Tuesday, 29 May 2012

On certifications...

As you probably guessed if you read this post, I'm not a big fan of certifications... In this post, I will provide more details on why...

As a disclaimer, I didn't try to get any of these exams; I did, however, read some of the courses...

There are a lot of certifications in the security market: CISSP, CEH, ISO27001 lead auditor, ISO27001 lead implementer, GIAC, CREST, ... When I think about that, I have a mental image of a cow (with "Security" written on it) getting milked by people in suits (all these people have one of these certifications' names on their back)... That's basically what the current certification market is, in my opinion...

As an opener, here is a little story someone told me: one of these certification shops was offering a new certification for free, without any work or exam, to some people already certified by this shop for another certification (selected for their experience, obviously). This was just done to bootstrap the new certification and give it some value ("X people are already B.L.A.H. certified, what are you waiting for...").

First, the CISSP. I think the CISSP is a good certification if you want to prove that you have a basic understanding of security. It's kind of like when you want to go kayaking: you need a paper saying that you can swim 50 meters... it doesn't really show that you will be able to swim in open water or in a strong current, but it shows that you won't drown in less than a minute. The most annoying thing about the CISSP is people putting it in their name on LinkedIn or in their email signature; it's not a PhD or something you need a lot of work to get, so please remove it from your name. Some people even brag "I know security, I'm a CISSP" to people who really understand security... It just doesn't work that way; are you going to tell a professional swimmer that you have your "I can swim 50 meters" certificate?

I have mixed feelings about the CSSLP. It was created by ISC2 (like the CISSP), but the content actually seems better and more practical, even if their marketing is terrible ("you will be seen as a leader in your organization"):


I quickly read the course book, and I think it's a good introduction to the SDLC. However, it's not really known or used.

The C.E.H. probably has the worst value in my opinion, not that the certification is completely bad (I had some inside information on their exam), but because a lot of people pass it and think they know everything about security/hacking because they ran msf a few times and exploited a SQLi using SQLmap... and let's face it, the name is intrinsically wrong. There are, however, some really good people who started with this certification and managed to get really good. If you're a CEH, see this certification as a starting point and a quick introduction to security; all the work is still to be done.

In Australia, people started talking about CREST one or two years ago. CREST seems above other technical certifications and is really hard to get. The exam is hard and you don't have internet access (which seems a bit unreasonable)... So you need to have everything on you and be ready, even with old exploits, in case you see really old systems. There are 2 reasons for the lack of internet access: you won't be able to leak their exams and you won't get help. That seems fair but is really far from the pentest reality. There is something weird about CREST that I still don't get, however: if you look at the Member Companies and scroll down to "Thales UK Ltd" or "Security Alliance - Paladion / Plynt", you can see that they are listed without any "Certified Application Test Consultants", "Certified Infrastructure Test Consultants" or "CRT Qualified Consultants". I think this is confusing and may lead to mistakes for someone doing a (too) quick check on the website. Finally, the format of the certification is not really easy for small pentest boutiques, and it's more likely to help pentest shops with 30+ people than small businesses as a skills differentiator.

I won't even talk about /ISO-2700\d/ certifications since they have nothing to do with pentesting. I guess it's just another world...

Now let's kill one pro-certification argument...
Pro-certification people often argue that you won't get surgery from a non-certified doctor, or electricity from a non-certified electrician. This argument is fundamentally wrong. Firstly, being a doctor requires far more than a one-day exam... it's a lot of studying and practicing, nothing the security industry can relate to. Secondly, certified electricians are not used because they are better; they are used because insurance companies force people to... I'm pretty sure people with a real passion for electronics and renovation, but no certification, will do better work than most certified electricians.

Now what is the solution? No certifications? Probably not... the security industry is a market for lemons. I think certifications are just something you have or don't have, and just mean that you spent one week working on an exam. Nothing more, nothing less... It's just one more line on your resume. Certifications should be seen as the starting point of something, not a goal. However, as said before, I often see them as a negative point (especially for people collecting them), since they are currently used to show your knowledge and not just to show your interest/passion.

As a pentester, if I had one week to skill up, I would probably go for:
  • a training at a security conference;
  • a security conference (for talks and to meet people);
  • a week working on a security project;
  • a programming course.
You will probably get far more value out of these; however, you won't be able to hang them in your living room.




