CSTA - Certified Security Testing Associate

<<

lewiscornwell

Newbie

Posts: 2

Joined: Thu Feb 25, 2010 11:39 am

Post Thu Feb 25, 2010 11:46 am

CSTA - Certified Security Testing Associate

The CSTA certificate is awarded to candidates who attend 7Safe's CSTA Ethical Hacking: Hands-On training course and pass the CSTA examination.

http://7safe.com/ethical_hacking_course-technical_hands-on.htm
The 1 hour CSTA examination is taken and marked at the conclusion of the CSTA Ethical Hacking: Hands-On course. The pass mark is 50%, with marks between 65 and 79% attracting a merit grade and marks 80%+ achieving distinction.

The CSTA certification is a prerequisite for the CSTA+ certification and the Certified Security Testing Professional (CSTP) certification, the latter of which is gained following successful completion of the CSTP Ethical Hacking: Hands-On 2 training course and the CSTP examination included at the end of the course.

Prerequisites
An understanding of TCP/IP and a background in Microsoft Windows and/or UNIX is desirable.
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Feb 26, 2010 6:43 am

Re: CSTA - Certified Security Testing Associate

Never heard of this. What's the benefit compared to other certifications?

And 50%? Really? I would want someone that only half knows what they're doing testing my network? No thanks.
<<

Dengar13

Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Fri Feb 26, 2010 7:59 am

Re: CSTA - Certified Security Testing Associate

I agree 100% with BillV.  Either the bar is set really low, or the exam is uber hard.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Fri Feb 26, 2010 8:38 am

Re: CSTA - Certified Security Testing Associate

BillV wrote: Never heard of this. What's the benefit compared to other certifications?


Other certifications do not require the excellent 3day training provided by.. uhh.. what was it again?  7 Safe?

I've never heard of them, but then again they are based out of the UK.  They seem legit enough.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

oneeyedcarmen

Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Fri Feb 26, 2010 10:00 am

Re: CSTA - Certified Security Testing Associate

I think that in the interest of full disclosure, Lewis should have included (though it was easy enough to guess) that he is an employee of 7Safe.
Reluctant CISSP, Certified ASS
<<

unsupported

Sr. Member

Posts: 318

Joined: Sun Feb 08, 2009 3:38 pm

Location: 407

Post Fri Feb 26, 2010 10:50 am

Re: CSTA - Certified Security Testing Associate

oneeyedcarmen wrote: I think that in the interest of full disclosure, Lewis should have included (though it was easy enough to guess) that he is an employee of 7Safe.


Good work. :)  That was my assumption since he is a one post wonder.  His guerrilla marketing kung-fu is better than ours.

Maybe Don should approach him to be a paid sponsor of EH-Net (http://www.ethicalhacker.net/content/view/69/8/).


Or we can just report this post for violating the user agreement:

You agree, through your use of this forum, that you will not post any material which is false, defamatory, inaccurate, abusive, vulgar, hateful, harassing, obscene, profane, sexually oriented, threatening, invasive of a person's privacy, adult material, or otherwise in violation of any International or United States Federal law. You also agree not to post any copyrighted material unless you own the copyright or you have written consent from the owner of the copyrighted material. Spam, flooding, advertisements, chain letters, pyramid schemes, and solicitations are also forbidden on this forum.
Last edited by unsupported on Fri Feb 26, 2010 10:55 am, edited 1 time in total.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
<<

lewiscornwell

Newbie

Posts: 2

Joined: Thu Feb 25, 2010 11:39 am

Post Fri Feb 26, 2010 11:59 am

Re: CSTA - Certified Security Testing Associate

Hello,

We do only currently run courses in the UK. I did notice that no one had mentioned 7Safe on here before, so that is the reason for my post.

I have emailed Don regarding advertising opportunities.

I will talk to the trainee and ask about the examination.

