CompTIA/CASP

never2late

grauwulf wrote: »

I went into the exam totally cold and got quite a doozy, especially in comparison to other CompTIA offerings. Overall I was very impressed with this exam.

Thoughts:
Based on my set of questions; I think that this exam is a pretty good gauge of your abilities to function as a well rounded security professional. Without breaking the NDA I will say that some of the questions I got were very technical, some where very focused on management, and a portion was related to network design (which I was very happy to see). There was at least 1 question that I'm certain nobody who hasn't actually 'done it' in the real world will be able to get. I was also happy that while the exam maintained vendor neutrality overall, I did receive questions that had some very useful vendor focused material.

Some of the questions lacked a bit to be desired in the wording category, but that's just about any certification exam. Overall I think this is a pretty good evaluation exam for a 'general security person'. Maybe a system architect, or sys admin. I would be quite impressed if a run of the mill CTO could pass this test without a boot camp or brain ****.

Going in with no study at all I left with a 60/40 feeling as to if I passed. That is to say, not knowing what the pass margin is (some tests are 50%, some are 90%) I felt like I did decently.

Finally I would like to say that all any certification actually validates is that you can pass a test. Maybe even by simple luck. Certs don't make you good, but if you are good certs can help to prove it, and they can also be a good career investment.

Who am I?
I'm brand new to the board so it's fair to ask 'OK, so who the hell are you to give us your opinion?' I have been a software engineer, architect, and/or team lead for a little over 13 years. I have 2 degrees and 2 academic certificates in comp sci & information security. I currently hold about a dozen active certifications including: C|EH, C|HFI, Security+, Linux+, Project+, iNet+, SCJP, SCWCD, [and the list goes on, 'all' of these areas were useful to in my CASP test]. I am not an expert by any stretch of the imagination. I've been around the block a few times and I've taken these types of tests before. So there, that's me.

I'm enjoying your board, keep up the good work.

I agree with grauwulf assumptions. The test, which I took today, was more in-depth than any other CompTIA test but more geared towards the management side. A lot of policy and procedures, the "best" answer out of the choices, and, to my surprise, even networking scenarios and simulations. Unlike grauwulf, I left feeling as though I may have got 50% of the questions correct with a healthy dose of educated guesses. This was more than I expected but also what I hoped. A lot of these cert tests are predictable but this one made me think. Like others, I went in cold without trying to anticipate the criteria.

colemic

Surprised you had sims... wouldn't have expected that. And you think it was more management-geared, but was expected to be more technical in nature.

grauwulf

colemic wrote: »

Surprised you had sims... wouldn't have expected that. And you think it was more management-geared, but was expected to be more technical in nature.

Even better: The simulation environments are very rich. It's not a 100% mirror of a real system but it's close enough to let you actually work. Much better than the simulators I've seen in some other technical exams. Miles better than the CHFI sims (some of which I couldn't even make out -EDIT- I don't know how much of that was the testing center's $5 monitor and how much was EC. not an admonishment of the exam, just an observation). The only real problem I had with the simulations was that they were very much 'open ended', and the questions/tasks were as well.

For example, I had one question to the effect of "select the best tool to loosen this nut" and in the simulated tool box there are: pliers, screwdrivers, wrenches (metric and sae), adjustable wrenches, a blow torch, and a chisel.

Depending on the nut in question you might want a wrench, or you may need a blow torch. It can be very confusing. The best advice I can offer on those types of questions is to 'not' add any information. In the absence of data we have a tendency to fill in the gaps with what seems to make the best sense to us. If you try to guess what the questions are really getting at you will end up chasing your own tail. I ended up doing this a bit on some questions that asked you to design a XYZ. There are just so many different ways to set things up that it's very easy to get caught up in the 'well it depends' game.

