Interesting article - It’s Time to Move on from Offensive Security Certifications

I came across this today and since I don't know much about Offensive Security want to leave it here for others to chime in.

https://veteransec.com/2018/10/30/opinion-its-time-to-move-on-from-offensive-security-certifications/

Excerpt:
"Having an OffSec certification meant you had a good baseline of hacking knowledge and were well-prepared to handle a real-world job. However, in my opinion (and having two OffSec certifications), the certifications just aren’t worth the money any more."

Comments

  • JoJoCal19JoJoCal19 Mod Posts: 2,835 Mod
    He's not wrong, but it's not quite as cut and dry as he makes it out to be in my opinion. For PWK/OSCP, the course may be outdated, but from all of the reviews I've read, the process and rigor is what forges capable pentesters. The threat and vulnerability landscape changes daily (heck hourly is more like it). No course can really stay 100% up to date. I agree with him on Hack the Box being better for learning up to date vulnerabilities and exploits. Again, the skills one gained from the OSCP would enable you to do well with HTB while also learning new stuff from HTB. I do think PWK students that go for manual exploitation in the labs rather than just using straight up metasploit for the whole process are better equipped to handle such a dynamically changing environment. I still agree with sentiment on the lack of updates to the courses. It is a stain (or should be) on OffSec's reputation.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up:​ OSCP
    Studying:​ Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • ottucsakottucsak Member Posts: 146 ■■■■□□□□□□
    Totally agree with JoJoCal19. I think the author misunderstood the point of these courses/certifications. Except for the OSWP, which actually sucks.
  • kurtkobaindtkurtkobaindt Member Posts: 15 ■□□□□□□□□□
    cyberguypr wrote: »
    I came across this today and since I don't know much about Offensive Security want to leave it here for others to chime in.

    https://veteransec.com/2018/10/30/opinion-its-time-to-move-on-from-offensive-security-certifications/

    Excerpt:
    "Having an OffSec certification meant you had a good baseline of hacking knowledge and were well-prepared to handle a real-world job. However, in my opinion (and having two OffSec certifications), the certifications just aren’t worth the money any more."

    he is an instructor of OSCP course on INE :D
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    These "lack of update" reviews come every month, insert "better course" <here> "I swear I have no affiliate with them."

    Nothing new.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    he is an instructor of OSCP course on INE :D

    That doesn't make him an official Offensive Security instructor, and I am surprised INE is getting away with advertising "OSCP" training.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.
  • m4v3r1ckm4v3r1ck Member Posts: 29 ■■□□□□□□□□
    I'm glad someone linked me here so I could actually defend myself.
    chrisone wrote: »
    These "lack of update" reviews come every month, insert "better course" <here> "I swear I have no affiliate with them."

    Nothing new.

    So, exactly what other training did I happen to mention here as better course? A quarterly in-person web app course I enjoyed? Not up my alley, but I dig the conspiracy theories.
    chrisone wrote: »
    That doesn't make him an official Offensive Security instructor, and I am surprised INE is getting away with advertising "OSCP" training.

    It's an OSCP prep course. Just like all other certifications have prep courses. It's legal under the FAIR Use Act. If anything, my course has driven quite a few people to actually pursue the certification.
  • m4v3r1ckm4v3r1ck Member Posts: 29 ■■□□□□□□□□
    Danielm7 wrote: »
    My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.

    This. The rigor of the course and the ability to persevere may show something about your character, yes. The OSCP isn't a walk in the park, though it's not entirely difficult either. The issue is that it's not realistic and a lot of the methodology is significantly different in real-world penetration testing.

    People have been getting hung up on the OSCP aspect. The overall call is for better training. Teaching people to hack on XP boxes isn't ideal, but I get it. Teaching people how to hack WEP and calling it a certification? Outrageous. The same thing goes for the OSCE and their outdated 32-bit exploit development tactics.

