8

Currently finishing my degree in computer security and have a few years experience in IT support and want to get into a junior pen testing job or similar.

Would the OSCP certification do me any favours? Does it carry any weight? Is it recognised by companies in the UK? From what I've read, the OSCP seems to be the most enjoyable and actually involves using your brain, while the others are mostly "read the book, pick the multiple-choice answer".

Really, what else can I do to improve my chances of getting a job interview? I've got a home lab that I experiment with; bar that and my degree, I've not got experience.

Andrei Botalov
com truise

4 Answers

3

Unfortunately, in the UK most companies want you to have the local ones, CREST and CHECK, and of course SANS. OSCP doesn't sell as much as them, or as ISC or EC-Council.

My advice for you would be to first start with CEH, then GPEN, and with more experience you can go for OSCP.

To be honest, OSCP is not an entry level into the world of PT. I would first suggest you practice all the Metasploitable, DVWA and similar tutorials, get a couple of books like Metasploit: The Penetration Tester's Guide and Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide, and most importantly, have motivation and practice.

Now, having these certifications is a plus, but when you get an interview at, let's say, the big 4, security boutiques, telcos and the like, the most important thing is for you to be able to communicate the issues with the client at all levels. The thing is, there is no real way to "learn" that. Apart from that, you need to have solid networking skills, an understanding of OSes, databases and how everything communicates, basic scripting and the like. A very simple question like:

Let's suppose you're doing a PT, and in the middle of it you trigger something and the Exchange server crashes. The client wants you to continue with the PT and meet the deadline, but without touching the Exchange server.

The best thing for you would be to get a job as a network admin (junior pentest opportunities are out there, but extremely hard to find), and most of these... well, they won't teach you anything you cannot find on the internet, and they will most likely never send you to meet with a client and discuss how you're going to scope a pentest and the approach you will take.

Good luck, really! Try maybe working as a security consultant and talking with the guys that do PT to gain experience; it's a lot about self-study.

winsmak
    OSCP is CREST-equivalent: http://www.crest-approved.org/professional-qualifications/oscp-and-crt-equivalency/index.html – schroeder Jul 11 '16 at 22:00
  • @schroeder CRT is an entry-level one. Offensive Security doesn't mention anywhere that CRT is equivalent to OSCP. So it only works one way. As of today, OSCP holders still need to sit CPSA to get CRT-certified – winsmak Jul 11 '16 at 22:25
2

OSCP is recognized in infosec. Others include CEH and the myriad of SANS certs (SANS certs probably have better brand awareness in general). Though certs are nice to have and may open doors (only with HR), experience is more important than pure certs. In other words, if you want to work with an "elite" group of pentesters, certs may not carry much weight. However, if you want to work for an organization that "churns and burns" pen testers, having an OSCP may get you the job.

If anything, consider actively participating in the infosec community. Security conferences are always looking for volunteers, and volunteering offers you the chance to learn important concepts and industry trends for a low (or no) cost, and can give you chance encounters with key people in the community. Infosec Europe just rolled through London, but there are plenty of other groups/conferences that you can attend.

bangdang
2

As long as you understand what a certification is for. The training for the OSCP is what you really want. The paper at the end is simply a trophy.

As I have said before, it's not the certs you have but what you have done that counts. If you can explain in a single sentence how you have accomplished a task in the past, then that is more valuable than the cert. The PWB class can help you get that experience and give you the tools to gain even more.

My advice: get the training and get the cert. Put it on a resume, but focus your resume instead on what you have done, in practical terms. After the course is done, continue to take on new skills, learn one new tool or technique every week, and participate in the security community.

Certifications can get your foot in the door of opportunities to work with the pros in the field and work with them. Leverage it, and your own skills, to be able to take on new challenges.

Good luck!

schroeder
2

In the UK, yes, OSCP is the way to go in my opinion; it is well recognised within the industry because the exam is hands-on, and the labs are great too.

The real "must have" certifications for UK pen testers are the CREST and CHECK certifications, though; but they are aimed at experienced pen testers, and for CHECK you need to have security clearance.

Start with OSCP and go slow; learn everything you can from the course and it will serve as a really good introduction to finding and exploiting vulnerabilities. Also be sure to learn operating system administration to a good level. This is important because a lot of penetration testing is performing the actions of normal users or administrators, but with the intent of reaching a specific goal such as stealing information.

airloom
    How does OSCP compare to CREST or CHECK? Does OSCP help you when you go for CREST/CHECK, or are they too different? – schroeder May 07 '12 at 17:55
  • OSCP and CREST signed a partnership as of 2015. http://www.prnewswire.com/news-releases/crest-signs-new-partnership-with-offensive-security-to-improve-the-standards-of-information-security-520589702.html – Shankar Narayana Damodaran Sep 19 '15 at 16:23