
I'm looking for a certification for Web Application Security and Web Pen Testing. Via Google I found the following two:

How well regarded are they? Are there other ones? How difficult are they? What is needed for preparation?

Gumbo

5 Answers


I've not done the GIAC one, but I have got the CREST Web Application Tester certification, so I can comment on that.

  • I'd say it's pretty well regarded, specifically in the UK penetration testing/ethical hacking industry. The CESG equivalency that @RoryAlsop mentioned is important for government work in the UK, and it's also regarded as a good indication of a candidate's skill match for UK testing companies (as several of the larger ones helped to design it).

  • As I mentioned on another question recently, I reckon that the CREST exam is the hardest professional exam I've taken. To put that in context I've done ~30 professional exams across IT and security over the last 15 years. It's got a tight time constraint and requires practical knowledge as well as theoretical knowledge to pass.

  • Preparing for it can be tricky as (as far as I know) there's no specific training course you can take. Personally I wouldn't recommend trying it unless you're an active web app tester. If you are going to take it, then review the syllabus that's available on their site and make sure you're comfortable with all the areas it mentions. I'd also recommend reviewing the Web App Hacker's Handbook and ensuring you're comfortable with the various areas that it describes.

Rory McCune

You might want to see the following questions on this site: Professional certifications for IT Security and International pentester certification. They give some partial information about various certifications, even if it is not necessarily everything you are looking for.

D.W.

There aren't a huge number of certs around, especially if you are looking internationally.

First off, have a look at the International link in D.W.'s answer.

Personally, I think the two you have found have the highest reputation in the UK, but you could also look at the Tiger Scheme for another perspective. Like CREST it holds CHECK equivalency from CESG, the National Technical Authority for Information Assurance in the UK.

Rory Alsop

I would like to recommend the vendor-neutral certification SWADLP (Secure Web Application Development Life-cycle Practitioner).

The scope of the Secure Web Application Development Lifecycle Practitioner (SWADLP) program covers anyone who is involved in the application development process, from both the management and the technical side.

Management (Program/Project Managers, Assurance Team, Leads, IT Director/Manager)

  • Methodologies for Security Risk Evaluation and Management

  • Implementation of Security Controls at Low Cost

  • Integrating Security across Life-cycle

  • Gathering correct Security Requirements

  • Building Security Checklist

  • Deployment of Security Gates

  • Handling Security Compliance & Regulations

  • Security Patch Management Program

  • Managing Security Assessment Processes

Application Development Engineers (Architects, Developers & Testers (QA))

  • Secure Design Implementation, Review and Optimization

  • Secure Coding Practices & Review Guidelines

  • Security Testing methodologies, tools & techniques

  • Analysis, Detection and Handling of Application Security Threats

Software Consultants and Web Application Security Analysts (Penetration Testers, Auditors, Analysts and Consultants)

Anyone who wants to deep-dive into the Web Security Testing process, tools & techniques: https://www.hack2secure.com/certification/web-application-security-swadlp

Naveen
  • Are you affiliated with hack2secure? If so, could you edit your answer to mention as much (and possibly, if you are not, edit your answer to say as much). SWADLP _seems_ to be delivered only by hack2secure, hence the question. Per https://security.stackexchange.com/help/promotion, if you were linked to them, you should make that clear. – iwaseatenbyagrue Mar 20 '17 at 08:38

I would check out the OSWE (Offensive Security Web Expert) certification by Offensive Security: https://www.offensive-security.com/information-security-certifications/oswe-offensive-security-web-expert/

Offensive Security is known for giving some of the most hands-on certifications you can get: no multiple-choice questions, 100% hands-on over a 24-hour-long exam. If you pass it, there is no one who can refute your skills. It is truly a difficult exam.

I have seen this certification popping up on a lot of job postings under "Desired skills", as well as Offensive Security's OSCP (Offensive Security Certified Professional) certification.

A colleague of mine who took one of Offensive Security's certifications said that after he added it to his LinkedIn profile, he was getting contacted at least once a week for job interviews.

nd510