    The training doesn't have to be perfect or up to date, but we can do better than XP, WEP, and 32-bit, no? Pentesting interviews are no joke and they focus heavily on AD environments. Speaking from experience, the training does not prepare one for really working in the field outside of simple methodology and persevering some rigor.
  • chrisonechrisone Member Posts: 2,278 ■■■■■■■■■□
    I think most of us agree and understand your points, but your "call" to the community to move on from offsec and promote other training (which is totally fair) is why it seems like another "offensive security lack of updates" article.

    "[FONT=&amp]This is my call to the community. Let’s move on from OffSec and start talking about training that actually stays up to date and providers that actually care about preparing a student for their future."

    ^totally fair based on your opinion


    [/FONT]
    [FONT=&amp]"So, if there is fantastic training out there that you really enjoyed, please don’t hesitate to let me know!
    [/FONT]
    [FONT=&amp]I’ll start:[/FONT]
    [FONT=&amp]PWAPT:
    This past Spring, I was fortunate enough to take the Practical Web Application Penetration Testing (PWAPT)"
    [/FONT]
    [FONT=&amp]
    ^totally fair based on your opinion[/FONT]


    Readers seeing this have a fair opinion to disagree about your CALL to the community and your statement about offensive security not caring about its students. I pretty much agreed with your technical analysis of OSCP, but I can't really have an opinion about your opinion of CTP and OSCE since both you and I have never taken CTP OSCE?

    One last thing:
    Not to mention I have only heard great things about AWAE (OSWE cert)and AWE (OSEE). Would suck for others to be convinced by a CALL to not support offsec anymore.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • scascscasc Member Posts: 465 ■■■■■■■□□□
    @Danielm7
    Brilliant point! Nothing else to add!
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • DatabaseHeadDatabaseHead Member Posts: 2,760 ■■■■■■■■■■
    Danielm7 wrote: »
    My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.

    Eloquently put.
  • ottucsakottucsak Member Posts: 146 ■■■■□□□□□□
    Danielm7 wrote: »
    My issue with the OSCP is that people praise more the effort than what they learned most of the time. That then tends to have them crap on any other training that actually involves training people. Elearnsecurty.com material, SANS, etc, I've seen many people insist they are all garbage because they won't make you beat your head against the wall as badly as the OSCP, because there is apparently something wrong with people being actually taught sometime more effectively.

    I really like eLearnSecurity materials, but the exams are so easy that even a drunk donkey can pass them and SANS is just too rich for my blood. :)
  • MitMMitM Member Posts: 622 ■■■■□□□□□□
    I don't have much to say except for the cost, it should be updated more frequently
    he is an instructor of OSCP course on INE :D

    This would worry me, lately. A lot of their instructors are horrible, but he actually seems to know his stuff
  • m4v3r1ckm4v3r1ck Member Posts: 29 ■■□□□□□□□□
    MitM wrote: »
    I don't have much to say except for the cost, it should be updated more frequently



    This would worry me, lately. A lot of their instructors are horrible, but he actually seems to know his stuff



    Thank you :P I'm just really good at faking competency.
  • datakandatakan Member Posts: 17 ■■□□□□□□□□
    The OSCP process is about learning how to learn. You don't go into it expecting the latest and greatest. You go into it to learn how to figure this stuff out and self educate. It excels at this and has a great method of weeding out the people that need to be spoon fed everything.

    I'd take an OSCP over anyone else for the simple fact that I KNOW they can figure out what's being asked of them. It really pisses me off seeing posts like this because you never hear these people talk about the CISSP like this and that POS cert needs to die in a fire while being nuked from orbit.
  • the_Grinchthe_Grinch Member Posts: 4,165 ■■■■■■■■■■
    This runs along the same lines as an article I read from a UPenn student. This student said his Computer Science degree was useless because they taught him PHP. First, PHP is still alive and well. Second, the idea of Computer Science is to give you the base to pick up any language. I look at OSCP in the same light: it gives you a foundation and it's on you to keep yourself up to date.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • griffondggriffondg Member Posts: 39 ■■□□□□□□□□
    The OSCP doesn't claim to be a representation of a typical corporate network. It's an entry level penetration course that teaches the basics and for that it does a fantastic job. Its main strength is it forces you to teach yourself and persevere so I'm not so hung up on old technologies. It's like saying arithmetic isn't important because I've moved on to physics.

