Interesting article - It’s Time to Move on from Offensive Security Certifications

I came across this today and since I don't know much about Offensive Security want to leave it here for others to chime in.
https://veteransec.com/2018/10/30/opinion-its-time-to-move-on-from-offensive-security-certifications/
Excerpt:
"Having an OffSec certification meant you had a good baseline of hacking knowledge and were well-prepared to handle a real-world job. However, in my opinion (and having two OffSec certifications), the certifications just aren’t worth the money any more."
Comments
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
He is an instructor of OSCP course on INE
Nothing new.
2023 Cert Goals: SC-100, eCPTX
That doesn't make him an official Offensive Security instructor, and I am surprised INE is getting away with advertising "OSCP" training.
2023 Cert Goals: SC-100, eCPTX
So, exactly what other training did I happen to mention here as better course? A quarterly in-person web app course I enjoyed? Not up my alley, but I dig the conspiracy theories.
It's an OSCP prep course. Just like all other certifications have prep courses. It's legal under the FAIR Use Act. If anything, my course has driven quite a few people to actually pursue the certification.
This. The rigor of the course and the ability to persevere may show something about your character, yes. The OSCP isn't a walk in the park, though it's not entirely difficult either. The issue is that it's not realistic and a lot of the methodology is significantly different in real-world penetration testing.
People have been getting hung up on the OSCP aspect. The overall call is for better training. Teaching people to hack on XP boxes isn't ideal, but I get it. Teaching people how to hack WEP and calling it a certification? Outrageous. The same thing goes for the OSCE and their outdated 32-bit exploit development tactics.
The training doesn't have to be perfect or up to date, but we can do better than XP, WEP, and 32-bit, no? Pentesting interviews are no joke and they focus heavily on AD environments. Speaking from experience, the training does not prepare one for really working in the field outside of simple methodology and persevering some rigor.
"This is my call to the community. Let’s move on from OffSec and start talking about training that actually stays up to date and providers that actually care about preparing a student for their future."
^totally fair based on your opinion
"So, if there is fantastic training out there that you really enjoyed, please don’t hesitate to let me know!
I’ll start:
PWAPT:
This past Spring, I was fortunate enough to take the Practical Web Application Penetration Testing (PWAPT)"
^totally fair based on your opinion
Readers seeing this have a fair opinion to disagree about your CALL to the community and your statement about offensive security not caring about its students. I pretty much agreed with your technical analysis of OSCP, but I can't really have an opinion about your opinion of CTP and OSCE since both you and I have never taken CTP OSCE?
One last thing:
Not to mention I have only heard great things about AWAE (OSWE cert) and AWE (OSEE). Would suck for others to be convinced by a CALL to not support offsec anymore.
2023 Cert Goals: SC-100, eCPTX
Brilliant point! Nothing else to add!
Eloquently put.
I really like eLearnSecurity materials, but the exams are so easy that even a drunk donkey can pass them and SANS is just too rich for my blood.
This would worry me, lately. A lot of their instructors are horrible, but he actually seems to know his stuff
Thank you :P I'm just really good at faking competency.
I'd take an OSCP over anyone else for the simple fact that I KNOW they can figure out what's being asked of them. It really pisses me off seeing posts like this because you never hear these people talk about the CISSP like this and that POS cert needs to die in a fire while being nuked from orbit.
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff
As someone preparing for the OSCE it still seems very relevant from all I've read. Once again, it's the principles that are taught that's most important and things taught in the course give you a foundation for 64-bit exploit development.
Offensive Security also has advanced courses in Windows and Web App pentesting that should be online within the next year or two which will help fill in those subjects that are most real-world relevant.
Also as stated by others, the real value of the course is it teaching you how to analyze and solve difficult problems. A skill that is the most important skill one can have when it comes to security. On my team if you have an issue, you are expected to figure it out on your own because the other team members have their own tasks to worry about. This doesn't mean that we don't work together on most things, it just means that we actually take the time to solve our own problems instead of raising the alarm if the resolution isn't on the first page of a Google search.
However, everyone is entitled to their own opinion. This is just one that I will never agree with.
The exploit development tactics are not outdated, they are crucial for building a foundational understanding. For a lot of people, it's fairly difficult to step into 64-bit assembly without the prior background in the 32-bit registers. As someone who has taken and passed OSCE and has taken the AWE training; I can tell you that exploiting applications on Windows 10 with the newer mitigation controls in-place is not something you're going to teach as a beginning course.
These courses are about weeding out the Soldiers who do not have the mental fortitude to keep going in the face of overwhelming adversity. I've been around enough Green Berets to know that if you ask most of them how they got through Selection, they will tell you it's simple. "Don't F*ing quit"
Already passed: Oracle Cloud, AZ-900
Taking AZ-104 in December.
"Certs... is all about IT certs!"
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?