Need Advice GWAPT vs GWEB

amarsuhas

Hey Folks, I am planning to go for GWAPT certification. I do conduct app pen tests at the same time I also advise app owners on mitigation. My questions is what mitigation controls or app defensive technologies they cover in GWAPT or its only about pen testings apps? GIAC also has GWEB which specifically covers app security from dev. standpoint. Any inputs will be valuable.

paul78

I can't comment on GWEB but I did take the GWAPT a while back. Perhaps it has improved but I was very unimpressed by the GWAPT content. I thought that it was extremely rudimentary and covered only the basics. I would only recommend GWAPT for someone that didn't have an webapp experience and was looking for an intro to the topics. It's probably not very useful for someone that already does pentesting.

xXxKrisxXx

Hey amarsuhas. l took DEV522 at SANS2015 and l found it to be a great course. l have a development background and have done some web app pen testing before. You were given a Linux VM back then and the lab exercises in the course were more centered around PHP. All of the attack vectors are obviously present in all web applications and the defenses against them vary by platform. The course content is pretty universal on the defense side from what l remember. They don't only get into how you'd mitigate it on the Apache/PHP Side, but they'd also show how to defend against it on IIS if relevant too.

I made friends with the gentleman who sat next to me who was an active SEC542 Mentor in Raleigh, NC back then (GWAPT Certified). He told me he does web app pen testing and was taking it to just fill in his knowledge on the defense side. Since you're already on the attack side of the house, l can honestly just see it complimenting your skillset. GWAPT is primarily based around on attacking Web Apps while GWEB is centered around defense. Even if you're given PHP Examples in DEV522, they fixes and/or defenses taught translate over to other platforms.