by doing it but you will know more than people who just do theory as OSCP is all practical. OSCP is actually a higher cert than the basic Security+ and CEH.

Blucodex

Article is down. I think the OSCP is more a training than a cert. The amount of knowledge you can attain from the labs is monumental if you do not have a OffSec background.

nisti2

The article is down.

McxRisley

nisti2 said:

The article is down.

You're not missing much. The author was just a person who failed to fully grasp exactly what the OSCP is all about.

LonerVamp

McxRisley said:

nisti2 said:

The article is down.

You're not missing much. The author was just a person who failed to fully grasp exactly what the OSCP is all about.

IMO that's putting it nicely.

McxRisley

LonerVamp said:

McxRisley said:

nisti2 said:

The article is down.

You're not missing much. The author was just a person who failed to fully grasp exactly what the OSCP is all about.

IMO that's putting it nicely.

Ya, was trying to keep it professional and not start another keyboard war lol

FluffyBunny

Blucodex said:

I think the OSCP is more a training than a cert.

If we're going to be technical about it, PWK (Pentesting With Kali Linux) is the course and OSCP is the certification exam. The latter being a 24hr slog, I would definitely say it's a cert exam