OSCP Worthy For Non Pentester?

Hello,

I am not interested in EVER being a pen tester. Do you think the OSCP is still worthy for someone that would like a good long career in Cyber Security? Sometimes I wonder if understanding how to actually hack helps you in other roles such as GRC, management, defense etc.

Also, does the study material/curriculum have anything about fuzz testing? I am involved with a start up and looks like they may expect me to do this for their apps.

Thanks!

Find more posts tagged with

Comments

Higgsx

ZzBloopzZ wrote: »

Hello,

I am not interested in EVER being a pen tester. Do you think the OSCP is still worthy for someone that would like a good paying career in Cyber Security? Sometimes I wonder if understanding how to actually hack helps you in other roles such as GRC, management, defense etc.

Also, does the study material/curriculum have anything about fuzz testing? I am involved with a start up and looks like they may expect me to do this for their apps.

Thanks!

No. OSCP is very difficult for those who aren't pentesters. OSCP is very good certification but is not intended for beginners. It is very difficult even for average pentesters.
You should check out eLearnSecurity's eJPT and then eCPPT. They are similar to OSCP but easy version.

ZzBloopzZ

Higgsx wrote: »

No. OSCP is very difficult for those who aren't pentesters. OSCP is very good certification but is not intended for beginners. It is very difficult even for average pentesters.
You should check out eLearnSecurity's eJPT and then eCPPT. They are similar to OSCP but easy version.

Thanks for the quick response. eJPT and then eCPPT have zero results on Indeed for the DC Area. I have heard of people doing OSCP in 30 days... wonder if I could do it in 60. I did CISSP in 30 days but tend to pick up hands on stuff much quicker.

Sheiko37

It might be, it might not be, your question is too vague. What "career in Cyber Security"? What positions have you had, what do you want to move into?

does the study material/curriculum have anything about fuzz testing?

https://www.offensive-security.com/documentation/penetration-testing-with-kali.pdf

I have heard of people doing OSCP in 30 days... wonder if I could do it in 60. I did CISSP in 30 days but tend to pick up hands on stuff much quicker.

The people passing it in 30 days are usually experienced penetration testers. Do you have any experience with Kali Linux? Do you mind learning everything on your own? The PWK material covers maybe 10% of the knowledge required to succeed in the lab and pass the exam.

Higgsx

ZzBloopzZ wrote: »

Thanks for the quick response. eJPT and then eCPPT have zero results on Indeed for the DC Area. I have heard of people doing OSCP in 30 days... wonder if I could do it in 60. I did CISSP in 30 days but tend to pick up hands on stuff much quicker.

I haven't took OSCP but I heard people saying about it all over the world that it is difficult and if you haven't experience it'll be extremely difficult. I personally think that people who passed OSCP exam already had have experience in pentesting. OSCP is very good yes and it is my next certification and before that I'm going to read books on pentesting,do the labs I'll build and so on.

CISSP and OSCP is very different. Of course you can take OSCP but if I were you I wouldn't take OSCP at this point. I would read books do labs and then OSCP.
if you want little faster you can take eCPPT. It is not bad, it's also good but little easier that OSCP.

towentum

To quote what others have said, and as a current OSCP student with no prior pentesting experience, but many years in IT...Don't do the OSCP. If you just want to know tools and processes hackers use, do the CEH or some other cert. If you have no interest in pentesting, you'll waste your time and money in the OSCP as it's very much about passion to learn this stuff.

While it's not terribly difficult if you have the right mindset, it will test you mentally.

ZzBloopzZ

Sheiko37 wrote: »

It might be, it might not be, your question is too vague. What "career in Cyber Security"? What positions have you had, what do you want to move into?

I was a Computer Analyst in my last role where I did little bit of everything. Security related was Incident Response/containment, security scans, server hardening, creating baselines, patch management, change management, creating SOP's, training etc.

Currently a Systems Security Engineer where I pretty much do everything Security related, a one man show at the moment. Still debating where I want to go honestly whatever would give me a better chance of 100% remote work with not much stress.

bigdogz

As you know you have to change your mindset. Red team. How can I get into a host? Finding more than one way to get in because you may need to use multiple methods. Will it help you with being a Blue team person, yes.
I am in the process of signing up after I finish a couple of certs. From what I heard it is hardcore and can be frustrating, because unlike the eLearnsecurity certs, you are on your own and its understood that the student has some knowledge / understanding of programming. You have to know how to think like a hacker.
I know some of my buddies that have this cert and are pen testers. I do not know of others in the InfoSec field that have an OSCP and do not pen test as a full time position.
If you get this certification, understand that you may just perform pen testing and maybe some forensics. Not really Management or GRC. Defense....if you are talking DoD then you may not have luck and just go for the CISSP, CASP and other certs that are DoD compliant. If you mean Defense in Depth, this is just a Best Practice when creating an environment / infrastructure.

