EH-Net
May 18, 2013, 07:17:36 PM *
  Show Posts
151  Ethical Hacking Discussions and Related Certifications / General Certification / Re: Ready for Security+, got a bargain on: November 24, 2010, 08:09:12 AM
On the site cccure.org there are some tests for CISSP. I found that the ones with a medium and lower level are at the level of Security+.

If you only want to pass the exam do the crams, but if you want to understand... study  Smiley

I found that Sec+ covers half of the study for CISSP so this can be your next move.

Good Luck!
152  Resources / News from the Outside World / Re: Phrack #67 on: November 19, 2010, 12:26:24 PM
Very interesting articles.

Thanks!
153  Resources / Tools / Re: Canvas versus Metasploit on: November 17, 2010, 08:04:46 AM
Thank you for the videos!

We really appreciate that you take the time to share your knowledge/experience with us.


Also, if it is possible, it would be preferable to comment on what you are doing (voice instead of music).

Thanks again!
154  EH-Net / Calendar Of Events / Re: BSidesOttawa 2010 on: November 16, 2010, 07:54:12 AM
I had the pleasure of participating in this conference.
I only have good words about it. Everything was perfect: the place (a nice club), the organisation, the speakers and the audience.
Given the fact that we were inside a club, with only around 100 participants, the atmosphere was very intimate and the presentations sometimes took the form of public discussions.

On the first day the presentations covered general security subjects. The speakers had a lot of humour and they tried to get the audience involved.
On the second day the subjects were a little bit more technical, but the speakers tried to keep them general enough in order not to lose any of the participants (some of them were very tired after the 1st day party  Cool )

For me it was an excellent opportunity to meet interesting people (I met H1t M0nk3y, whom I only knew from this forum). I also discovered that I am not paranoid when it comes to security, and that there are others who have the same problems as I do.

Thank you very much to the wonderful people that made this conference possible!
155  Ethical Hacking Discussions and Related Certifications / eCPPT - eLearnSecurity Certified Professional Penetration Tester / Re: eLearnSecurity opinions? on: November 15, 2010, 02:31:35 PM

To whom would you recommend this course? Novice?

I would definitely recommend the web part for novice students (as I was). The course takes you from the beginning and it teaches you a lot. Each chapter contains theory and then the tools that help you automate the attacks.
The videos of the tools are very useful, too.
This course opened a new world for me, in an easy way. I will try to continue the exploration by myself, but it is always easier when you have a “master” that points you in the right direction.
156  Ethical Hacking Discussions and Related Certifications / eCPPT - eLearnSecurity Certified Professional Penetration Tester / Re: eLearnSecurity opinions? on: November 11, 2010, 01:28:51 PM
I was wondering if anyone who's received their eLearnSecurity's ePPT certificate/certification would mind sharing it with us.. Maybe block out the name if that would pose a problem...

I only received a PDF that is a diploma. I don't know if I'll receive a printed one.

Alucian  How long did you wait for your exam results?

I waited a month until I had an answer. Initially they asked me to redo the report, because it didn't look so good (I made it in one day so..). Also, I had put the wrong names for some vulnerabilities, plus I went a little further than the scope of the test, so I had to remove a finding.
These comments made me think that he really looked very carefully at my report.

So, I had a week to redo the formatting of the report, not to redo the test. If my refined report hadn't been good enough in terms of findings I would have had to redo the test, but it was good enough to receive the certification.
I really appreciated this, and I am sure that Armando is extremely busy.

Good luck and be patient.
157  Ethical Hacking Discussions and Related Certifications / eCPPT - eLearnSecurity Certified Professional Penetration Tester / Re: eLearnSecurity opinions? on: November 10, 2010, 08:48:10 AM
I just got the results today from the exam, so from now on I am an eCPPT!

I really liked the course. It is very well structured, and a very important advantage is that you can access it any time.

Now I am doing some checks for work and I use the course as a guide for the most important steps. I recommend following the course multiple times, because there is so much information that you can't digest it in a single shot.

I am just waiting for the new course they will produce (supposed to be an advanced one).

I found this course to take you from the novice to an intermediate level for the web application part, and this is what I wanted. The other two modules are at an intermediate level.
158  Resources / Tools / Re: Vulnerability scanning / pentesting tools on: November 10, 2010, 08:21:34 AM
THANK YOU VERY MUCH!

I am analyzing your list, and I will see what I will propose (maybe next week).

I think I wasn't specific enough with my list. For each category only the first element is chosen; the others are just to do an analysis of the available products.

Anyway, my company will not invest so much money in vulnerability management. Also, it will be very difficult to convince them to buy Canvas or Core Impact. I need an excellent business case for this.

