GWAPT passed

Thanks for the synopsis. I found your comments useful.

Wow, it takes some courage to walk into an advanced, software-centric course knowing that you have no software development background. As you have shown, having first-hand experience with designing/implementing/debugging software isn't necessary for learning application pen testing, but it sure helps speed up the understanding of what you are learning. With that background, you would also better understand the mentality of your adversaries, who are definitely software developers.

And don't cut out on SANS now! Having the GSEC, GCFW, GCIA, GCIH, GWAPT now qualifies you to go for the GSE. This is exactly what you need to put what you have learned into practice!

While going through 542, I kept thinking to myself that if I only knew JavaScript better I could really understand the potential scope of exploitation that can be carried out. But if anything, a good takeaway is that all personal Internet web surfing should be done through an interception proxy. It's enlightening and educational.

I'm actually in a position in a company that allows me to explore the subjects I've been studying these last couple of years for practical hands-on experience. It's just a matter of time management to be able to get things done. That's probably the best way to prepare for an eventual GSE attempt. I'd sure like to just have all my GIAC certs renewed with just a GSE pass, but that exam looks quite insane. If I could achieve both a GSE and a CCIE, my resume would start glowing. Whether if it means I can actually deliver in the real world after I experience a mental meltdown from all those years studying constantly, that's another story altogether...

YuckTheFankees

Almost review Docrice. Of the 5 SANS certifications you have, which one did you enjoy the most?

My first gut-answer would be the GCIA, perhaps because I relate to that subject more than others. This would be closely followed by either the GCIH or GCFW.

By the way, it previously took several days for the certification to be listed under your name on the GIAC website. After I passed the GWAPT exam, it was there on the same day ... perhaps within the same hour. Looks like they streamlined the process on the back end.

YuckTheFankees

I hope to take my 1st SANS course this year but I have no idea which one I would want to do. GWAPT is automatically out of the running lol Web app stuff scares me a bit, knowing I've never done anything related to development.

ipchain

Congrats on the pass and thanks for the excellent review. I personally felt GWAPT (SANS 542) covered the basics, but the course lacked in content. I regret having bought the course and should have saved the money for SANS 642, but you live and learn.

I decided to sign up to take the exam this Saturday based on your review. I'm curious. How close to the real exam is the practice. I haven't taken a CBT exam before so I was wondering if the experience on the practice is the same. I also am leary because its open book.

In my personal experience, the real GIAC exams were pretty close to the practice versions. However, others have reported that the practice exams were very different (or felt easier). Perhaps sitting the real exam makes one self-conscious that "this is the real deal" and creates some degree of apprehension. Or maybe the question pool on the exams that I just happened to get ended up being similar to the practice versions. Who knows.

For me, it was also knowing that if I fail the exam, I'd have to shell out another $500 to try again (or whatever the re-take cost is). That feeling in the back of my mind doesn't help either.

Thanks. That's helpful to know. I'm aapprehensive about not knowing what it may be like. I would have preferred a simple paper based scantron. The realtime -time scoring and open-book concept is throwing me off.

Open book just means that you have opportunities to find some answers to some nit-picky questions (if there are any). In the past, there were questions that asked specific things such as (for example) command-line switches to tools. These days, a lot of the GIAC exams have half of the amount in both questions and time length to complete the exam ... but the individual questions themselves are more "cognitive." You'd have to fundamentally know the overall principles and core concepts of the material well enough to answer the question. The book reference is nice for some things, but there might be more analysis and thinking required.

The score only gets updated every 15 questions. It used to be every question.

laughing_man

Congrats!

I've taken the first practice exam for the GSEC, and while I think the format is fine, I'll be surprised if the actual exam items aren't a good deal more difficult. I expect practice exams to contain "teaching questions" designed to evaluate the knoweldge of the exam candidate, while the actual exam items are designed to be far more challenging. The major exception to this I've seen is where practice exams contain actual exam questions there were removed (obsoleted) from the exam pool.

