- This topic has 11 replies, 9 voices, and was last updated 10 years, 10 months ago by
Dengar13.
-
AuthorPosts
-
-
December 29, 2009 at 9:17 am #4520
T_Bone
ParticipantHi Guys
Is there anyone out there whom has taken both the GPEN and GWAPT certs? If so which was more difficult please?
Cheers
-
March 6, 2010 at 4:45 am #28288
Jhaddix
ParticipantHey T_Bone,
I’ve taken both classes, passed the GPEN, going on for the GWAPT in the next few weeks.
As far as the content goes Sec542 was harder for me. I never did web development in the past so some of the attacks were new things, for instance attacking/enumerating SOAP web services. i dont see it as much more difficult though.
Ask apollo, he’s passed both i think… =)
-
March 6, 2010 at 7:36 am #28289
apollo
ParticipantThe GWAPT test was harder than GPEN test. Part of it is that web pen testing is about nuance where many of the things on GPEN are more straight forward. An app is either vulnerable or it’s not, where an XSS or SQL injection can look a number of ways. We covered Nessus in GPEN, there are 4 or 5 scanners used for GWAPT. It’s the little things that will get you. I thought the GWAPT class was harder than the GPEN class too. I think that part of that is due to the fact that Ed Skoudis is a badass when it comes to course devel. His courses have a great flow to them, and Ed is an excellent educator. Kevin’s class, the web app pen testing class, is very good but the information doesn’t have as much of a flow to it. It is still an excellent class, but the material that has to be covered can’t really have as much of a natural flow to it.
This is more forward than I normally am, but take 560 (GPEN) before you take 542 (GWAPT) I think, the GPEN will get you the business knowledge and the GWAPT covers more skills type things. Once you’re thinking like a pen tester business and skills wise, the GWAPT will go better. GWAPT was a kick ass class though, and you will learn great stuff. I haven’t seen any course material out there that covers what GWAPT covers as well as it covers it.
-
March 6, 2010 at 10:59 pm #28290
caissyd
ParticipantOther than GWAPT, is there any other courses/certs related to web app pentesting?
-
March 7, 2010 at 1:02 am #28291
KrisTeason
Participant@ h1t m0nk3y – Here’s an affordable course that I know about related to Web App Testing.
LSO – So You Want To Be A Web App Pentester
Also check out the 3DCPT From Heorot.net – it looks to be focused on web attacks.
Cheers
-
March 7, 2010 at 2:13 am #28292
BigPrince
Participant542 was harder than 560. I agree with the above that if you can, do both with 560 first. Great classes.
-
March 7, 2010 at 3:07 am #28293
Dark_Knight
ParticipantFor the guys who say the GWAPT was harder than the GPEN, what is your background? Is it in development/programming or network admin stuff?
-
March 7, 2010 at 12:36 pm #28294
caissyd
ParticipantThanks xXxKrisxXx, I appreciate it!
GPEN and GWAPT are a bit pricy for me at the moment, these are indeed very good alternatives!
-
March 7, 2010 at 3:31 pm #28295
apollo
Participant@Dark_Knight wrote:
For the guys who say the GWAPT was harder than the GPEN, what is your background? Is it in development/programming or network admin stuff?
Both, I program in c/c++/php/perl/python/ruby/lua predominantly but am not a true developer. The reason the web stuff is harder course wise is that there is much more subtlety to what you are doing. Do you need a ‘ or a ” when you are doing a specific injection. What happens when the script upper cases every command you type for command injection (unix doesn’t like that much). Those sort of things you don’t have to deal with as much in the network pen testing classes.
That said, I should say if you have no programming background at all, you may find 542 even more challenging. There are days in there to teach basic scripting, but you will be slower than your counterparts who have some very basic experience in programing/scripting. That said, you don’t have to have programming knowledge to take the course, you will do ok without it, but you will have to work harder.
-
March 7, 2010 at 8:42 pm #28296
Dark_Knight
Participant@apollo wrote:
@Dark_Knight wrote:
For the guys who say the GWAPT was harder than the GPEN, what is your background? Is it in development/programming or network admin stuff?
Both, I program in c/c++/php/perl/python/ruby/lua predominantly but am not a true developer. The reason the web stuff is harder course wise is that there is much more subtlety to what you are doing. Do you need a ‘ or a ” when you are doing a specific injection. What happens when the script upper cases every command you type for command injection (unix doesn’t like that much). Those sort of things you don’t have to deal with as much in the network pen testing classes.
That said, I should say if you have no programming background at all, you may find 542 even more challenging. There are days in there to teach basic scripting, but you will be slower than your counterparts who have some very basic experience in programing/scripting. That said, you don’t have to have programming knowledge to take the course, you will do ok without it, but you will have to work harder.
I follow you. I come from a programming background and am currently doing the GWAPT via SansOndemand. Great stuff so far. Kevin Johnson is hilarious 🙂
-
March 10, 2010 at 1:49 pm #28297
Salmonella
ParticipantIt depends on your background. As a developer I found the GPEN to be harder. Network folks will probably find the GWAPT harder.
-
March 11, 2010 at 1:45 am #28298
Dengar13
ParticipantI am attending the SANS Sec542 (GWAPT) class right now and think that this is pretty intense. I agree with Salmonella, I am a networking guy and find this to be pretty advanced.
-
-
AuthorPosts
- You must be logged in to reply to this topic.