Hi EH,

Just a quick question about any certifications it would be worth while taking. I'm currently a student studying Computer Security & Ethical Hacking in the UK, I'm on placement as a Software Developer so I am learning Programming principles. I will hopefully graduate with a 1st degree, my question is, is it worth taking a few certificates along with my degree? I know there are certs like CISSP, CREST <-- supposed to be incredibly hard and CEH but which is the best bang for your buck?

I'd quite like to go towards the web app security side || maybe PCI DSS? I still have quite a while to think about this, but any advice would be great.

Edit: If you know any certs which are worth while taking for web app's or that are quite well rounded, that would be appreciated

Thanks,

Questionable

Hi Questionable and welcome to the forum!

For this one, I suggest you first take a more broad and entry-level certification before aiming at web applications. And don't get me wrong, "entry-level certification" doesn't mean easy, but they tend to cover lots of different areas used in other more specialized certs/fiels.

For example, web app certifications will focus more on SQL injection, XXS and the likes than on TCP/IP network protocole and post-exploitation skills. I believe that knowing these things before going to web app cert world would only help you in the long run.

Also, what is your long term goal in information security? I am asking because forensic investigation is quite different than being a manager who writes policies... Let us know and we will guide you!

And like 3xban said, experience and contacts are very important too...

Good luck!

Thanks for the replies guys! eCPPT looks great, I'm currently reading The Web Application Hackers Handbook, it's pretty insightful and rounding my knowledge, I have been networking a lot where I live at OWASP chapter meetings and other conferences, so I hopefully will have my foot in the door before I finish University, after University, my first job would be towards the pen testing field.

The only issue I'm looking at, it doesn't offer a lot of information on individual purchases, more of a company based thing, does anyone know the price for the eCPPT and if they do any sort of student discount? probably not, but it's always worth a shot.

Any sort of reading material you could suggest for the eCPPT would be great, but I know it comes with a bucket load of videos and tutorials when you purchase it.

I'm still narrowing down my choices but web applications seems to be the thing which interests me the most, but even if I drift off into another part of the sector, I don't think it'll be a waste of time.

Thanks again,

Questionable.

I sent Armando a pm, waiting on a reply

I find that certs are the only way to force me to learn usefull but boring things. Without a goal/carrot in front of my, I either get lazy or study only what I like.

There have been many discussions on certs vs experience on this site and I think most people agree that experience is more important, while *some* certs open doors (get you through HR screening) and *other* certs/training programs make you a better pentester.

For example, CISSP vs OSCP are pretty much opposite to each others...