Penetration Testing mailing list archives
RE: OPST vs CEH
From: "Pete Herzog" <pete () isecom org>
Date: Fri, 13 Feb 2004 21:44:30 +0100
Hi,

There seems to be some confusion on "certification" regarding the OPST. I hope I can clear this up here for most of you. OPST and OPSA are accredited university classes for which we do provide a certifying exam, aka: certification. While the list of universities providing this is growing, we also have training partners who provide both a version of the university class in bootcamp or similar style and those who provide only the exam with their own pen-testing class before it.

I agree with the one poster who said that you should be wary of certs that are based on their own classes. Our classes are based on a public, free, peer-reviewed methodology, even if it is one we publish. Additionally, anyone can teach their own classes to provide the exams. We make no rules regarding the materials except that we want to review them to assure the rules of engagement are applied.

OPST is only one side of the coin, teaching a professional security testing class teaching a variety of techniques to ascertain the security posture of a system or network, based on the OSSTMM. As you may or may not know already, the OSSTMM does not focus on penetration per se and does not focus on vulnerabilities (bugs). Its focus is primarily testing misconfiguration and poor process, for which vulnerabilities are a sign. The other side of the coin is the OPSA, which focuses on what to do with the data you collected during a test. How to read the signs.

Together, the OPSA and OPST are a strong course in what a security tester needs to know and be able to accomplish from estimate to final report and client meeting (workshop). It also includes the Rules of Engagement, which is as much a code of ethics for security testers as it is for any company providing security. Together the classes accredit a person to provide official OSSTMM Audits valid for insurance companies, government requirements, and any company who needs practical security measures which can actually be measured and repeated.
Companies who come to ISECOM are often looking for a way for the OSSTMM to ease the burden of extensive interviews in ISO17799 audits where it is more practical to use tests in place of interviews (no flames please as no one is looking to fully replace ISO17799 with automated tests). That is the certifying nature of OPST and OPSA: to serve a purpose for accrediting professional security testers.

While you talk about the certifying process of SANS, CISSP, etc., please understand, for this, ISECOM has the academic alliance where we integrate, for example, OPST and OPSA into ESADE's (www.esade.edu) Business Information Security Class of the ESADE MBA program and La Salle's (www.salleurl.edu) Masters Class in IT Security. Here the certifying process is on behalf of the university to complete where we provide a part of the process. And it's for this reason the OPST and OPSA Certificates carry both the La Salle and ISECOM seal. Should SANS, (ISC)2 or anyone else choose to offer the OPST or OPSA, then that would not change our position on this.

For ISECOM, as for most, the process is learning, gathering experience, and improving yourself. A university degree, a successfully completed track, and a well-read and dog-eared security book are all a part of the process. Whether or not a certification is good based on it being "hard" is fairly subjective.

I hope this clears up our position of ISECOM and "certifications" a little better.

Sincerely,
-pete.

Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-----Original Message-----
From: Patrick Prue [mailto:pprue () cogeco ca]
Sent: Thursday, February 12, 2004 05:07 AM
To: Bartholomew, Brian J; pen-test () securityfocus com
Subject: Re: OPST vs CEH

I do have to agree with Brian on the one point: Track 4 is not intended to teach pen-testing. I do hold the GCIH certification and have for a number of years now. The main focus of the materials taught and the certification, as I view it, is more leaning towards the whole incident handling cycle; having the knowledge of the hacker techniques and exploits makes you a better incident handler when it comes down to looking at the root cause of the compromise in the first place. The certification process can be very rigorous and challenging at times.

And as I see the original question posed, I guess the whole intent is what exactly are you hoping to get out of it. The OPST certification seems a lot more centered around the whole methodology of Pen Testing and how to perform it. Seemingly if this methodology was performed by many pen testers they should each turn out a very similar result and report when drawing up the final reports.

Just my 2 cents..

Patrick Prue
GCIH