Security Basics mailing list archives
RE: Vulnerability assessment certification
From: "Simmons, James" <jsimmons () eds com>
Date: Wed, 9 May 2007 18:01:50 -0500
Ok, first, I am not going to call you neo, eon, or any other sort of iteration of "the one". There have been a few threads about CEH, both here and in a few other mailing lists I belong to, and the recommendations are usually not favorable. As someone else put it best (and I am paraphrasing since I cannot find the thread at this time) "There is really nothing wrong if you don't mind a cert that qualifies you as 1337." Of course this is also from a company that has an LPT (Licensed Penetration Tester), which raises to mind "Who are they to be licensing anyone?" but I withdraw; it is up to you to decide.

Personally I would be very skeptical of any certification that is tagged as a vulnerability assessment professional, as vulnerability assessments are supposed to be a long, drawn-out process touching on various domains of security to ensure a complete analysis of a given system. Depending on what you are looking at doing, of course. You could just be an application vulnerability assessment professional (basic fuzzing, secure processing review, etc.), or an enterprise-wide vulnerability assessment professional (networks, applications, policies, personnel, comm systems). A lot really depends on your skill level, what you want your skill level to be, and how dedicated you are to this discipline.

As for certifications, if you insist on them, I wouldn't get any one cert. I would cover the board in relation to what you are going to be focusing on. If you are working on applications, cover OS certs, any sort of programming you can find, not to mention basic Security+, and general knowledge SANS certs. If you look through certification books and it just lists off tools to use, run away. If anyone goes into tools, without first going into the theory behind the exploit, demand your money back.
Being a good pen tester requires actual programming skill (you will need to test for those brand new exploits that haven't had a Nessus Audit created for them yet), not to mention being able to write a few of your own. If you can verify your tools that you download, then I wouldn't sell yourself as a vulnerability assessment professional yet. Hook up with someone else to learn some of the ropes if you can.

Hope this helps.

Regards,
Simmons

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of neo anderson
Sent: Wednesday, May 09, 2007 11:26 AM
To: security-basics () securityfocus com
Subject: Vulnerability assessment certification

Hi List,

I was wondering whether there is any globally recognized certification aimed towards tagging you as a "vulnerability assessment professional". If so, I want to know how advisable it is to go for. What is the extent of "Career Advancement" for someone with a Security+/CEH-like entry level certification?

Thanking you in advance.