New practical labs + certification(?)

Hi folks, I'd like to share a free resource for interactive lab-based lessons:
https://ex.whitehat.academy

You get access to real servers and web apps to exploit, available in-browser without any time spent setting up VMs.

We're just getting started, so there's a smattering of content so far, but we plan to build out a full course track around web app security specifically. I welcome any feedback on what you'd like to see!

Re: certification(?), we're wondering if it would make sense to offer a new exam as soon as we've built out a full course track, or if it would be better to wait and establish the content. In other words, would you be interested in taking a hands-on, practical certification for a reasonably low price to prove the skills you've acquired, even if the cert did not yet have wide industry recognition, or is your main reason for taking an exam to get employer recognition?

My hope is that brand recognition can come naturally from offering great content, but I think we all recognize that the quality of a company's training doesn't always correlate with the quality of employer marketing efforts... So, just wanted to get a feel for where we should focus our initial efforts - helping you learn real, practical skills, and/or letting employers know what we're about!

Find more posts tagged with

Comments

SaSkiller

On the question of certification, Honestly you are competing against heavy hitters in this area. The problem is not a lack of certification vendors, but quality, reasonably priced training vendors

fheisler

@SaSkiller agreed - there are tons of certs out there already, and a lot of very expensive options to show that you can memorize the right jargon... If it were based on an entirely practical exam (e.g. exploit real web apps and write up a report of your findings) at a reasonable price (maybe in the low hundreds), would that be of interest as a certification? (We're going to focus on creating great, affordable training for now regardless!)

EnderWiggin

I think once people have a strong enough skillset to be able to accomplish high-level hands-on tasks, they no longer care about certifications. They can easily just explain what they are capable of doing, they don't need a piece of paper saying they can do it. OSCP and OSCE are the only real anomalies there.

fheisler

@EnderWiggin I'm curious why those two are anomalies, though - because it's better material + a more practical exam than most certs, or because getting the OSCP/OSCE is the only real all-or-nothing way to prove you've mastered the knowledge in those courses?

katawia

@fheisler: I took the time to try the labs on the website tonight and sorry to say it's buggy!!! I already sent feedback to customer service via the chat. It's on the introduction to Python and the Debian system admin module....for now I think I'll stay away for a while. I captured one of the errors and can send it to you at your request.

yoba222

fheisler wrote: »

@EnderWiggin I'm curious why those two are anomalies, though - because it's better material + a more practical exam than most certs, or because getting the OSCP/OSCE is the only real all-or-nothing way to prove you've mastered the knowledge in those courses?

Offensive Security is the company that does OSCP/OSCE. They created Kali Linux. That statement alone I think speaks for itself.

fheisler

@katawia sorry you had some trouble with the lessons! I've replied already if you reached out on customer support, but just making sure here that you did so; the intro Python and sysadmin lessons are both working as intended, but might be confusing as currently written. Happy to follow up on any specifics here, in email or chat support.

katawia

fheisler wrote: »

@katawia sorry you had some trouble with the lessons! I've replied already if you reached out on customer support, but just making sure here that you did so; the intro Python and sysadmin lessons are both working as intended, but might be confusing as currently written. Happy to follow up on any specifics here, in email or chat support.

Thanks for the response. And yes you resolved the issues I had and for that I congratulate you. As I communicated in the email I gave the pros and cons of my assessment of the site. You are free to publish them on this forum and provide any updates.
Thanks for starting a potentially great site.

beads

yoba222 wrote: »

Offensive Security is the company that does OSCP/OSCE. They created Kali Linux. That statement alone I think speaks for itself.

So taking other peoples open source work, compiling and putting it, initially, on a CD and later a VM makes them worthy of what besides borrowing other peoples work and rebranding as original? Hardly. I was using many of the same progs well before Kali/Backtrack released there first CD let alone VM for pentesting.

Have they made a remarkable name for themselves? Yes, absolutely. Do I use the VM any more? No, absolutely not. I have the same tools or better readily at my disposal and often do. I still consistently find more and varied flaws than our required 3rd party assessors. Of course we still have to have a third party assessment for compliance reasons but by the time it gets to them - flaws are generally known or being worked on.

You get what you pay for whether the tool is a wrench or pentesting suite.

- b/eads

SaSkiller

fheisler wrote: »

@EnderWiggin I'm curious why those two are anomalies, though - because it's better material + a more practical exam than most certs, or because getting the OSCP/OSCE is the only real all-or-nothing way to prove you've mastered the knowledge in those courses?

Its about recognition and acceptance of the industry about what the hands on lab means. They are really the only vendor that has the name recognition as well as has a hands on lab that looks like it validates skills at a level that employers are looking for. From my personal experience GIAC will give you the book knowledge you need to pass the interview, but employers will either require a hands on assessment or will be looking for experience even for junior pentest positions, the OSCP is generally what consider as validation of that experience. I personally feel if I had it I would have gotten that internal pentest position I recently applied for. Boss said I did well on the interview, the team liked me, I have a buttload of security certs all around including GPEN. But I don't have the OSCP and i've never worked as a pentester. I don't think any other cert, practical or not would have helped (it should be noted I have the CPT which is hands-on as well).