Good luck with the GSEC. Not sure if the same methodology for question pool selection is the same as in the GWAPT. As it turns out I thought that the real exam was similar to the practice. This was the first CBT that I have ever taken - I found the scoring and inability to browse questions a bit disconcerting. But I guess thats what forward-progress is about

@docrice - thanks for helping set my expectations.

docrice wrote: »

The score only gets updated every 15 questions. It used to be every question.

The is probably because GIAC realized that that indicating (in)correct answer selection on every exam item only helps the people attempting to memorize the questions to make ****. I still don't understand why they think they need to display the score tally during the exam. It's like an added distraction to increase the level of difficultly by psyching-out the exam candidate. I may just bring a yellow sticky note to cover that part of the screen during my exam.

Oh - that makes more sense - I thought maybe it was GIAC's way of competing with ISC2 and ISACA to see which organization could generate more anxiety for their candidates. Whereas - ISC2 and ISACA makes you wait 6 weeks, my theory was that it was one-upsmanship and GIAC was trying to give results every 15 questions to as you put it - "psyche out" the exam taker.

I'm assuming you passed the GWAPT, in which case a congratulations is in order. How did you gauge the difficulty of the exam and what was your previous background and / or experience in the subject matter?

guyfawkes101

Many congrats on passing the course. Can you elaborate and provide your thoughts on GCED / GPEN courses as well. I have extensive experience in both network and app side of pen testing but I am looking to do one GIAC cert which covers advanced general aspects of info sec. I found description of GCED appealing to what I had like to get although it doesn't seem to be much popular.

I definitely don't hear much about the GCED. If your pentesting experience is on the advanced level, I believe SANS has a course offering that's beyond 560 and 542:

https://www.sans.org/security-training/advanced-penetration-testing-exploits-ethical-hacking-1517-mid

https://www.sans.org/security-training/advanced-web-app-penetration-testing-ethical-hacking-1641-mid

Most of the "advanced" GIAC certs are specialized.

docrice wrote: »

I'm assuming you passed the GWAPT, in which case a congratulations is in order. How did you gauge the difficulty of the exam and what was your previous background and / or experience in the subject matter?

Thank you. I passed with a 97.33%. I am still trying to decide if I thought if the exam was difficult. Mentally, I was having a hard time with the exam being openbook and my lack of experience with CBT's. I am very used to a technique of taking exams where I would markup and go back to review so it threw me off.

As for my background, I have over 20 years of IT experience. My skillset can be characterized as being a generalist and for most of the past 10-15 years,I have been in management or leadership roles so I dont get the opportunity for much hands-on work. Most of my recent roles have been in risk and infosec.

I suspect that because I do have a software engineering background that the made it easier for me.

That's a very strong score indeed. Can't get much better than that. Maybe you missed one question out of the whole exam. I'm pretty sure your software engineering experience helped a lot in terms of understanding the logic involved in looking at web applications.

I2Secure

Nice Post ,,,, i will be also preparing same

holysheetman

bringing this thread back to life.

Any one around that's taken the 542 course (and the exam) along with having passed the CISSP? comparisons you'd like to share? I'm thinking the GWAPT is probably more technically oriented than the overall general questions you get in a CISSP exam.

I would be interested to hear comparisons as well.

I personally did not find the GWAPT more or less challenging exam. To be honest, I felt that the exam was setup so that it is almost impossible to fail if you are reasonably prepared. To me, the GWAPT was about the same in technically difficult as the CISSP.

As I recall, the CISSP was a lot more mentally challenging for me because of the breath of topics and the sheer length of the exam. The GWAPT was a breeze in comparison.

McFly

Hi, i need some help from any person....i´m trying to get the GWAPT certification, but the cost of the official books is too high for me...Is there any possibility to get the GWAPT official books from Internet? I only saw the AudioBook file available on the Internet.....

In the case that is not possible to find the official books, what others books should i read to prepare the GWAPT exam?

Thanks in advance!