Thank you,
Lewis
<<

jenskirschner

Newbie

Posts: 2

Joined: Fri Feb 26, 2010 11:55 am

Post Fri Feb 26, 2010 2:57 pm

Re: CSTA - Certified Security Testing Associate

In the interest of full disclosure, I would obviously state that I, too, work for 7Safe. Though Lewis did not exactly pretend to be a third party, either, I would think. And as he himself already said, we are actually interested in advertising on this site, so that shall get sorted out. Quoting the rather long litany of things not permitted on this forum after exactly *one* post regarding a course - in a forum section that invites discussion of certification programs not mentioned elsewhere, no less! - does seem a bit harsh to me, but I leave that to your judgement, of course. As with the "guerrilla marketing" comment - guerrilla marketing would have seen us creating usernames not actually related to our real ones (to make the lookup in LinkedIn more difficult) and then posting comments along the lines of "I've just heard of this brilliant new course, you need to see this".  :D

A couple of other things worth commenting on were brought up as well, and so I shall.

I shall start with the pass mark of 50%. That was agreed a number of years ago, first with the University of Glamorgan (who until recently had five of our training courses as modules on their Postgraduate Certificate in IT Security), later with the University of Bedfordshire who are now offering an MSc in Computer Security and Forensics which uses seven of our training courses (three hacking related, one of which is the one this thread is all about, three computer forensics related, one about ISO27001) as modules. In each case, passing the exam is the beginning, not the end of the process - as that is required in order to then be admitted to the module's assignment. Both of these universities are real-world, brick-and-mortar institutions, not paper mills. Easy enough to check out, if you care.

As to your other puzzlement, the unknown entity 7Safe - well, Lewis answered most of that by stating that we offer our training only in the UK - we have a few partners in other European countries, but I doubt this would make us known any more to you. The other reason you won't know us yet, is: We are a pen testing and computer forensics company first, a training company second and a marketing outfit least of all. There are certifications out there where the exact opposite is the case - and thus you will know them. As to their actual value, well, recognition is often confused with reputation.

If you would like to judge some certifications you may have received yourself in the past - consider how much of the material was original content. How much of it appeared to be straight copy/paste from publicly available sources. No editing, just collecting to amass fictitious weight. Ours is ours. Who are we? Well, we are on a (generally rather short) list of companies VISA accepts as credit card breach investigators.

http://www.visaeurope.com/documents/ais ... t_list.pdf

We pen test banks, web hosting companies and government organisations. We are in the process of becoming the UK training provider for Core Impact (first training to run in April), we are in the process of becoming an authorised training provider for X-Ways Forensics (I used to work for X-Ways - easily checked thanks to Google - and will be delivering their official training several times this year). We also employ people like Jordan Hrycaj (nessus) or Sumit "Sid" Siddarth (www.notsosecure.com), who quite recently published a widely quoted paper on extracting data from Oracle databases via WebApps:

http://7safe.com/resources/paper_oracle ... g_web.html

We are also a training provider. Training that receives excellent feedback from our customers. Training we send our own new staff through. As it happens, we routinely have staff from our competitors (in pen testing or computer forensics) on our courses.

Feel free to mock training courses based on a single snippet of information or judge the value of the training provided based on the people behind it. Start googling some of the other, rather more... famous certifications out there and once you've found a few pages beyond the standard marketing blurb, start thinking. Look at some of the training materials you undoubtedly have from certifications you've attended in the past and see them with fresh eyes.

And, lastly, while this might not matter to those who are mainly attracted by collecting acronyms, it does to me: Our training is not about the certificate. It is about the training. If you prefer it the other way around, our courses are not for you.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Feb 26, 2010 3:19 pm

Re: CSTA - Certified Security Testing Associate

Thanks, jenskirschner, for the clarification.  Nice to know who you are, and if I'm ever in the UK, doing some work, I'll be sure to follow up more with you, so I can get a better feel for your company.