Good Luck!!!

beads

@ZzbloopzZ;

Don't tell a soul that you found some mythic work at home position with little stress. Too many people will come after your position. Seen a few low travel positions around but rarely a full remote.

- b/eads

bigdogz

Yeah, the remote positions are rare but the stress is relative. You have to perform and report to management your findings. The reporting is not the sexiest part of the job, but it's very important.

ZzBloopzZ

Thanks for the responses. I have been doing lots of research and realized OSCP is not for me right now. However, I am opening up more and more to the EJPT. I learned a bit while studying for the CEH but just wish it dove a little deeper and with more real-world and modern tools. The more I research, the more it seems that the EJPT will satisfy that thirst. Then afterwards perhaps get a cert in a different area.

UnixGuy

I was just going to recommend eJPT for you. Great introduction to Pentesting, and you get to play with different tools. Reasonable price and doesn't need too much time.

ZzBloopzZ

UnixGuy wrote: »

I was just going to recommend eJPT for you. Great introduction to Pentesting, and you get to play with different tools. Reasonable price and doesn't need too much time.

Thanks, how much time do you think if I did it 5-6 hours/day and 10 -12 hours over the weekend? Thanks!

UnixGuy

Everyone is different, but roughly speaking, you should finished it super quick if you do that. Just start and see how you go

ITSpectre

ZzBloopzZ wrote: »

I am not interested in EVER being a pen tester. Do you think the OSCP is still worthy for someone that would like a good long career in Cyber Security?

No. There is no need to even bother with the OSCP because that is what the certification is. If you have no interest in being a pen tester then you can take the CISSP, CAP, CCNA security or another cert.

With the OSCP is ONLY deals with pen testing, hacking, using tools such as metasploit nmap, nessus etc.... This is the hands on cert for someone that wants to soldify their expertise in pen testing. Keep in mind though you may just take the cert and end up liking it.... some people that are in IT now it was not their FIRST choice.

Give it a try.... never say never, because you may just be a pen tester after all.

ITSpectre

Personally speaking....

I think you should try pen testing. The reason I say this is because you really cannot rule something out that you have not tried yet. That is saying "Well I dont eat broccoli" but you have never tried it. Take the eJPT for now and quench your thirst....and then go from there.

I think the pen testing fairy will visit......

In the end its better to have tried it and not liked it, then to have never tried it at all.....

doctorlexus

ITSpectre wrote: »

I think the pen testing fairy will visit......

I'm picturing Trinity from The Matrix, but with wings.

ZzBloopzZ

ITSpectre wrote: »

Personally speaking....

I think you should try pen testing. The reason I say this is because you really cannot rule something out that you have not tried yet. That is saying "Well I dont eat broccoli" but you have never tried it. Take the eJPT for now and quench your thirst....and then go from there.

I think the pen testing fairy will visit......

In the end its better to have tried it and not liked it, then to have never tried it at all.....

First of all, thank you for sharing a unique and open minded viewpoint. It was refreshing to read.

The reason I don't want to go deeper into pen testing is because I feel that there is not much human element to it. I enjoy communicating with people even if it's just through phone/email etc. Figured pen testing is mostly technical where you do the pen test and then write a report. Besides social engineering testing :c) Is my notion of pen testing incorrect?

ITSpectre

ZzBloopzZ wrote: »

First of all, thank you for sharing a unique and open minded viewpoint. It was refreshing to read.

The reason I don't want to go deeper into pen testing is because I feel that there is not much human element to it. I enjoy communicating with people even if it's just through phone/email etc. Figured pen testing is mostly technical where you do the pen test and then write a report. Besides social engineering testing :c) Is my notion of pen testing incorrect?

I will be honest with you.... the more you have the human element the LESS you want the human element at work...Pen testing has a human element but yes its about writing reports.... the further up the chain you go, the less human element you have. You have more meetings, emails, duties.... the help desk has the most human element.

