SANS SEC542/GWAPT Review

I February 2017 I participated in the SANS course SEC542 “Web App Penetration Testing and Ethical Hacking” held by Spanish instructor Raul Siles in Oslo, which I followed up taking the certificate attempt for GIAC GWAPT. Here is my feedback on it.

Class Environment

The course was held in Radisson Blu Plaza Hotel which was really amazing. The class room was clean, big and everything you would expect from a premium hotel. Everything from coffee, smoothies, cookies, fruits and other small dishes were available throughout each day, right outside the class room. In the first days we were disappointed by the lunch, because it was too little food. We were just given a single plate with some grams of fancy food on it. This was quickly changed and we got free for all buffet with tenderloin and other premium tasty food for the rest of the course.

Class Content

The course material is of really high quality and seems to be updated and polished by feedback after each held course. I wish we also got the material as PDFs and not just on paper, but the reasoning being pirating issues. The amount of theory and practice seems perfect, but overall the material is rushed through. The reason is that there is so much content and so little time. Be aware that if you lack general Linux and web skills you will fall behind very quickly. I would never suggest going to this class without the prerequisites described in the course details. I also think you will learn a lot from this course even if you know 90% of the content before hand, because you will relearn everything from a another angle and make you think differently about things. The CTF contest was really fun and a perfect ending for the course!

Each day lasted from 9:00 a.m. to 5:00 p.m and the content was structured over the week like this:

• Introduction and Information Gathering
• Configuration, Identity, and Authentication Testing
• Injection
• JavaScript and XSS
• CSRF, Logic Flaws, and Advanced Tools
• Capture the Flag

I wish each day started earlier and/or lasted longer to get through the content at a more peaceful phase.

The Instructor

The instructor, Raul Siles seems highly technically talented and always keeps up with the scene. The only issue I have with him is that his English is far from perfect, pronouncing words with heavy accent. Mix this with his really fast way of talking and you have a bad combo. He is also a mastermind at referencing The Matrix, which I regard as an important skill.

The GIAC GWAPT Certification

Some time after the course I started a practice exam without rereading the content to see where I was standing. I passed the exam with ease, which is built up of 75 questions with multiple choice answers. I can’t stress enough how bad this concept is, because this is the worst form of an exam there is. A certificate should be practical and hard, to reward talented people and not be available to anyone with money. Not only are questions stupid, but there are questions that try to trick you, which doesn’t prove anything at all. Questions like “How do you write a comment in programming language X?” is worthless. I would say about 20-30% of the questions from the practice exams is included in the final exam, and if you really want to, I bet there are brain dumps all around on the Internet. I gave feedback on a lot of questions and we will see if they will do anything about them.

I really hope no employer takes this certificate seriously, because this is pure pay to get. I will probably write another blog post about how rotten the certificate industry is and compare each one.

Pricing

The total price for the whole course including two online practice exams and an actual formal exam on location was 6509 EUR. I was lucky enough to live nearby so I didn’t have to rent a hotel room during the course, which would up the price even more. Although the course is quite expensive, I honestly think you get more from this one week than multiple classes at a university. The course costs lot of money and feels like a robbery when you compare it to PWK/OSCP, where you get 30 days lab time, course material and a certification attempt for $800. The GIAC certification also only lasts four years, which means you need to spend even more money on renewing them. Though you can partake in another course to renew your other certifications, which doesn’t make any sense, other than to get more money.