The more I think about it the more interested to see my exam report. October/November is just so far away

mog27

Do you all think it would it be a waist of time to get this cert after getting the CISSP? (Kind of like getting the Net+ after CCNA)

demonfurbie

mog27 wrote: »

Do you all think it would it be a waist of time to get this cert after getting the CISSP? (Kind of like getting the Net+ after CCNA)

it depends isc2 may take it for the credits needed to keep the cissp

Avo

I also took the Beta CASP test and I got the results last Friday that I passed. I am studying for the CISSP, which probably helped a lot. Was it tougher than S+? Yes, much. Will it be tougher than the CISSP? Dunno yet, but probably not.

xirtlook

I havent taken, it but if it builds momentum, I might take this instead of C|EH.

however I would rather save my money/time for CISSP and OCSP (backtrack)

spiderjericho

So I took the exam today. I managed to pass (not sure how or what score). I got 15 questions out of 73 wrong.

I think I could've done a lot better if I had some sort of study material like a book or videos. There were concepts like securing a web server, database server, the CASP methodoly for defense in depth and network defense placement and a few other things I wasn't really solid on.

I had four simulations. My recommendation learn windows command line, know how to compile/write ACLs, be familiar with well-known ports, including microsoft (RDP, LDAP, CIFS, etc).

I'd say it's a hybrid exam of CISSP/SCCP management decisions (like security policies, risk management, Disaster Recovery, Enviornmental controls etc), CEH server vulnerabilities (Web, database, MiTM, etc) and Security+ concepts.

I wouldn't say it's a hard test. It's like any Comptia exam, where you can use the process of elimination. The main issue is not having study materials.

The only thing I used to study for the test was the Preplogic Security+, SCCP and CISSP quick study guides, Darril's practice test and the actual Exam objectives (and used Google to look up the topics).

I really don't think it's a CISSP "hard" exam. You're not using a scantron, pencil, 250 questions, 6 hours and getting mind ducked.

The two positives are you immediately know if you pass or fail and the inclusion of simulations/drag and drops. It's almost Cisco like.

And I can see the DoD adopting it for the 8570 requirements. But I guess we'll have to wait and see.

Darril

Congratulations, and thanks for the comprehensive post on your experience.

Darril Gibson
Security+ blog

spiderjericho

Darril, were you able to use the exam as credit toward your CISSP?

I think that was one of the main reasons why I took it since it could apply to compTIA continuing education and possibly CISSP.

Darril

I didn't try to use this as a CISSP continuing education credit, and I don't know if it can be.

Can you use it as a one-year waiver for CISSP (reducing the five-year experience requirement to four years)? This page (https://www.isc2.org/credential_waiver/default.aspx) only lists Security+ and not CASP, but I wouldn't surprised at all if CASP is added in the next year or so.

HTH,

Darril Gibson
Security+ blog

spiderjericho

If they allow CEHv7, Sec+ 301, etc as education credits, why couldn't they allow an intermediate security examination as credit? IMO, it should be worth at least 60 hours.

xirtlook

Congratulations on passing. I think I might change my gears after I get my CCNP. Think I'm going to just suck it up and sit in for the CEH and CASP.

It would be ashame to let what I learned in the last 2-3 years goto waste. If anything it'll be a great stepping stone, and prep for CISSP.

I really liked your explanation, "hybrid of CISSP/SCCP".

sounds much better than CISSP lol.

I'll sit in for this sometime next summer.

spiderjericho

The best advice I can give is take the CEH before the CASP. The database, web server, attack types, etc are present on the CASP and since there's no book to prepare you for the exam.

Honestly, CASP is a lot easier than CISSP. It's a third of the time, half the questions and a whole lot less management questions.

If you've passed CCNA, CEH and Sec+, you can pass CASP (as long as you look over the exam objectives and practice file management and troubleshooting in the command line, understand the placement of network infrastructure equipment, etc).

jayc71

I hear the CASP is a more technology focused exam than the CISSP, what advice would you all give to someone who passed the CISSP & Sec+ when it comes to sitting the CASP? Should I focus on the CEH materials?

spiderjericho

You can literally walk in and take the test. The only advice is to look at the objectives and research the subject if you don't know it. But if you were motivated, I'd say do CEH then CASP. A lot of CEH topics blur into CASP (and just maybe brush up on some of the domains from CISSP). The experience is definitely going to be less intense than the CISSP (a six-hour bubble test, about a four-week wait for the results and then creating a resume and getting endorsed compared to a 73-question test, computer-based exam, immediate results of pass or failure).

