GWAPT passed
It's been about four months since I signed up for SANS SEC-542, Web App Penetration Testing and Ethical Hacking. My primary motivation for this particular course was my long-standing knowledge gap in the web applications area. If I'm to be configuring WAFs, load balancers, and IPS sensors, it would be highly beneficial to understand how applicable these tools are in defending against common web attacks such as XSS, CSRF, various injection techniques, etc.
To start off, I have no development background. I don't write JavaScript, Python, or PHP for a living in any capacity. I knew this would be a hindrance going in, but I have to face the music at some point in my career. I also don't have a web-layer mindset as I'm still very much more used to the packet level, thinking in terms of addresses, ports, layer 4 headers, etc. I figured this course would be a good stretch for me. The only thing in my background that would be of any help is some understanding of HTML from building my small websites over a decade ago.
542 follows a pentesting methodology: recon, mapping, discovery, and exploitation. There are lots of tools and lab exercises throughout the class. The instructor (Kevin Johnson) used SamuraiWTF as the basis for the lab work. He's the one who created SamuraiWTF after all, so who better to present the material. The OnDemand course I took had lots of his stories, opinions, and anecdotes, as well as the usual drinking-from-a-firehose flood of information one would expect from any SANS course. There's a lot to absorb, and if you come from a network infrastructure role like I do, it can get pretty overwhelming.
I typically go through a SANS course within a few weeks and follow up on the GIAC exam a month later. In my current job, I have much less time to devote to continuing education, so it took me practically the entire four months of my available OnDemand time to get through it, plus prepare for the exam. And for someone like me who isn't used to thinking in terms of HTTP, AJAX, database queries, and web services, it was painful. I must have listened to the MP3 sets at least four times through during my commutes and it still wasn't sinking in as much as I wanted it to.
The course touches upon scripting languages such as JavaScript, Python, and PHP so one can recognize the basic structure when looking at page sources or examining content through an interception proxy. While I believe this is a crucial / mandatory skill for a web app pentester, 542 doesn't really expect you to become a developer or even a competent scripter from this class alone. It's not intended to make you a coder.
The class did open my eyes to and clarify many aspects of web applications which were either previously vague for me or unknown, such as SOAP, JSON, AJAX, Flash / ActionScript, same origin policy, etc. My understanding of these areas is more refined now, and if I'm at another con where people are talking about them, I'll at least have some idea of the conversation context.
But this course will not turn anyone into a pentester overnight. If you're completely new to web security, you're not going to come out of the class ready to perform professional vulnerability assessments for clients. I just passed the GWAPT exam and even I wouldn't hire myself for such a job. However, I think the material in 542 is pretty solid and covers a wide range of topics which are important for knowing how to approach such work.
The exam itself was the newer 2-hour, 75-question format. Unlike previous GIAC exams that I've taken, many of the questions in the new format will require some thought and analysis to answer correctly. There are a few which you could reference in the course materials, but a lot of them require the examinee to put together adjacent learned subjects to formulate the right path. This is a welcome change.
Another change in the new format is that the counter representing questions answered correctly / incorrectly is only updated every fifteen questions, unlike previously where it updated after every question, forcing someone like me to keep a hawk-eye to check my progress after every answer submission to gauge my exam survival rate.
I finished the GWAPT exam in a little over an hour and I barely squeaked by the ninety-percent mark with a total of 90.67%. Before taking the exam, I had a strong feeling that I could easily fail this one as I've heard from others that the practice exams and the real ones were noticeably different in difficulty. I got 93% on the one practice exam I took a few nights before. This was the first time where I did worse on the real exam compared to my practice version. However, there were some very good questions on both the practice and live exams that really made one pause and analyze the screen output. I felt these were the type of questions worthy of being on GIAC exams. There were a few where the answer was way too obvious, but overall the quality of questions seemed to have improved. Either that or web app stuff just really challenges me, even if it's first-grade level stuff.
Another thing to keep in mind is that in a few days (as of this writing), GIAC exams will no longer be done through Kryterion, but rather Pearson VUE.
I still think there is no substitute for actually "doing" the work and being able to demonstrate it. For this reason I think Offensive Security's approach to testing is much more realistic, although there's a place for SANS-style instruction. There's also an advanced version of 542 (642) which comes out soon:
https://www.sans.org/security-training/advanced-web-app-penetration-testing-ethical-hacking-5036-tid
Although I'm no pentester, I still think I got a good deal out of 542. Going through it hurt, but I somehow made it. It took quite a bit of mind-numbing persistence to stay focused as a lot of the material didn't click naturally for me, but that's just a shortcoming I have to deal with. For the moment, I'm really, really SANS / GIACed out. This is my fifth GIAC cert and instead of going for another cert, I need to read normal infosec books and spend more time applying knowledge that I've learned in all these courses. Otherwise it's going to evaporate quickly.
Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
Comments
And don't cut out on SANS now! Having the GSEC, GCFW, GCIA, GCIH, GWAPT now qualifies you to go for the GSE. This is exactly what you need to put what you have learned into practice!
Forum Admin at www.techexams.net
--
LinkedIn: www.linkedin.com/in/jamesdmurray
Twitter: www.twitter.com/jdmurray
I'm actually in a position in a company that allows me to explore the subjects I've been studying these last couple of years for practical hands-on experience. It's just a matter of time management to be able to get things done. That's probably the best way to prepare for an eventual GSE attempt. I'd sure like to just have all my GIAC certs renewed with just a GSE pass, but that exam looks quite insane. If I could achieve both a GSE and a CCIE, my resume would start glowing. Whether it means I can actually deliver in the real world after I experience a mental meltdown from all those years of studying constantly, that's another story altogether...
By the way, it previously took several days for the certification to be listed under your name on the GIAC website. After I passed the GWAPT exam, it was there on the same day ... perhaps within the same hour. Looks like they streamlined the process on the back end.
For me, it was also knowing that if I fail the exam, I'd have to shell out another $500 to try again (or whatever the re-take cost is). That feeling in the back of my mind doesn't help either.
The score only gets updated every 15 questions. It used to be every question.
https://www.sans.org/security-training/advanced-penetration-testing-exploits-ethical-hacking-1517-mid
https://www.sans.org/security-training/advanced-web-app-penetration-testing-ethical-hacking-1641-mid
Most of the "advanced" GIAC certs are specialized.
Thank you. I passed with a 97.33%. I am still trying to decide if I thought the exam was difficult. Mentally, I was having a hard time with the exam being open book and my lack of experience with CBTs. I am very used to a technique of taking exams where I would mark up and go back to review, so it threw me off.
As for my background, I have over 20 years of IT experience. My skillset can be characterized as being a generalist, and for most of the past 10-15 years I have been in management or leadership roles, so I don't get the opportunity for much hands-on work. Most of my recent roles have been in risk and infosec.
I suspect that because I do have a software engineering background, that made it easier for me.
Anyone around who's taken the 542 course (and the exam) along with having passed the CISSP? Any comparisons you'd like to share? I'm thinking the GWAPT is probably more technically oriented than the overall general questions you get in a CISSP exam.
I personally did not find the GWAPT a more or less challenging exam. To be honest, I felt that the exam was set up so that it is almost impossible to fail if you are reasonably prepared. To me, the GWAPT was about the same in technical difficulty as the CISSP.
As I recall, the CISSP was a lot more mentally challenging for me because of the breadth of topics and the sheer length of the exam. The GWAPT was a breeze in comparison.
In case it is not possible to find the official books, what other books should I read to prepare for the GWAPT exam?
Thanks in advance!
Regards,