In February 2017 I participated in the SANS course SEC542 (Web App Penetration Testing and Ethical Hacking), held by Spanish instructor Raul Siles in Oslo, which I followed up by taking the certification attempt for GIAC GWAPT. Here is my feedback on it.
The course was held in the Radisson Blu Plaza Hotel, which was really amazing. The classroom was clean and big, and everything you would expect from a premium hotel. Everything from coffee, smoothies, cookies, fruit and other fancy small dishes was available throughout each day right outside the classroom. In the first days we were disappointed by the lunch, because it was too little food. We were just given a single plate with some grams of fancy food on it. This was quickly changed, and we got a free-for-all buffet with tenderloin and other premium tasty food for the rest of the course.
The course material is of really high quality and seems to be updated and polished from feedback after each held course. I wish we also got the material as PDFs and not just on paper, but the reasoning is that PDFs are subject to piracy. The amount of theory and practice seems perfect, but overall the material is rushed through. The reason is that there is so much content and so little time. Be aware that if you lack general Linux and web skills you will fall behind very quickly. I would never suggest going to this class without the prerequisites described in the course details. On the other hand, I think you will learn a lot from this course even if you know 90% of the content beforehand, because you will relearn everything from another angle, and it makes you think differently about things. The capture the flag contest was really fun and a perfect ending for the course!
Each day lasted from 9:00 a.m. to 5:00 p.m and the content was structured over the week like this:
- Introduction and Information Gathering
- Configuration, Identity, and Authentication Testing
- CSRF, Logic Flaws, and Advanced Tools
- Capture the Flag
I wish each day had started earlier and/or lasted longer to get through the content at a more peaceful pace.
The instructor, Raul Siles, who works as a pentester outside of holding SANS courses, seems highly technically talented and always keeps up with the scene. The only issue I have with him is that his English is far from perfect, pronouncing words quite differently from the way they are meant; mix this with his really fast way of talking and you have a bad combo. He is also a mastermind at referencing The Matrix, which I value as an important skill.
The GIAC GWAPT Certification
Some time after the course I started a practice exam without rereading the content to see where I was standing. I passed the exam with ease. It is made up of 75 multiple-choice questions. I can't stress enough how bad this concept is, because this is the worst form of an exam there is. A certificate should be practical and hard, to reward talented people and not be available to anyone with money. Not only are the questions stupid, but there are questions that try to trick you, which doesn't prove anything at all. Questions like "How do you write a comment in programming language X?" are worthless. I took my other included practice test the day before the actual exam, and I passed both. I would say about 20-30% of the questions from the practice exams show up in the final exam, and if you really want to, I bet there are braindumps all around on the Internet, which will improve your chances of passing even more, but I doubt anyone will need them. I gave feedback on a lot of questions, and we will see if they do anything about them.
I really hope no employer takes this certificate seriously, because this is pure pay to get. I will probably write another blog post about how rotten the certificate industry is and compare each one.
The total price for the whole course, including two online practice exams and an actual formal exam on location, was 6509 Euro. I was lucky enough to live nearby, so I didn't have to rent a hotel room, which would push the price up even more. Although the course is quite expensive, I honestly think you get more from this one week than from multiple classes at a university. 5645 Euro is a lot of money and feels like a robbery when you compare it to OSCP, where you get 30 days of lab time, course material and a certification attempt for $800. That comparison does not, however, take into account the class environment with food, snacks and peers to form connections with.
This is only my subjective personal view and should not be affiliated with my employer.