Certification Spotlight: Offensive Security’s OSCP

by Chris 25. November 2011 08:06
OSCP Certification Test

From time to time, MyCPEs.com will spotlight certifications, certifying bodies, or providers of great continuing education content across all professional industries. In this spotlight, we’re highlighting Offensive Security and their Offensive Security Certified Professional (OSCP) certification, which is based on their Penetration Testing Training with BackTrack course.

We chose Offensive Security for our inaugural Spotlight because of their unique approach to certification in a field that is extremely technical, constantly evolving, and a highly sought skill set within the IT security community – penetration testing.

In recent weeks, we’ve been initiating a lot of discussion at the MyCPEs.com blog and across our social networks about the true value of professional certifications – including their short comings and their overall benefit to various professional industries. The model used by Offensive Security to provide certification in the area of penetration testing can stifle many arguments of those that feel certifications have turned into a revenue stream for certifying bodies rather than a service to professional communities.

Many (if not most) certifying bodies use multiple choice tests to assess knowledge and substantiate proficiency in a certain professional discipline either by choice or because the expertise in the subject matter cannot easily be demonstrated (vice tested) by potential candidates. For example, it would be tough for the Project Management Institute to derive a mechanism to demonstrate proficiency for project management professionals in any manner other than a written test. The alternative might be to give candidates a project to manage, monitor their approach, evaluate the success of the project, and only then provide their PMP credential? That’s really not reasonable or feasible. However, in the world of penetration testing, this is exactly the approach that Offensive Security takes. They require their candidates to demonstrate proficiency in a lab rather than simply memorizing facts and regurgitating them on a written test.

I recently conducted a short, written interview with Mati Aharoni, Founder and Lead Trainer at Offensive Security, about Offensive Security’s model for certification. Mati wrote, “What we are testing is two-fold. First, the technical skills that you have obtained in the course of training. Second, we are testing your ability to think out of the box in a real world situation. Some of the systems the students encounter in the course of the exam are not covered directly in the course of training, however by using the skills that are covered in the training, they should be able to solve the problems. While some may consider this to be unfair, we believe this is extremely important to ensure that all certified personnel have proven they do far more than simply memorize and regurgitate information.”

Taking this approach really sets Offensive Security apart from their counterparts in the penetration testing certification arena. The OSCP credential substantiates real-world skill sets by requiring candidates to immerse themselves into a diverse environment where they are expected to craft custom exploits, seek out and identify security flaws, and ultimately exploit weaknesses within the environment in order to successfully navigate the certification process. Penetration Testing with BackTrack, the training the certification is based upon, simulates a full penetration test from beginning to end and provides each student with knowledge about necessary tools and testing/exploiting approaches required to compromise targets during the certification challenge.

I asked Mati about the pass/fail rates they typically see with the OSCP, and while their official policy is not to comment on these rates, he did offer some insight about the difficulty of the exam, “…We do experience that students are required to put significantly more effort than what they may be used to from other certification scenarios. Those that don't put out the effort often find they have to re-take the exam.”

When asked who the ideal candidate for the OSCP was, Mati wrote, “Our ideal candidate is someone that has a strong technical background that has experience in both Windows and Linux, with a solid understanding of network administration. Additionally, our courses require a strong commitment and the sort of personality that is determined and motivated to obtain a solid understanding of information security issues. It is worth mentioning that the current Penetration Testing with Backtrack course was originally named Offensive Security 101 as we felt it represented the foundational level of understanding that is required in the industry. However we found that students that had previously attended other training programs were unprepared for the level of effort that our course required. In the end we had to change the name to Penetration Testing with Backtrack in order to better set expectations.”

My summation? The OSCP is the real deal. The CTO and Lead Security Researcher at Proso , Nick Popovich, has had nothing but great things to say about his experience traversing the OSCP training and certification process. He notes that this particular certification is truly a difference-maker when it comes to pursuing penetration testing work in both the private and public sectors.

The OSCP has been offered by Offensive Security since 2006. On its merits, it has truly gained traction in the information security and penetration testing segments of the IT business. Largely, I assume, because of the value it brings to organizations that do in-house penetration testing or provide penetration testing services. Mati also pointed out that Offensive Security, “has students from various backgrounds outside of security that gain a lot from the courses. For instance, system administrators find that the understanding they gain in the course of the Penetration Testing With BackTrack gives them a deeper understanding of not just how to better secure their systems from attack but also stretches them and helps them be better system administrators overall. This is true as well for our Advanced Windows Exploitation course, as Windows programmers find they gain a better understanding on the sorts of common mistakes that are made in programs that allow exploitation to occur.”

The approach used by Offensive Security is one that garners a lot of respect in the information security arena. It's a shame that all certifications cannot be provided based upon performance and demonstration of mastery of a particular discipline, but because of the nature of many disciplines, this approach to certification is simply not an option and multiple choice tests must prevail. I wonder why all certifications that could be validated by demonstration are not, and why the multiple choice test is the preferred method for credentials that could be confirmed in more meaningful ways.

MyCPEs.com is a free online tool built to help certified professionals manage and track their continuing education. Sign up for a free account now.

Tags: , , , , , , ,

Discussion | News | Opinion | Spotlight | Technology

Comments (4) -

Nick Popovich
Nick Popovich United States
11/25/2011 10:01:20 AM #

Also, I think it's worth pointing out to those who are multiple credential holders that the OSCP course I took counted for 40 CPE's for ISC(2).  So, not only can you engage in some excellent hands on training, you can gain valuable CPE's for maintaining your current industry certifications.

I do feel that the OSCP is a must for anyone in the security realm, especially those interested in the highly technical aspects of IT security.  However, those of us that work in Infosec are almost required to have certain credentials to "make it" in this field (especially if you want to be hired by many companies).  I think some of the security certifications out there that are not as intense as the OSCP do have their value, namely: they can introduce people to the IT security concepts and theory that is relevant to this line of work.  Should industry certification holders be put on a pedestal?  By no means.  Does simply holding a certification from a major certifying body make you a good security practitioner?  No.  But, continuing education is a must in this field, and there are many different delivery methods and certifying bodies.  A healthy mix, I think, is good.  It can give you depth and exposure to a lot of different areas of IT security.  And, frankly in some cases you won't get your resume reviewed or you'll get passed over for work if you don't have some "expected" certifications.

Finally, the amount of effort I put into, and the value that I took away from the whole experience with the Offsec training makes the OSCP a cert that I am truly proud to have obtained.  I look forward to taking more training from them (and tracking my CPE's from said training on mycpes.com)!


Stephen Sims
Stephen Sims United States
11/26/2011 11:25:07 PM #

You get 46 CPE's for my course. Smile Just stirring the pot.

Steve Sims, GSE, MSIA


Nick France
8/13/2012 4:34:21 PM #

.46 CPEs ... but you pay about 4times the price of the Offsec training..


Bilal Algeria
12/19/2012 11:14:13 AM #



Add comment

  • Comment
  • Preview


<<  July 2016  >>

View posts in large calendar

Page List


Comment RSS