Hacker News | appsecengthrow's comments

truer words were never spoken

cryptopals was the reason I got into security, everything just pales in comparison.


It always makes my day when people say stuff like that, though cryptopals probably wouldn't be in my top 3 entry-level things for people otherwise considering a certification. Thank you!


I believe that certifications that don't have a practical aspect to them are totally worthless. I work in appsec and recently completed OSWE. The coursework was ok, nothing groundbreaking, learned a cute trick here and there.

Would I recommend it? Yes, especially if the company pays for it.

Company that I work for allows people to spend weeks of their working time preparing for top CTF contests and that is valuable because it is something practical. Just don't waste your time memorizing answers to exam questions.


Why would you recommend OSWE? What's an example of a specific benefit you'd get in appsec (also my specialization!) by holding that certification?


An example would be being able to read source code in different languages (Java, PHP, JavaScript, C#), identify and chain vulnerabilities, and write an exploit script to automate everything.

You can find the syllabus here: https://www.offensive-security.com/awae-oswe/


You're suggesting you might consider getting OSWE in order to learn appsec?


I would not recommend OSWE to learn appsec since it is teaching "Advanced Web Attacks" and assumes that you know the basics.

Something that I think is really interesting is the whitebox approach, which some people in infosec might be missing if they don't come from a developer background and never bothered looking at the code that introduces the vulnerabilities.

If you want to learn appsec I recommend Web Security Academy: https://portswigger.net/web-security


PortSwigger is great. Certifications, on the other hand, are not a good way to learn appsec.


No specific benefit or skill.

Just that I would recommend it because I felt good going through the challenges and that someone took the time to set up VMs and writeups for me.

In conclusion, it was more of a consumption thing than an investment.


Application Security Engineer here. For a developer I would recommend the OSWE certification which takes a more code-centric approach and resources such as https://portswigger.net/web-security and The Art of Software Security Assessment book. You can also leverage your DevOps experience for learning about server, app and cloud misconfigurations and their impact on security.

The demand for network security is not as high as for appsec people and I personally don't see network security as very rewarding (intellectually and financially).

For the Pentesting route I recommend trying some HackTheBox and watching Ippsec's channel (https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA). OSCP is fine, but it is a beginner certification and definitely not enough for getting a Pentest job.