    As someone preparing for the OSCE it still seems very relevant from all I've read. Once again, it's the principals that are taught that's most important and things taught in the course give you a foundation for 64bit exploit development.

    Offensive Security also has advanced courses in Windows and Web App pentesting that should be online within the next year or two which will help fill in those subjects that are most real-world relevant.
  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    Another article where the writer fails to see the OSCP for what it is, an ENTRY LEVEL pentesting certification. I'm also assuming that the writer did not finish all of the lab boxes because the lab environment does have an AD environment and newer operating systems. What do you people want? Windows 10 boxes? Because most of the techniques to break into a Windows 10 box are not considered entry level. Hence why they have more advanced courses.

    Also as stated by others, the real value of the course is it teaching you how to analyze and solve difficult problems. A skill that is the most important skill one can have when it comes to security. On my team if you have an issue, you are expected to figure it out on your own becuase the other team members have thier own tasks to worry about. This doesn't mean that we don't work together on most things, it just means that we actually take the time time to solve our own problems instead of rasing the alarm if the resolution isnt on the first page of a google search.

    However, everyone is entitled to thier own opinion. This is just one that I will never agree with.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • TeKniquesTeKniques Member Posts: 1,262 ■■■■□□□□□□
    m4v3r1ck wrote: »
    The same thing goes for the OSCE and their outdated 32-bit exploit development tactics.

    The exploit development tactics are not outdated, they are crucial for building a foundational understanding. For a lot of people, it's fairly difficult to step into 64-bit assembly without the prior background in the 32-bit registers. As someone who has taken and passed OSCE and has taken the AWE training; I can tell you that exploiting applications on Windows 10 with the newer mitigation controls in-place is not something you're going to teach as a beginning course.
  • themanwholaughsthemanwholaughs Member Posts: 27 ■■■□□□□□□□
     OSCP teaches you the fundamentals like most degrees when you do computer science. If you do security research while doing the course and apply it you will do well in the exam. You're not going to be a master hacker by doing it but you will know more than people who just do theory as OSCP is all practical. OSCP is actually a higher cert than the basic Security+ and CEH. 
  • BlucodexBlucodex Member Posts: 430 ■■■■□□□□□□
    Article is down.  I think the OSCP is more a training than a cert.  The amount of knowledge you can attain from the labs is monumental if you do not have a OffSec background.
  • nisti2nisti2 Member Posts: 503 ■■■■□□□□□□
    edited April 2019
    The article is down. :(
    2020 Year goals:
    Already passed: Oracle Cloud, AZ-900
    Taking AZ-104 in December.

    "Certs... is all about IT certs!"
  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    nisti2 said:
    The article is down. :(
    You're not missing much. The author was just a person who failed to fully grasp exactly what the OSCP is all about.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • LonerVampLonerVamp Member Posts: 518 ■■■■■■■■□□
    McxRisley said:
    nisti2 said:
    The article is down. :(
    You're not missing much. The author was just a person who failed to fully grasp exactly what the OSCP is all about.
    IMO that's putting it nicely.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    LonerVamp said:
    McxRisley said:
    nisti2 said:
    The article is down. :(
    You're not missing much. The author was just a person who failed to fully grasp exactly what the OSCP is all about.
    IMO that's putting it nicely.
    Ya, was trying to keep it professional and not start another keyboard war lol
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • FluffyBunnyFluffyBunny Member Posts: 245 ■■■■■■□□□□
    Blucodex said:
    I think the OSCP is more a training than a cert. 
    If we're going to be technical about it, PWK (Pentesting With Kali Linux) is the course and OSCP is the certification exam. The latter being a 24hr slog, I would definitely say it's a cert exam :)
Sign In or Register to comment.