Lucian
159  Resources / Tools / Vulnerability scanning / pentesting tools on: November 09, 2010, 02:12:25 PM
Hello guys,

I need your help in choosing some security tools. We will improve our security program and I have to propose some vulnerability scanning / penetration testing tools that we will buy.
Our network has around 3000 active IPs, and we have almost 40 IPs in the DMZ.
I have thought about some tools, and I should provide my managers some reasons why I chose a particular one (for example, in the category Network scanners I chose Nessus, and I can justify this based on Forrester research). Here are my categories and my picks:

Network scanning:
1.   Nessus (cheaper ~ 3600$ for 3 licenses, very good product, and we already have it)
2.   Nexpose (very good but will cost us 40.000$ /year)
3.   Qualys

Database vulnerability scanners
1.   DB Audit – good reviews; 4500$ for 10 servers
2.   AppDetective – more expensive
3.   Pangolin – amazing SQL injection tool. It costs 2000$ and maybe I will convince them to buy it together with DB Audit

Web application
1.   Burp Suite Pro – 225$ plus Acunetix – 5000$
2.   WebInspect – 6000$
3.   AppScan – 15.000$

Penetration testing
1.   Core Impact – 20.000$ plus Metasploit Framework
2.   Metasploit Express – 3000$
3.   Saint exploit – 20.000$ ?

Besides this we will use some open source tools, but we also need good commercial tools (management gets excited about support  Cool )

If I missed some categories please tell me.
So, I would like to hear your suggestions and opinions.
Thanks!
160  Ethical Hacking Discussions and Related Certifications / Other / Re: Convincing upper management on: November 05, 2010, 07:28:15 AM
I really understand your feelings.
In my company we have a team, we have some tools (and we will buy more) but our direct manager (who is not technical at all, and comes from mainframe via COBIT implementation) is stopping us (mostly me) from doing our jobs.
I understand the reason why the guys from operations don't want me to do Nessus scans using credentials, but the fact that my boss agrees to any stupid reason drives me crazy  Undecided. I even thought of moving.

Anyway, I will be more patient and I will try to sell my ideas to the upper mgmt.
On the other hand, a friend of mine works for a big company and he told me that they have no problems having operations implement their demands. It seems that his company had been hacked in the past and now security has become extremely important.

@H1t M0nk3y  Be happy that you are not the only security guy in the company. If you'll get hacked you'll be blamed. Just stay cool and prepare yourself for better times (like next week-end when we'll have a beer in Ottawa  Cool )
161  Ethical Hacking Discussions and Related Certifications / Security / Re: Real World Security Professional (RWSP) Day Two on: October 27, 2010, 11:30:16 AM
I am impressed, really.
162  Features / Book Reviews / Beautiful Security - an amazing book on: October 21, 2010, 08:47:22 AM
Hello guys,
Lately I had the chance to read “Beautiful Security” and I found it an amazing book. Every chapter covers a different subject and it is written by a SME in his field.

Just to give you an idea:
Ch 7. The Evolution of PGP’s Web of Trust is written by the creator of PGP – Phil Zimmermann
Ch 13. Beautiful Log Handling is written by Dr. Anton Chuvakin
Ch 4. The economy of security breaches (one of my favourites) is written by Dr. Chenxi Wang from Forrester
and many more.

This is not an extremely technical book, and the authors explain why security is so beautiful, everyone speaking about a different field.

There are some stories in the book, they speak about current problems and concepts, and there is a lot of advice that everyone can benefit from. I took many notes from this book on how to improve some processes in my company. Also, there are some concepts I would like to implement in my company in order to improve security.

I recommend this book to everyone that does security, and some of the chapters must be read by the non-security people in that specific department (for example the developers should read Ch 10 Security by design, the managers Ch 1, 3, 4 and so on).

Hope you’ll enjoy it as much as I did.
163  Ethical Hacking Discussions and Related Certifications / OSWP - Offensive Security Wireless Professional / Re: I passed the OSWP on: October 12, 2010, 08:54:48 AM
Congrats!

@H1t M0nk3y
It is outdated. By current standards the course is like a soldier who has only a revolver. If you send him to fight on a university campus (not MIT) he might be successful, but if you send him to war... no big chances.
164  Ethical Hacking Discussions and Related Certifications / Other / Re: illuminati on: October 12, 2010, 08:49:52 AM
 Shocked

Interesting Smiley
165  Resources / Tutorials / Re: Metasploit Megaprimer 300+ mins of video tute on: October 08, 2010, 07:27:35 AM
Thank you for the videos!

I downloaded some of them a couple of weeks ago and started to study.

Very much appreciate your effort!