That said, and this is still a concern to me, with regards to your training offerings (I'm not slamming or belittling you, just stating what others are feeling, as well, I think, but I'll be certain to let them speak for themselves...) is the 50% passing score.  Combine that with the prerequisite your colleague listed, "An understanding of TCP/IP and a background in Microsoft Windows and/or UNIX is desirable.", and I'd honestly be a bit more concerned with the folks who've 'passed with 50%' testing my environment.  Something about an 'understanding of TCPIP' and a background in one OS or another 'preferred,' coupled with the ability to only work up to a level of 50% after a bootcamp or hands-on course, just leaves me with less than a 'warm fuzzy' feeling about having that person come into my environment...  I'm sorry for the lack of a vote of confidence, and maybe if I saw your training material and style, and saw how your test was designed and covered the material from your courses, the magnitude of it might make me feel more secure in trusting those graduates of the course...  Dunno...   :-[

That said, though, what I stated above does NOT speak for your own teams, who do the pentesting work for your company, and I'd hope they're a little more capable than the 50% mark, based on the fact that VISA Europe deals with you.  So let me wish you the best, with regards to your company's continued success, and maybe, as future folks come through your training programs, it will speak more for your courses and training offerings, as well.

Thanks for sharing.

EDIT:  Note, I'm NOT belittling the folks who pass your courses and certs with a higher mark, so please don't see me as slamming you.  I'm simply stating that I'd still be uncomfortable, regardless of background of your programs and those who support them, in bringing someone aboard, knowing they were certified for a 50% score...  Again, best of luck to you and your company, and again, if I ever AM in the UK, I will research you more.  Regards.
Last edited by hayabusa on Fri Feb 26, 2010 3:33 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
<<

oneeyedcarmen

Full Member

Posts: 233

Joined: Thu Jul 05, 2007 2:13 pm

Location: Baltimore, MD USA

Post Fri Feb 26, 2010 3:23 pm

Re: CSTA - Certified Security Testing Associate

OK, now I feel like a bit of a jerk for my tiny little comment. I was not attacking Lewis or your company. I would suggest in the future, however, if posting to a forum such as this, to just be honest and up front about who you are. Please do not assume this to mean that I'm saying Lewis was DIShonest.

Please accept my apologies for any offense taken. I certainly didn't mean any, nor do I wish to unintentionally dissuade an advertiser from working with Don. This is a pretty great, friendly community on the whole. Something I'm sure you'll find should you join the many other discussions.
Reluctant CISSP, Certified ASS
<<

jenskirschner

Newbie

Posts: 2

Joined: Fri Feb 26, 2010 11:55 am

Post Fri Feb 26, 2010 3:35 pm

Re: CSTA - Certified Security Testing Associate

With regards to your concerns, I agree. If you prefer, insist on a CSTA or CSTP (or whatever other course of ours) certificate "with Distinction". If it says that on the certificate, the mark must have surpassed 80%. I personally tsk-ed at one of my colleagues today who *only* achieved a 90%. ;-)

But most people employ a double standard here: Would you allow someone to receive an MSc, a bachelor's degree or anything of the kind with just barely more than 50% of the total score? Well, actually, that's what the lower marks do. Where the actual percentage falls, varies with institutions and countries, but there are the *good* marks and there are simply *pass* marks. Ours are like that as well.

Some certifications you either get or don't get. Ours grade you. If you want the bar raised, require a Merit. Or require a distinction. And then you've raised the bar. Not reaching either, yet scraping a pass does not invalidate the exam. It simply gives you a low mark.

I scored a 98% on my CEH exam when I did it in 2008. All it took me to do so was use the exam trainer from Pass4Sure for about 2 hours. That was all. I recognised the questions on sight, picked the right answer without even reading and was done in 30 minutes. Does that make me a good hacker or a professional exam taker?

You could undoubtedly do exactly the same thing with our exam. It, too, asks you questions and you pass if you know the answers. How or why you know them, the exam won't ask you.

