While I sit around and wait for the next week to go by, I figured I'd ramble on for a moment about the RWSP (Real World Security Professional) certification I will be taking next week. For starters, sorry it's been a busy September and October with work, volunteer work (CSFI.us), life, etc., I have not given up on the forums!

Anyhow, the RWSP caught my eye and I decided to head down to Gaithersburg MD to sit in for this exam. Unlike the typical "read this book", "memorize this concept" style of exams which have flooded the market, the RWSP seems to me to be a "practice what you preach!", "you better know your stuff!" kind of exam. When I first read about the RSWP exam, I was contemplating the ISRM certification (NSA IAM/IEM) for "Red Teaming" validation and the information caught my eye.

Now to be honest here, when I first thought of the name of the certification, I was puzzled and wondered: "Who the hell, what kind of ballsy statement is that!" and I immediately tracked down the exam content authors to question them about this certification. None other than Russ Rogers took the time to eloquently explain it to me:

The RWSP is based on an individual's ability to handle and react to real world security situations.  We approach the security topic from both offensive and defensive perspectives, and no single student is required to be an expert in both sides.  Over the years, we've grown frustrated with the growing number of "content based" certifications, where you read a book or take a course, then take the exam. We felt that the pool of certified professionals was being diluted by individuals that really don't have the experience and knowledge to do the work.  What we wanted to do with the RWSP is bring back some semblance of the peer review process (think of it like a blacksmith guild mentality).  If a certification is peer reviewed, the quality of the members is better maintained, thus the certification also maintains it's value to the industry.

For starters, if you don't know who Russ Rogers or Greg Miles is, then you probably haven't been in the industry that long. The bios on them would fill this page up, so I'll let you see for yourself http://www.blackhat.com/html/bh-ad-10/training/bh-ad-10-training_PEAK-RealWorldSec.html

Anyhow, I decided that this would be the "make me or break me" course in the sense that, no one is walking out of that classroom by relying on a book. The course is two days long and I'm getting antsy wanting to get it on already. The concept so far seems more in tune with reality as opposed to it being focused on tenteen hundred tools and exploits, eleventeen hundred methodologies, etc.. Simple, attack and defend My kind of exam.

I will follow up after the exam (pass or fail) on how things went, etc. In the interim, I'm still around!

Sil, good luck to you on the exam.   From reading your post, it sounds like the exam is a win-win situation.  At the very least you will learn where you stand.  I it sounds like the exam will be real-world scenarios, which is always great.   

[quote author=H1t M0nk3y link=topic=6180.msg32987#msg32987 What is wrong with that? To me, it is like everything else. When you start in a new field, I need someone to hold my hand and show me the way. Once I become an expert, then I look for different things like this course.

For example, I have been a Java System Architect for 11 years now. So to me, all architecture-related course are now a waste of time. I learn by working with excellent people, by reading on the internet or in books and by attending conferences.

But, I started practicing Jiu-Jitsu 3 months ago and I can tell you that without a teacher in front of a class showing me every details on a particular throw, I couldn't go very far.

That being said, some courses/certs really are crap. Let's not put them all in the same basket...

So sil, do you agree with me on this? Almost all your posts refer to this topic... 

[/quote]

I believe the purpose of the exam is to further validate someone's established skills (pros versus joes). This doesn't seem to be an exam where someone is going to breeze through via way of reading. There is a story behind the actual 2 day course which goes to the tune of:

Its the year 2020 (or so) and government contractors have gone rogue. You have to defend against them... Then you have to be the rogue contractor.

The gentlemen behind the exam are the creators of the NSA IAM and IEM exam and my interpretation of the differences in exams are/is: One is technical the other isn't.

I believe the ultimate goal of the exam is to "rubber stamp" someones experience in various arenas of security (offense and defense). I say this because this is how the wording/explanation comes across. Because everyone is split into teams, there will be different roles for everyone and its a collaborative effort. There is no "de-facto" expert. Followed by dual sided approach (off/defense) is a peer review which means, technically there will be no grandfathering here. If a peer says I don't understand/comprehend what I'm doing/did. It's sayanora.

Granted, this is my broad interpretation of it, I won't know until I either pass or fail.

Did you already get back your results, sil?

Knew you'd pass. Congrats!

Congrats! Any chance we could read the paper?

Great!

Told you... Might be down your neck of the woods soon... Will shoot you an email or something if I head down. We're having BSides in New England this weekend