Choosing A Web Security Certification

How to Choose a Web Security Certification?

If you’re looking for a web security certification, you might have the same dilemma I had some time ago: which web certificate should I choose?. There’s a bunch of certifications created with web security in mind from industry recognized vendor-neutral providers like SANS GIAC, CREST, CompTIA or Offensive Security. And that’s only naming a few. As each one of us has different backgrounds, interests and goals, there’s a big chance that we will also have different experiences with a certain certification.

Personally, I ended up choosing the Offensive Security Web Expert certification from OffSec (see my OSWE/AWAE journey). I narrowed it down to GIAC GWEB vs GIAC GWAPT vs Offensive Security OSWE. But you should choose one that best helps your career. Here are the factors I considered before choosing a web security certification.

Price of Web Security Certifications

Price is probably one of the most important factors for people wanting to join the industry. A GIAC preparation course and exam will set you back over $7000, while Offensive Security certifications are more in the $2000 range. Which is far more affordable. You can also only take a GIAC exam which is approximately $2000. GIAC certifications are highly appreciated though by thousands of companies and most US government agencies. There are employers there that pay for security certifications (on a yearly budget), so that’s one way to get one from GIAC. If you’re on your own, better start with whatever you can afford.

Focus of Each Web Security Certification

While GWEB, GWAPT and OSWE are all web certifications, each one focuses on a slightly different thing:

• GIAC Web Application Security Certification - GWEB is geared towards Software Development and defensive web-application security. Some of the covered topics: Access Control, AJAX, Security Testing, Authentication, CORS, CSRF, File Upload, Protecting Sensitive Data, Input Related Flaws and Input Validation, Serialization, Session Security.
• GIAC Web Application Penetration Tester - GWAPT is focused on the penetration testing of web-apps and offensive security: authentication attacks, configuration testing, session management, SQL Injection attacks, Cross Site Request Forgery, reconnaissance and mapping, etc. I already took the Offensive Security Certified Professional certification which covers some of these aspects, so I figured I wouldn’t get that much information from it.
• Offensive Security Web Expert - OSWE leans towards the offensive side of web-app security, as you build exploits by chaining multiple “inoffensive” (as in low severity) vulnerabilities. The unique aspect of the Advanced Web Attacks and Exploitation course is the way you find vulnerabilities: you get access to the application source code (white-box testing). So it also touches base on the defensive side. Why? Because reading code is a big part of being an Application Security Engineer.

This appealed to me and it was the deciding factor in choosing a web security certification. Mostly because reading source code is actually something that I do frequently at my day job. All the mentioned certifications have preparation courses and have course syllabuses published online. So you can take a look at those to get an idea on the subjects they approach.  

Web Security Certification Validity

Some web security certifications are valid for life, while others have to be renewed every few years. Offensive Security courses fit in the former category, as they don’t have an expiration date. This may count as a big plus for some. GIAC courses however have to be renewed every 4 years. Other providers might have even smaller certification validity periods.

The renewal fee for GIAC courses is not huge (~430 USD at time of writing), however it’s something you have to consider. I think though that there are people that don’t renew them. Reasoning is that you already have the knowledge, at least if you work in the field and actively used those skills. Otherwise, some knowledge will be eventually forgotten. And security moves fast.

Duration of Study and Preparation

GIAC preparation courses used to be available only in a 5 day in-person session, but with the Covid19 pandemic, almost every course is now also available online or on demand. So you can follow them whenever you have time. They still offer online live online sessions, so if you go with that, prepare yourself to take 5 days off from work to participate in the courses. There are courses in several timezones, so you should be able to find one that fits your needs. In terms of resources, you’ll get some material heavy books (1 book/course module) that will be all you’ll need for the exam.

Because the GIAC exams are open book and you have a relatively short time to answer a question, on top of the huge amount of material you need to comb through, most people end up building indexes. It’s a common thing for GIAC certifications. You can bring the book index in the exam to help you find things faster (more on this in the Exam section). It will take some time, but it’s definitely worth it. It’s recommended that you build the index as you go through the course (eg: work on it each evening). This will help cement information and speed up the index building process, as opposed to doing it after the course.

The AWAE course used to be an in-person training that sold-out very quickly. For some time now, it has become available on-demand. You get great resources (PDF & videos), however in typical Offensive Security style, depending on your knowledge, you might have to lookup certain things. This means that depending on the skills you already have, it might take you more or less to understand a certain topic. Hence it will affect progression though-out the course. This also creates some difficulty in estimating when you are prepared for the exam. For GIAC courses, you have your books and index and you KNOW that you have everything. In Offensive Security courses, it might take some time until you get to that level of certainty (even after going through all the materials).  

Web Security Certification Exam

A contributing factor to the above mentioned uncertainty is that you don’t have practice exams for Offensive Security courses. So you don’t really know what the exam will be. And it’s prohibited to share details about it, so you probably won’t find any. On the other hand, GIAC offers practice tests in which you get a feel about potential exam questions. GIAC exams are question based (75 questions) and are usually limited to 2 or 3 hours (for GWAPT, GWEB). As mentioned earlier, GIAC exams are open-book, so you can bring your course materials and the so called “index”. Nothing else is allowed.

On the other hand, Offensive Security are known in the industry for their “Try Harder” motto. Their exams are hands-on (no questions), but more like “hack this and write a report on how you did it”. Because of this approach, the exam duration for AWAE is 2 days. Plus an additional day to write and submit the report. Yes, that is correct. It might sound like a lot of time, but it goes by quickly when reading tons of code. It’s enough time to finish, but there a few reviews online from people who didn’t make it in that allocated time. Either way, in case you go with AWAE, make sure to take 3 days off for the exam. On the bright side, you’re free to look-up anything online during the exam.

A Note On Proctored Exams

All online exams are proctored. You have make sure the proctoring software works fine. And that it stays that way. If it doesn’t, they have the option to fail your exam. That’s might not be a big problem for GIAC, where exams are short, but it’s a different story for Offensive Security certifications. Initially I found it a bit weird that someone will look over me for 48 hours, but at a certain point I got used to it. And even forgot about it. And almost ended up regretting that. Don’t be like me. Don’t forget.

So What happened? I worked on something for hours, “in the zone”, and forgot to check the proctoring software. At a certain point, I started having VPN issues and couldn’t understand why (you need a VPN connection to the exam machines). When I tried to ask the proctor what’s happening, I had a mini panic: the proctoring software wasn’t connected anymore for some time, and I had a few messages from the proctor (“are you there?”).

I realized that they probably cut my VPN access because of the proctoring software disconnecting (VPN is activated only after the proctor verifies everything). At this point, the proctoring software wasn’t reconnecting for some reason. After some router restarts, DNS cache cleans, etc, I decided to switch to a backup Internet connection. And like magic, it started working. Hmm.. Lesson learned: have a backup internet connection for proctored exams. And it should be a good one, as it needs to support webcam video, screen sharing and your exam traffic.  

Web Security Certification Skills & Background

There are several reasons why someone would get a web security certification. Developers and architects passionate about security might want to improve their web-app knowledge. Perhaps some want to switch career paths to Application Security. They might already have some knowledge from their Software Engineering days and a web security certification would help cement or confirm that information, while also helping one’s career.

Seasoned Security Engineers and Penetration Testers have the same goal of improving their knowledge. They might be able to reverse engineer malware, but lack deep information on web-app security. Or they have basic web skills, but want to deep dive into a more advanced subject. So they also get value from obtaining a web security certification.

The GIAC courses give you all the required information for passing the exam. So if you take the course, you just need to learn the books and build a good index. If you only get an exam voucher, you could try to learn the subjects based on the course syllabus. However, there’s always the risk that you’re going to miss something. There are no prerequisites in terms of courses or skills for either of the 3 mentioned web security certifications. However, I think that a Developer background is useful if you go for GWEB or OSWE, and a pen-tester one for GWAPT.

OSWE is considered an advanced certification by its makers, Offensive Security. Passing the OSWE certification involves reading and understanding code in various programming languages. Because of this white-box approach, having solid Software Development skills can be a huge advantage for this particular certification in terms of how easy or hard you perceive the exam. Some Linux/Windows command line skills are useful for the exam, as you would have to do most things this way, without using a fancy IDE. Again, the course syllabus is a great starting point, if you want to prepare ahead.  

Are Web Security Certifications Useful?

There’s a long debate about the usefulness of certifications in general. Some people argue that certifications don’t offer too much value, especially if you already have work experience in the field. I think they can help in several ways: they prove you are (or were) familiar with a particular skill or tool. And that’s helpful if wanting to join the industry or if you’re a seasoned security guy.

First of all, you learn a ton from the GIAC and Offensive Security courses. So that alone is enough of a reason to get a web security certification. Even though you might forget some things, you will be aware of their existence and be able to lookup information whenever needed. Because of the hands-on approach of Offensive Security courses, I think that skills picked up there tend to stick a bit more, compared to GIAC courses. But in the end it depends on how much you actually apply that knowledge in your day to day activity.

Certain security positions require a specific certification, so having it will help you pass the HR screening and might convince the Hiring Manager to pick you over some other candidate without one. Note that these people probably aren’t very technical, so even if you have the skills, you might not get the chance to prove them when you’re in a pool of 200 candidates and 50 of them have certifications. People working in DevOps or Software Engineering would also benefit from web security certifications. These might help people interested in security, make the move to DevSecOps or Application Security roles.

What is the Best Web Security Certification?

There probably isn’t such a thing. You need to choose the one that suits your needs best. If you still have doubts, perhaps my experience with OSCP and OSWE will help you make a decision. Hope this helped and good luck in you security journey!