jayc71

spiderjericho wrote: »

You can literally walk in and take the test. The only advice is to look at the objectives and research the subject if you don't know it. But if you were motivated, I'd say do CEH then CASP. A lot of CEH topics blur into CASP (and just maybe brush up on some of the domains from CISSP). The experience is definitely going to be less intense than the CISSP (a six-hour bubble test, about a four-week wait for the results and then creating a resume and getting endorsed compared to a 73-question test, computer-based exam, immediate results of pass or failure).

Well that's refreshing. I looked over the objectives and felt like I would have a good chance at passing with a bit of brushing up on the subjects I don't deal with regularly. I've been waiting to hear what others who have taken the exam have to say. The C|EH is on my list as well and I feel comfortable with the material mostly, but I do need some lab time before I'd feel comfortable sitting the exam. When the CASP was announced it sounded like it might be interesting and my inner geek has been wanting to try it out just cause it's there.

spiderjericho

If I had the choice between the CASP and one of your VCPs or MCTS, I'd take one of those any day. Like it's been stated, it's more a resume padder versus highly sought after exam.

I think they should implement maybe five simulations/scenarios in the exam, increase it to 100 questions (no reason why the Net+, Sec+, etc have more questions), figure out the 8570.10 specifics and market it to all hell.

Right now, it's less regarded than the CEH (or maybe on the same level), GIAC, CISSP, etc.

jayc71

spiderjericho wrote: »

Right now, it's less regarded than the CEH (or maybe on the same level), GIAC, CISSP, etc.

That's pretty much the kicker right there, the exam is new and not highly sought after the moment...and it costs over $300. (discount, I know...but still it's pricey) I have passed the CISSP, so until (if?) the CASP gains some respect in the industry, and really among the HR types that screen resumes, it's hard to justify the price of the exam. IMO, if CompTIA wants to get some mass market appeal and respect to these kinds of 'higher level' exams, they need to drop the price and spend a lot on advertising to make the cert more desirable.

joshmadakor

Lol holy exam objectives

I think it's worth taking...being offered by CompTIA and all.

I'm glad to see them making a higher-lever cert

spiderjericho

Dunno. A CISSP costs $600. Is a six-hour written exam with 250 questions. Personally, except for the 8570 push for it, I think it's a worthless exam, but it still has a perception of value and reverance in the IT community.

I'm not sure what CompTIA can do to raise awareness and change the attitude about CASP. But at the moment, it's a brand new exam with little difficulty. Besides the 8570 requirement, I just don't see the value. Lowering the price to an easy exam will only increase the number of certified people, not increase the reputation (and the possibility of there soon being exam "prep").

Avo

Avo wrote: »

I also took the Beta CASP test and I got the results last Friday that I passed. I am studying for the CISSP, which probably helped a lot. Was it tougher than S+? Yes, much. Will it be tougher than the CISSP? Dunno yet, but probably not.

I finally got my CISSP results back (after 5 1/2 weeks) and I passed. The CISSP was only more difficult due to the length and style of the test. The CASP was more technology based, and was a more interesting test to take. If you have the S+ and are studying for the CISSP you will be able to pass the CASP. Sybex is coming out with a CASP book by March, but the Shon Harris CISSP book would do just as well.

Darril

Congratulations on the CISSP pass. It's no small feat.

Darril Gibson
Security+ Blog
Security+ Tip of the Day

lanrexng2

Darril wrote: »

Congratulations on the CISSP pass. It's no small feat.

Darril Gibson
Security+ Blog
Security+ Tip of the Day

Darril I am about to get your SSCP book! Ofcourse your sec+ book saved all our lives lol

Darril

lanrexng2 wrote: »

Darril I am about to get your SSCP book! Ofcourse your sec+ book saved all our lives lol

Thanks. Hope it helps you get your SSCP. Good luck.