.

CSWAE Pentest Methodology

<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Jan 06, 2012 4:12 pm

CSWAE Pentest Methodology

So the CSWAE content isn't great, very basic but I thought it was somewhat acceptable and wholly representative of most of the other outdated and regurgitated content that so many other courses are guilty of. Until I got to the methodology for "ethical hacking" and saw they mentioned covering tracks and maintaining access. Real attackers do this and it's valuable for incident handlers to understand this, but when have any of you done this on real world pentests unless it was explicitly called out as a requirement by the customer? It annoyed me and I had to make a post about it. There have been other irritations as well but something like a methodology forms the underlying structure for everything you do on a test. This is really important stuff folks. If people are thinking this is what you are supposed to do on a test, then it's no wonder that my Pentest Quality Management side project has found so many glaring examples of stupidity. Are there other curriculums that bungle methodology like this?
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Jan 06, 2012 4:29 pm

Re: CSWAE Pentest Methodology

Although it's rarely called to be used in pentests I've done, it has, on occasion.  That said, I think they put a lot of emphasis on it, at least, in the CSWAE, as well as the CEH class of old.  (v7 didn't really touch on it much, IMHO, but my original CEH did.)  Perhaps the older CEH materials are where they gleaned the necessity to hammer it in...

While yes, it is sometimes necessary to maintain access / cover tracks, etc, and you do have to understand it to be able to 'warn about it', rarely has it been something I've had to actually DO, in a pentest.  (However, if you ever participated in the Cyber Challenge SANS did, etc, if you didn't do all the above, you wouldn't score well, as they regularly sniped participants, so you needed a fast and reliable way back in.)

BTW, from what I've had time to look at in CSWAE, I'm in agreement about the rest of the material, too.  Granted, it's aimed more for developers, but ungh...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Jan 06, 2012 4:55 pm

Re: CSWAE Pentest Methodology

The section on code review, had no code.  ???

And so many places it's painfully obvious the trainer has no clue what he's talking about. Also on the methodology section. "The OSSTMM is free, which is good (snip) ... (random chatter).. has some hints and some useful guidance as well."

Really? Has he even read the OSSTMM? It's an awesome document but what he's saying does not even begin to describe what you use OSSTMM for and that's all he has to say about it? There's so many other places like this where I have to question whether the guy has even done a pentest before. I'm into the pentest module now and I have to say a lot of this content has really entered the realm of "bad". I had tried to give the course the benefit of the doubt until now, in the hopes that a developer focused course might actually have useful technical content for a coding idiot like me but I have now lost all faith it will ever occur. I am debating just stopping here, pulling the trigger on the exam and getting back to reading The Tangled Web and WAHHv2. Much of this content is highly conceptual in nature with almost no practical examples. The 2 books I mentioned are proving to be a far far greater investment than a course like this could ever hope to be. I'm not even sure that a real review is worthwhile.

I'll sum CSWAE up with: "Check it out if it's free and you are bored, but don't spend any money on it" I'm sure glad Mile2 offered the course for free to govt employees last Sept because I'd be mad if I spent training dollars on it.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Jan 06, 2012 5:02 pm

Re: CSWAE Pentest Methodology

Yeah, I've been largely 'unimpressed' thus far.  Thanks for letting me know it won't get better.  :P

I think it's geared as info 'about' what a pentester will do, to aid developers in understanding.  But as you noted (and from what I've seen thus far,) it doesn't even do THAT very well...

<sigh>  Glad I won this, too, and didn't have to spend on it (wouldn't have bought it, based on the description, but since it was 'different' and free...)  Almost thinking I should've done the CPTS or something (but would've preferred at LEAST CPTE, which wasn't one of our prize options, for the $$)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Jan 06, 2012 5:30 pm

Re: CSWAE Pentest Methodology

Note:  They said something about updating it soon...  Maybe it'll get better?  (Doubtful, but since I have access through said update time period...)
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Jan 06, 2012 6:38 pm

Re: CSWAE Pentest Methodology

I thought this was something new that I hadn't heard of but once I read through the first couple posts I googled the 'CSWAE' and realized it was the Mile2 thing.

I honestly can't say I'm that surprised. I've yet to really hear anything good about Mile2.

They present themselves as a well established company but I wonder how many people actually hold their certifications.
<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Sat Jan 07, 2012 2:00 pm

Re: CSWAE Pentest Methodology

On that I will disagree with you Bill, I took the CPTE class when they offered it free to veterans, and I will sat the material trumped the CEH. Then again, I believe its one of their flagship products, so it be the best they have...

but if you would like more reviews, I think a little was mentioned in the posts around november when they had that going on.
sectestanalysis.blogspot.com/‎
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jan 07, 2012 2:19 pm

Re: CSWAE Pentest Methodology

I think the CPTE is probably the exception to the rule SephStorm.  Wishing it'd been on the list of courses we could've chosen for the winners of the giveaway.  Unfortunately, it wasn't.  I can only speak for CSWAE, and to that end, I'm thoroughly unimpressed, so far.

(Note: and I think CPTS wouldn't have been worth my time, after OSCP or eCPPT, so at a minimum, would've rather had CPTE, as an option.  And I understand the cost difference, and the prize limitations, with as many as they awarded.  However, after giving it free for veterans, and all, I think, maybe, it wouldn't have hurt to raise the bar for the 8 winners, etc.)

Edit:  not that I'm unappreciative.  Free is always nice!  Just that the selection wasn't what I'd have hoped for...
Last edited by hayabusa on Sat Jan 07, 2012 2:21 pm, edited 1 time in total.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Sun Jan 08, 2012 4:34 pm

Re: CSWAE Pentest Methodology

The only problem with your comparison is that the CPTE should be beyond what the CEH is. The CPTS is their intro/entry hacking certification that should be compared to CEH. The CPTE, now the consultant something or other, is probably better aligned with ECSA/LPT (or GPEN, also on that level).

But it is good to hear something positive about them.
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Fri Jan 13, 2012 4:57 pm

Re: CSWAE Pentest Methodology

So I got so fed up with the CSWAE course I stopped at about 65% of the way through the course and just took the exam. 69 questions, 1.5 hours to complete. I took 22 minutes and got an 90%. Yay me. I guess.

I know all 7 questions I missed were due to really poorly written questions because I knew all the content inside and out. Was super easy but I got questions that were obviously not written by a native English speaker and I doubt there was any significant QA done. 3 questions I saw twice in the exam. I got one question that asked the question, then the choices were answer 1, duplicate of answer 1, duplicate of answer 1 + another sentence, and none of the above. Seriously? Many of the questions made sense but none of the answers were even in properly formatted English to even comprehend what they were saying. That exam needs to be completely redone.

P.S. Exam report shows a pass rate of 51% for what it's worth. Now whether that's due to not effectively delivering content or the horrendous questions, I have no clue.
Last edited by tturner on Fri Jan 13, 2012 4:59 pm, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

Return to General Certification

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software