Penetration Testing mailing list archives

RE: Learning vs. Play Time


From: "Robert E. Lee" <robert () dyadsecurity com>
Date: Fri, 06 Feb 2004 15:56:56 -0800

Bartholomew,

For me, the value of a class is not in the test or even the
certification at the end. The lasting value is in the knowledge and
skill set that you refine and take with you back to your job.  I also
have made lasting relationships from the classmates, students, and
instructors that I've met over the years.  All of these mean a lot more
to me than the "e-i-e-i-o" at the end of my name.

I gravitated towards the OPST/OPSA classes because they fill a role I
felt was missing in the security class space.  Many non-vendor specific
security classes have a very narrow tools based focus.  While I agree
that knowing how to use your tools in a test is important, I feel
knowing why and when to use them is far more important.  Knowing the
politics involved in testing, going over internationally accepted
testing practices, and reviewing regional and national legal regulations
are just as much part of the job.  These things are not merely
important, but are required to be successful in your role as a security
tester.  In addition to the intensely technical aspects of the testing
process, this is what the OPST represents; the "professional" side of
security testing.

The CEH class represents the other kind of class.  One that is "flashy",
"fun", "exciting", but not overly useful to the serious professional.
While I have a lot of respect for Clément (one of the instructors for
Intense School), I have very little respect for any organization that
markets "hacker" classes.  This includes the so-called ethical hacking,
applied hacking, exposed hacking, grandmother hacking, squirrel hacking,
super-duper 3y3 4m 31337 hacking, or any other fancy way of saying
"Learn how to think and act like the bad guys".

While choosing where to spend your time and money, consider the
community you are aligning with.  If you look at ISACA, SANS, ISC2,
ISECOM, etc., they all have a true dedication to security and the
betterment of the global information security community.  Contrast the
value of being affiliated (via education/certification) with any of
those organizations over a piece of paper and a cd of toys.

Sincerely,

Robert

Robert E. Lee
CTO of Dyad Security, Inc.
http://www.dyadsecurity.com

-----Original Message-----
From: Bartholomew, Brian J [mailto:BartholomewBJ () state gov]
Sent: Friday, February 06, 2004 8:13 AM
To: 'pen-test () securityfocus com'
Subject: RE: OPST vs CEH

I have taken the CEH but not the OPST.  The CEH is kinda simplistic, and
pretty easy to pass.  I have not taken the OPST, however, I have heard that
it is much more in depth and more difficult to pass.

To sum it up...If you are looking for letters after your name and a good
base to start with, go for the CEH (it can't hurt).  If you want to take a
more detailed, OSTMM sponsored test, take the OPST.  What the hell, take
both if you really like a challenge :)