ZzBloopzZ

ITSpectre wrote: »

the further up the chain you go, the less human element you have. You have more meetings, emails, duties.... the help desk has the most human element.

I will have to disagree with this. My last job I was mid management but interacted with customers daily that were at various levels... from the bottom to the absolute top. I enjoyed the interactions just that Government employee's are not the brightest in my experience (generalization). I enjoy cyber security just trying to figure out what area I should become a master in. :c)

dmaketas

Taking from someone that is more or less in the same position as you. I will never be a pen tester, I am more of security architect, GRC guy.
But I have completed the eJPT, since it provides me with a basic understanding of pentesting, modus operandi, tools, etc.

OSCP I believe it would be an overkill for myself since I have to invest heavily in order to make it through and honestly I don't see the point. On the other hand eCCPT I would like to do it at some point in the future, more for personal knowledge and nothing more.

rex0r

ZzBloopzZ wrote: »

First of all, thank you for sharing a unique and open minded viewpoint. It was refreshing to read.

The reason I don't want to go deeper into pen testing is because I feel that there is not much human element to it. I enjoy communicating with people even if it's just through phone/email etc. Figured pen testing is mostly technical where you do the pen test and then write a report. Besides social engineering testing :c) Is my notion of pen testing incorrect?

You should read Kevin Mitnick's book, Ghost in the Wires. You'll learn that social engineering can be the only tool you need to get all the access. Plus its an entertaining and educating read.

mokaz

Higgsx wrote: »

No. OSCP is very difficult for those who aren't pentesters. OSCP is very good certification but is not intended for beginners. It is very difficult even for average pentesters.
You should check out eLearnSecurity's eJPT and then eCPPT. They are similar to OSCP but easy version.

I'll have to disagree with this, if you're going for something than go for the real thing. I've had no pentesting skills before enrolling the OSCP, or well barely a few, but again this is exactly WHY there is a lab at your disposal and honestly at a super price. There ain't no rush, do it at your pace, if you need 6 months its perfectly fine, even a year who cares...

If you'll just ask me, i'd directly go for the OSCP just for a couple of reasons, 1st once you've done it you'll be very proud of yourself and 2nd it does not expire and that, is a massive statement about what the OSCP is indeed.

chrisone

ZzBloopzZ wrote: »

Hello,

I am not interested in EVER being a pen tester. Do you think the OSCP is still worthy for someone that would like a good long career in Cyber Security?

Why would you cause your body so much pain? seriously you are in a world of hurt just going through with this cert only to not truly benefit from it.

Its like someone training for a fight and sparing x amount of rounds and never having a fight. The journey is a serious struggle on its own.

GirlyGirl

mokaz wrote: »

I'll have to disagree with this, if you're going for something than go for the real thing. I've had no pentesting skills before enrolling the OSCP, or well barely a few, but again this is exactly WHY there is a lab at your disposal and honestly at a super price. There ain't no rush, do it at your pace, if you need 6 months its perfectly fine, even a year who cares...

If you'll just ask me, i'd directly go for the OSCP just for a couple of reasons, 1st once you've done it you'll be very proud of yourself and 2nd it does not expire and that, is a massive statement about what the OSCP is indeed.

I don't login much but when I do it's worth it. I honestly agree with you. I think depending on your yearly salary you are 100% correct. I agree and I don't say that everyday. To me spending $1,150 for 90 days and then extending for 90 more days for $600.00 for a total of $1,750 for a 6 month period is really not a lot of money ( to me anyways). Even if you add 90 more days for a total of $2350 gives you 9 months to pass a test. Personally in 9 months and less than 3k out of pocket I don't see with the time and determination why it can't be done. As of today August 17, 2016 I don't think it's anything I can't learn in 9 months dedicating the enormous amount of time necessary. It's enough "hints" on TechExams and resources around that I think it possible.

My opinion really does not matter. It was just a thought.

Paolo264

ZzBloopzZ wrote: »

Hello,

I am not interested in EVER being a pen tester. Do you think the OSCP is still worthy for someone that would like a good long career in Cyber Security? Sometimes I wonder if understanding how to actually hack helps you in other roles such as GRC, management, defense etc.

Also, does the study material/curriculum have anything about fuzz testing? I am involved with a start up and looks like they may expect me to do this for their apps.

Thanks!

I'm not a pentester either and never will be although I do work in Information Security.

For me, I want to complete the exam from a personal achievement perspective. Additionally, having a greater understanding of pentesting techniques would be highly beneficial.