SANS / EC-Council paths?

Arod95 Member Posts: 216
Looking at both websites I've noticed each company has a somewhat similar path of certs when it comes to becoming a pen tester.

ENSA->CEH->ECSA->ECIH->LPT (ec-council)

GSEC->GCIA->GCIH->GPEN->GXPN (Sans)

I know SANS probably goes more in-depth and is more updated, but I just want to know if I would be wasting my time going through EC-Council's path compared to SANS. If so, I'll probably skip ENSA, only take CEH as an intro to the pen testing tools, and then just do the SANS path along with OSCP. Plus I like the fact that SANS has more concentrated certs as well, like the web pentesting and wireless security ones, I think.

Comments

  • docrice Member Posts: 1,706
    I don't hold any EC-Council certs and have only gone through CHFI training a long time ago, but SANS is probably a lot better for overall security training, and the GIAC certs are probably better received from the perspective of knowledgeable security professionals, although Human Resources departments may not know better. Offensive Security is very good for penetration testing and much more affordable, although overall coverage of security subjects may not be the same. Apples to oranges though.

    If you're of the proper pentester mindset, I'm sure you've read through the many threads here about the actual credibility of security certifications as a whole, however.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Arod95 Member Posts: 216
    @docrice thanks for the reply. I'm not so sure what you meant, though, by that last part. I have read a lot of threads here about security certs, but I'm not quite sure what you mean.
  • docrice Member Posts: 1,706
    Security training is quite the constant necessity in the security field. The certifications, however, aren't very telling that someone is actually competent in the subject matter. InfoSec can be a very involved subject with tons of minutiae which must be juggled and re-juggled day-in, day-out.

    Many industry professionals don't care about someone's certifications because in the real world, it's all about the amount of practice, commitment, focus, determination, attitude, open-mindedness, and objectivity which builds the skill and talent. Taking training and studying for the certifications helps encompass the subject somewhat and provides a starting point, but answering a bunch of multiple-choice questions is only an indicator of interest from a resume evaluation point of view.

    I'm one of those who perceives certifications this way. I have a lot of them. I probably will continue to get more in the future (because I find it an enjoyable experience and I'd rather do this than go sit on a beach during vacation). But I'm very aware that they don't necessarily mean I can do a given job. Knowing which buttons to push is a lot different from being able to distill a working ecosystem down to its atomic level and seeing the parts in the working machinery and then figuring out what can/did go wrong.

    Honing a good mindset is extremely important. To be a good security professional, you have to be able to pivot your viewpoint to the perspective of individuals who want to take advantage of a system beyond legitimate expectations. There's also a lot of maintenance involved in keeping up with news, trends, tools, techniques, and so on. Burnout is pretty much a given. Resiliency is an unstated job requirement. There's a lot of pressure all around. Change is constant.

    As someone who lives and breathes this stuff every day, I think achieving certifications is fine, but there has been a tendency by a few people to think having certs qualifies them for something. In some cases it partially does, such as when a consulting firm wants that paper-credibility to satisfy some business/customer-facing requirement.

    The technical validation that a security certification supposedly brings can be less meaningful than suggested by certification and training vendors. Doing security is not just about working the tools, but also weighing the organization requirements, policy, resource limitations, actual risk relative to the function of the business, and so on and being able to create an appropriate balance between these needs. This understanding takes time to culminate and to integrate into the larger picture what technical training brought to the table.

    I stand here as a solid example of a paper tiger. It looks good on a resume. It seems impressive on LinkedIn. Would I hire myself to do some of the work that I'm certified in? Hmm, probably not. So certifications are a fun way to start and continue your journey, but I just want to make sure that you understand that it probably proves less than you think it does.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • Arod95 Member Posts: 216
    No, I completely understand; when I gain certifications I don't think that proves I know how to do everything. I think of them as a stepping stone to understanding a subject better. I feel as though hands-on experience at a job or through day-to-day experience is the only thing that will determine if I know how to really do something. Knowing something in theory and knowing how to actually do it, and having done it, are two different things to me. I think they look great on a resume, but I don't think it's going to land me a job. It will help me get noticed but not give me a guarantee. So I do understand what you mean. I go for certifications mostly because it proves to myself I know the concept of something enough to go to the next level and actually start practicing on my own time. Thank you again for the reply, docrice.