Except, and here I am repeating myself, I don't think this is what this is about. We want to *train* people, not get them to pass exams. You could forgo the exam at the end for all I care. When I spend my days at the front of a classroom, it isn't pass marks I am hoping for. It is engaging conversation, people figuring out the manifold exercises we set them and signs of understanding in the delegates' faces.
<<

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Feb 26, 2010 4:22 pm

Re: CSTA - Certified Security Testing Associate

Great response, and thanks for your comments!
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH
<<

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Sat Feb 27, 2010 1:43 pm

Re: CSTA - Certified Security Testing Associate

Hey jenskirschner,

Thanks for helping clarify some of the issues. It was never what you do for 7Safe, so I hope you don't mind me telling everyone that you're in charge of all training. Are you also a contributor to the course development?

I totally understand the thought process behind the 'grading' of the exam, especially when one considers the use of the course in conjunction with a university program. But since you also offer the course outside of that venue, it then becomes a completely different issue. Most who do hiring, whether that be the HR person, IT Manager, Owner, etc. are used to asking about a GPA when it comes to a university education. On the certification side, which is generally used after or in place of university programs, it is more of a professional benchmark. Thus the term certification, where you 'certify' that someone has a baseline of knowledge. Most in charge of hiring don't think of 'grades' when it comes to a certification. So the level at which you passed is not even asked of an applicant.

So I think this may end up being an issue of educating those that do the hiring about what it is and the different levels of achievement. That is a daunting task considering even the top players in the security training & cert game are barely known to those outside of us.

And along the lines of your thought process on the training is the #1 priority and not the exam, doesn't that make it an even stronger argument to lift the passing score? Those who don't care about the cert don't really care what the passing score is, and those that mostly care only about passing the exam should be required to get a higher score. Otherwise, it either becomes a paper cert that is easy to attain (again keep in mind those that hire really won't pay attention to whether it was with distinction or not) or, since some employers who pay for their employees want to see that they actually paid attention in class thus want to see an exam to prove that they got at least some ROI, won't really get that proof with a 50% score.

Just my $.02.

All this being said, maybe it's time for an interview on you, the company, the course, thoughts on the passing score, levels of distinction, etc. I'm sure this would be of interest to our European readers.

I'll continue emailing you offline.

Thanks again for joining us,
Don
CISSP, MCSE, CSTA, Security+ SME
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Apr 04, 2010 11:01 am

Re: CSTA - Certified Security Testing Associate

jenskirschner wrote: I scored a 98% on my CEH exam when I did it in 2008. All it took me to do so was use the exam trainer from Pass4Sure for about 2 hours. That was all. I recognised the questions on sight, picked the right answer without even reading and was done in 30 minutes. Does that make me a good hacker or a professional exam taker?


You might want to double-check where you're getting your resources from in the future. Those guys sell brain dumps, which are actual questions from the exam (or at least, at the time they were stolen). They've been sued by Microsoft for this very reason. Additionally, the fact that you admitted that you recognized the answers and scored 98% without even reading the questions speaks volumes. I would wager most people would do well on your exams if you let them review it for hours in advance as well. I apologize for resurrecting an old thread, but this really irritated me.
The day you stop learning is the day you start becoming obsolete.
<<

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Mon Apr 05, 2010 8:17 am

Re: CSTA - Certified Security Testing Associate

dynamik wrote: Additionally, the fact that you admitted that you recognized the answers and scored 98% without even reading the questions speaks volumes. I would wager most people would do well on your exams if you let them review it for hours in advance as well. I apologize for resurrecting an old thread, but this really irritated me.


I agree.

I caught that when he replied but didn't care to respond. I think his point is that if he can do it many others can, and have, as well. This is, unfortunately, quite obvious if you hang around the EC-Council portal long enough to see the type of people showing up to claim themselves as CEH certified. It's too bad, because it lowers the respect received by those who actually studied for and passed the test bringing down the overall value of the certification.