Real World Security Professional (RWSP) certification

JDMurray (MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+), Surf City, USA, Admin, Posts: 12,097
I ran across these links to a "Real World Security Professional" certification. Anyone have any experience with the RWSP cert? Looks like a pen testing and CTF training cert.

Black Hat ® Technical Security Conference: Abu Dhabi 2010 // Real World Security: Attack, Defend, Repel by Peak Security


  • Bl8ckr0uter, Inactive Imported Users, Posts: 5,031
    Looks sweet. I think this would be something that I would like to do.
  • rogue2shadow (CISSP, GXPN, OSCE, OSCP, OSWP, eMAPT, CEH, CNDA, A+, Network+, Security+), Member, Posts: 1,501
    This looks hot. I think 10 years from now I'd be down hahah.

  • sexion8, Member, Posts: 242
    I wrote the article to explain my experience with the entire class, the structure and why I believe it to be one of the best security certifications around. Personally, it was my favorite and most challenging certification to date. When I first saw the class, I was skeptical about the entire class because of the name - as I found it to sound a bit "arrogant" so I emailed those responsible for the cert. I will copy and paste (doing so WITH PERMISSION of the sender and myself):

    Begin email conversation

    Hi Jesus,

    Yes, the RWSP is real. And no, we don't intend to be a slap in the face of traditional certifications. The reason you can't find much information on the certification is that it's still in the beginning stages. Let me explain our goals, and where we are to date.

    The RWSP is based on an individual's ability to handle and react to real world security situations. We approach the security topic from both offensive and defensive perspectives, and no single student is required to be an expert in both sides. Over the years, we've grown frustrated with the growing number of "content based" certifications, where you read a book or take a course, then take the exam. We felt that the pool of certified professionals was being diluted by individuals that really don't have the experience and knowledge to do the work. What we wanted to do with the RWSP is bring back some semblance of the peer review process (think of it like a blacksmith guild mentality). If a certification is peer reviewed, the quality of the members is better maintained, thus the certification also maintains its value to the industry.

    We've created a two-day, hands-on training course where students are split up into two teams. Each team sits on offense one day, and defense the other day. The simulations are real, but based on a fictional story line that we've created to keep the story flowing. The RWSP takes this practical demonstration of skills, and allows the students of the course to review the participation, value, leadership, and contributions made to each exercise, by each of the other students. All input is anonymous.

    Once the course is completed, a test is given to the students. The students must pass the test to continue on to the RWSP. When it's determined a student has passed the practical and the test, they're given 60 days to complete a written practical, on a security topic of their choosing. These practicals are reviewed not only by the instructors, but also by volunteers that have already obtained their RWSP. This ensures proper peer review in the entire process, and maintains the value of the certification.

    The entire certification process is free, once the course is taken. There are no annual fees, or CPEs to complete. Once you've been through the course, passed the test and been vetted by your peers, you've completed the process.

    We have a domain RWSP.ORG where we'll be posting more information about the certification in the near future. Our course at Black Hat sold out 6 weeks in advance, and we got some excellent feedback from the students in the course about both the content of the course, and the certification itself. We've been invited to teach the course in Australia, Japan, and in Abu Dhabi (Black Hat). The reviews were excellent from the first course, so I'm excited to be involved.

    I'd be happy to talk to you on the phone about this, if you're interested. If not, I understand. I'm not a sales guy, so you don't have to worry about me getting up in your face. :) Let me know if you have any further questions.

    -Russ Rogers

    On Sep 9, 2010, at 9:22 AM, J. Oquendo wrote:

    > Good morning. While looking over at the ISRM certification, I stumbled
    > upon information for your course. (RWSP) Do you have any printable PDFs
    > that explain the course and benefits so that I may bring it to the
    > attention of management in hopes of attending?
    > Also, little is said about the RWSP so my initial reaction is, that it
    > is a slap in the face/poke at security certs. This in the sense that
    > "hey this is a real world class, forget the paper (cert)." Am I mistaken?
    > If so, can you elaborate on this certification as little is visible on it.
    > --

    / End that thread

    / Begin another explanation via email

    The RWSP is less lecture and more "battlefield" experience. At least, that was the original intent of the course. We saw so many courses that were just fluff. You go in, take a week or two week course, and then take a test. So, from our perspective, we saw a lot of people getting classroom instruction, but no one was being put to the test. A good comparison would be to send a soldier to basic training, then assume he/she is ready for a war, even though they've never had their skills tested; or been forced to make decisions while under pressure.

    With the RWSP, we try to put the students under the stress of "omg, it's happening right now!". They're going to find out exactly what "working as a team" means. Rock stars don't succeed. There are no "Rambos" in the security world. They're going to find out how to think creatively to defend against attacks. If you're being hit hard, right now, what will you do? We had one team DoS their own router long enough that they could exploit one of their own servers (they had lost the Administrative password), so they could change the Admin password and patch the server. They lost points for not keeping their service available to customers, but kept the bad guys at bay (by a matter of minutes).

    Each team gets to play on Defense one day, and on Offense the other day. And you don't have to be an expert at everything to succeed. You just need to know your role, and be successful in that role. We've included bits and pieces of most security realms, including penetration testing, firewalls, intrusion detection, exploit development, reverse engineering, project management, patching, monitoring, incident response, etc.

    One of the REAL keys is the peer review. There are three parts to the certification: the practical (classroom exercises), the exam (at the end of the class), and the research paper (completed after the course). The practical portion is peer reviewed by the other students in the course at the time. They'll gauge your ability to work in a team. Do you know your job? They decide how well you participated to try to achieve the team's goals. Rock stars don't do well, because they tend to dismiss the organization's security plans, and do their own thing.

    The test covers basic knowledge that any security professional should know.

    The research paper is the other peer reviewed portion of the RWSP. The candidate picks a topic that they feel is compelling, and submits that for approval to Peak Security. Once the topic is approved, the candidate has 90 days to write the paper, and submit it for peer review. We've created a standardized rubric, whereby other RWSP certified individuals can review each candidate's submission. Participation as a reviewer is completely voluntary, but we try to keep everyone in the process involved, because they help keep the pool of talent in the certification legitimate. Additionally, Peak Security isn't looking to create a "pipeline of revenue" from this certification. The student pays for the course, and that's it. The rest of the process is included.

    The entire course structure is based on two fictional organizations, each with its own boss, each with its own culture, each with its own corporate colors and logo. We've built an entire back story around the course, to make it more enjoyable. We've found that the students that do best are the ones that take it seriously. As another example, we actually had a student in our course in Abu Dhabi get up from his own team's table and move to the other team, "to do some social engineering". The other team allowed him to sit there for most of the first day before realizing that he was taking all of their information, planning, and ideas and telling his own team about it.

    / End that last email

    With this said, I finished up my paper which is currently under review. I personally found this test to be more challenging than my OSCP, CEH and CPT classes. You have to understand, in those exams, the exploits and targets are static. In this class, you have to improvise on both sides a) to defend yourself and b) to compromise your target. It is very different when you're working along with and against your peers, many of whom will have more experience than you. It is not a piece of cake certification.

    If you need to know more about the staff associated with the certification, who they are, etc., please visit Training: Real World Security

    AUTHOR'S BIAS: I enjoyed the certification and believe it delivers real value. I have no ties to Peak Security other than being a RWSP candidate. I hold 6-7 security related certs (CEH, CPT, OSCP, CHFI, etc.) and this to me was the one that I found most challenging.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius