Kilala.nl - Personal website of Tess Sluijter


CompTIA goes live with two new beta exams: SecurityX and Pentest+

2024-05-18 00:17:00

I guess most people know by now that I'm a sucker for beta-testing exams. CompTIA went live with not one, but two new betas!

They have published the exam objectives here.

I just spent five hours doing a comparison of the PT0-002 and PT1-003 objectives. The changes to Pentest+ are pretty extensive. Many small details are swapped out. Two big areas are swapped: there is much less focus on mobile (app) pentesting and there is much more focus on the SDLC and containers. 

Here's my comparison. It shows which objectives were carried over from 002 to 003, but also which were added (green) or removed (red).



MCCT (Modern Classroom Certified Trainer) done

2024-05-13 08:58:00

This weekend I had a few spare hours to laze around in my hammock. What better way to spend them, than to do some quick brushing up on my training skillset?

Logical Operations have a training and certification they call MCCT: Modern Classroom Certified Trainer. It is currently discounted to $95, including the exam and cert.

MCCT is very clearly targeted at trainers who need to migrate from classroom to digital teaching. The training and certification do not go into didactics and curriculum creation, it is purely about achieving success in digital / remote / asynchronous training.

MCCT is by no means a replacement for CompTIA's now-retired CTT+. 

Training materials consist of 2.5h of video, a PDF book and slide decks. The exam consists of 48 multiple-choice questions, with 36/48 needed to pass. The exam is untimed, unproctored and open book.

My opinions on the matter:

Jon's training impressed upon me once again the importance of community-building, especially in an async class. Yet again that makes me amazed that Practical DevSecOps appear to actively discourage community-building in their trainings. 



Rescuing my homelab

2024-05-10 17:12:00

It's been almost a year since I last fired up my homelab. I haven't had a need for the 20+ VMs since I did my Ansible and CDP exams, as I prepared for just about all the other exams on a smaller, local environment.

A few weeks back I decided to fire up my R710 again, to see if everything still works. It's antiquated and it runs a version of VMware ESXi 6.5.x. Since its boot drive is a USB flash drive, I was a bit worried.

Lo and behold, I am greeted by a pink/purple screen that says:

failed to mount boot tardisk

Whelp... I have some inkling of what that means and I don't like it. Unfortunately the Internet also wasn't of much help, as that exact error appeared only once, on a German forum.

After some messing about, I was happy to learn that my USB boot drive still had a recovery option! Pressing <shift><r> when prompted pops me into recovery mode. It tells me I can restore a previous install (which curiously had the exact same OS version), which I did.

By the sounds of it, all my VMs are booting again. :)

Now to make a backup of that flash drive!



Trying out two certification exams: CASA and Cloud+

2024-02-02 07:28:00

In 2020 I took the CV1-003 CompTIA Cloud+ beta. Back then I wasn't really impressed with the quality of the exam. Well, it's time for the next version!

A few weeks ago I took CV1-004 for $50, to see if it's better than last time. Yes, but no. 

The questions on the new beta were more diverse than last time. And I still like the exam objectives / curriculum. But in general, I wasn't a fan of the exam questions. I know CompTIA often has questions where you're not supposed to think from real-life experience, but this time around it's really pretty bad. You know that meme of grandma yelling "that's not how any of this works!"? Well, that was me.

Especially the PBQs felt like CompTIA were struggling to come up with something that works. And if I have to see one more white-clouds-on-blue-sky stock photo I'll scream. 

Jill West, an instructor on CIN, wrote it pretty eloquently:

"That was a bizarre exam. Only one of the PBQs really seemed appropriate to the test [...] Some other questions seemed like someone was looking at the objectives to write their questions but didn't really understand the concepts; they just used several items from the objectives as "wrong" answers when those options really weren't congruent with each other [...]"

So yeah. If there's a student interested in learning about cloud computing, I would suggest they read the materials, but I wouldn't suggest they take the exam.

===

After passing PDSO's CASP API security exam, I thought I'd look at some of their competition. I'm still going through APISec University's courses (which seem good), but I also gave their CASA exam a quick shot. 

In short: I will definitely recommend their training materials to students, but not the CASA. CASA is:

  1. 100 questions
  2. Open book
  3. Unproctored
  4. Untimed
  5. ... and it rings in at $125

Points 2, 3 and 4 unfortunately mean that, from an employer's point of view, the certification isn't worth much, because there's no guarantee that whoever has it didn't cheat in some way. Basically that is my biggest critique of PDSO's exams as well (which have points 2 and 3, but not 4).

The questions on the test were well written, so that's something. They are a decent way for someone who's taken the APISecU classes to test themselves. And the potential employers will simply need to do better BS-testing in interviews. :) 



Book recommendation: Microservice APIs, by José Haro Peralta

2024-01-21 15:21:00

In the months leading up to my PDSO CASP studies I read José Haro Peralta's "Microservice APIs". On and off, between classes and between other things I was learning. It's been a long read, but I can heartily recommend it.

I can honestly say that José's excellent book is what taught me the most I now know about how APIs work! And it most certainly made a lot of things clear, which I also learned about in CASP. 

Before I read "Microservice APIs" I had a foundational grasp of how REST and SOAP APIs look from the outside, as consumer. I'd used OpenAPI specs, I'd read through WSDL files and I'd made API calls through HTTP. But I never really understood how it all worked on the server side. 

José's book makes all of that server side magic crystal clear!

The book explains foundational and deep technical aspects of building multiple interacting APIs, which together form the backend of an online coffee product shop. And José shows all of it! All the Python code to load the frameworks, to write the queries and to build the endpoints. All of the code needed for GraphQL and two different REST implementations. And even a bit of authentication and authorization! Heck, appendix C of the book turns out to have exactly what I was looking for when I wanted to learn about integrating OIDC and OAuth into the authorization checks of an API!

If you hadn't guessed yet: "A+ would recommend".



PDSO CASP exam done! Let's review!

2024-01-21 11:22:00

Almost a month ago I started my studies for PDSO CASP, or Practical DevSecOps - Certified API Security Professional. That's a whole lot of words! 

I've taken two PDSO classes and exams before: CDP in 2021 and CTMP in 2023.

Yesterday I took the exam and boy-howdee! did I get off on the wrong foot! I thought I'd booked the exam to start at 0800, but when I was brushing my teeth at 0645 the exam instruction email arrived! My own fault and luckily I was at my desk in fifteen minutes... I didn't miss any time, I was just a lot less relaxed than I'd hoped to be. 

It was fun to do another hands-on hacking exam! Six hours of happy hacking! Having said that, I have one thing to nag about. 

The exam did not test anything new. PDSO themselves in their training materials always advise: (paraphrased) "if you do all the labs and take careful notes, you will do well on the exam". They said it with CASP, they said it with CTMP and with CDP. 

With CDP there was additional depth to the exam insofar that you needed to apply concepts that you had learned to new technology. For CASP that did not ring true. And I understand why PDSO took this approach. CDP was about implementing CI/CD pipelines, while CASP is about attacking (pentesting?) APIs. And one does not "simply pentest" five different APIs in six hours time. 

In my feedback to PDSO (and I gave plenty of it) I suggested that they could make a proper competitor to APISecU's ASCP exam by creating a second, longer and more in-depth exam. If PDSO made CASE (certified API security expert) which lasts twelve hours and has you do proper recon and attacking, I'd be all over that!

In essence the difficulty level of PDSO CASP is not defined by the technical challenges, but by time management and by foundational understanding. If you didn't do the training and labs, or if you don't have prior API pentesting experience you will fail. And if you cannot do those five challenges in six hours, while collecting evidence (screenshots, logging, code), you will fail. 

Speaking of which: the reason why my reporting went so well is because I adhere to the most important lesson I learned from BHIS and John Strand: "Document as you go."

You will need to be picky about how you attack the challenges and you will definitely need to timebox. In my case the challenges were worth 20, 20, 15, 25 and 20 points and I needed 80 out of 100 points to pass. Having said that...

The exam assignments are clear and complete, as is the list of requirements for your reporting. PDSO make it very clear how you will be scored and they give you every opportunity not to fail. 

The team at PDSO are very responsive. Support for the training and exam is arranged via MatterMost and you will always find someone from the team online. If there's a technical issue, they will report on it very quickly and they will make good time in resolving the issues.

Having said that, I am surprised at the lack of community building on MatterMost. They have 2500+ students on there and the community chat is very quiet. And every time that someone does ask a question about course contents, they are immediately approached by someone from PDSO to tackle the question in DMs. There is no community building or involvement. 

Then there's one final, big factor which I feel detracts from the professional value of the PDSO certifications: validation. 

At no point before, during or after my exam was my identity verified. There is no proctoring, no session recording, nothing. My exam could have been done by anyone. I could have used any method of cheating and they would not know. My report could have been written by anyone. 

This will automatically devalue the certification for prospective employers. Instead of relying on the certification body, the employer will need to apply their own bullshit detector to verify if the applicant actually has any API hacking experience. 

Mind you, this is not unique to PDSO. APISec University have the same problem with their CASA exam which is unproctored, unvalidated and open book. I haven't taken APISec's ASCP yet, so I don't know if that's proctored. 

...

About the CASP training itself? I liked it well enough and it did teach me quite a few new things. It's just that at a few points I really wish they'd gone more technically in-depth than they did. Don't get me wrong, they already go pretty deep on a lot of topics, but I wanted more. Case in point: I did two 6-8 hour deep dives on OAuth and on OAuth+OPA to really understand how a technical implementation in code would work. 

It was time and money well spent!



Learning more about OIDC, OAuth and OPA

2024-01-15 20:12:00

Almost a month ago, I did a deepdive on how OAuth really works, as part of my preparations for the PDSO CASP exam. 

Well, it's time for another one! Because I really wanted to know how you would use OAuth in conjunction with OPA (open policy agent) to drive the access controls on your API and business logic. 

I spent another six hours, watching videos and reading through sample code to put two and two together. Here are links to resources that really helped me.
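To make the OAuth-plus-OPA split concrete, here is an added example that is not from this post, its linked resources, or PDSO's materials. It models the pattern in plain Python: the API first authenticates the OAuth bearer token (signature and expiry), then hands the resulting claims plus the request to a policy decision point, the way an API would send an input document to OPA. OPA itself evaluates Rego; to keep the block runnable offline, the policy is a small Python function standing in for the Rego rule. The HS256 tokens, the shared secret, the scope table and the sample requests are all constructed assumptions of mine.

```python
"""Added example: OAuth token check + OPA-style policy decision for an API.

Assumptions (constructed for this example, not from the post):
  - access tokens are HS256 JWTs signed with a shared secret;
  - the policy is modelled as a Python function instead of a Rego rule;
  - scope names and the "owner may read own order" rule are made up.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Stand-in for the authorization server: issue an HS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """OAuth side: authenticate the bearer token. Returns claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg=none and alg confusion
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64 / JSON / wrong segment count
        return None
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        return None
    return claims


# Policy data: which OAuth scope each (method, resource) pair requires.
# In a real deployment this would live in OPA's data document.
REQUIRED_SCOPE = {
    ("GET", "orders"): "orders:read",
    ("POST", "orders"): "orders:write",
    ("DELETE", "orders"): "orders:admin",
}


def policy_allow(opa_input: dict) -> bool:
    """Stand-in for the Rego rule: decide purely from the input document."""
    needed = REQUIRED_SCOPE.get((opa_input["method"], opa_input["resource"]))
    scopes = opa_input["token"].get("scope", "").split()
    if needed is not None and needed in scopes:
        return True
    # Business rule: a caller may always read an order they own.
    return (opa_input["method"] == "GET"
            and opa_input.get("owner") is not None
            and opa_input.get("owner") == opa_input["token"].get("sub"))


def authorize(token: str, method: str, resource: str,
              owner: Optional[str] = None,
              now: Optional[int] = None) -> Tuple[int, str]:
    """What an endpoint does: authenticate (OAuth), then ask the policy (OPA)."""
    claims = verify_token(token, now=now)
    if claims is None:
        return 401, "invalid or expired token"
    opa_input = {"method": method, "resource": resource,
                 "owner": owner, "token": claims}
    return (200, "ok") if policy_allow(opa_input) else (403, "denied by policy")


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_token({"sub": "alice", "scope": "orders:read", "exp": now + 600})
    print(authorize(tok, "GET", "orders", now=now))
    print(authorize(tok, "DELETE", "orders", now=now))
```

The point of the split is that the endpoint code never contains an authorization rule: it only establishes who is calling (the OAuth step) and forwards facts to the policy. Swapping the `policy_allow` function for a real OPA query against the same input document changes nothing in the endpoint, which is what makes the business logic auditable in one place.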



Why can't vendors just make practice exams, just like the real thing?

2023-12-31 13:29:00

On Discord someone asked why it's so hard for vendors to "just" make practice exams that are just like the real thing? To them, it seemed like an obvious market gap! And to be honest, who wouldn't want a proper test run while prepping for Security+, LPIC1 or even CISSP?!

Now, I'm no expert, but here's what I told'm...

Most importantly it's because you absolutely have to blackbox the practice exam creation. There can never be any doubt whatsoever that you as a vendor stole copyrighted materials or that you lifted questions and concepts from the official materials.

You have to have proof of your process and show that none of your personnel have ever taken the real exam. This means you have to hire a group of SMEs (subject matter experts) and have them create a testbank of 2000+ questions which cover all of the exam objectives for that one exam. But they're not allowed to look at official materials ever; possibly not even the objectives themselves.

And then you have to do that ten-or-so times, to cover all the exams. So basically at that point, you are making a brand new exam and you're competing with Linux Foundation, LPI, ISC2, CompTIA, etc.

It costs a huge amount of money.

Since we're in an IT forum I can safely point you towards this, which is strikingly comparable... Look into how Compaq reverse engineered the IBM PC BIOS, so they could make IBM PC compatible devices. Very similar.

For the exam questions, taking the Compaq analogy, it would mean that you need to have a team that creates a very precise set of requirements and design decisions. Theoretically they could look at what CompTIA and other vendors do.

Then you would need that second team of actual SMEs to write those hundreds or thousands of questions, based on the specifications written by the first team.

And then possibly, you could get exams which are very close to what CompTIA does. 

