October 18, 2013 1:58 PM
Posted by: Ed Tittel
For yet another sign that Web-based applications are growing in importance and use, the SANS Global Information Assurance Certification (GIAC) program has added a new credential to its line-up. The GIAC Web Application Penetration Tester, or GWAPT, seeks to train security professionals to analyze and evaluate the security risks that Web applications may pose within organizations, and to help those organizations take the steps necessary to mitigate and address them.
The GWAPT is among a handful of certs oriented toward improving security for web-based applications.
Like most GIAC credentials, earning the GWAPT means passing a single exam (75 questions, 2 hours, 70% cut score). The credential's stated objective is to help organizations find and close “web app holes” which
“…have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting web sites altered by attackers is too high to count. This certification measures an individual’s understanding of web application exploits and penetration testing methodology. Check your web applications for holes before the bad guys do.” [Italics mine, for emphasis.]
Other certifications in and around this rapidly growing area include:
- GIAC Certified Web Application Defender (GWEB): aims at the development side of web security, but also embraces security analysts, auditors, penetration testers, and other security professionals in its coverage
- (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP) advertises itself primarily as a “Web Application Security Certification” and covers the entire development and maintenance lifecycle for software of all kinds.
- Offensive Security Web Expert (OSWE) bills itself as “an entirely hands-on web application penetration testing security certification” that includes both pen testing and code audit coverage, in the context of a 24-hour examination wherein candidates must successfully audit and penetrate specific targets
- Certified Application Security Tester (CAST), a relatively little-known credential from 7Safe, a multi-national infosec, forensics and training company (a PA Group company), bills itself as an “ultimate advanced level application security testing certification” and a “web application testing certification.” This is a capstone to the same company’s “foundation level” Certified Security Testing Professional (CSTP) credential, also described as a “web application penetration testing certification.”
- The Institute of Information Security offers the Certified Web Application Security Professional (CWASP) credential, which covers the basics of application security, security enforcement for web apps, basics of threat modeling and profiling, and more, from the organization that created the highly-regarded Open Web Application Security Project (OWASP)
- Mile2 offers the Certified Secure Web Application Engineer (CSWAE) credential, designed to help candidates master the skills, knowledge, and tools “needed to identify and defend against security vulnerabilities in software applications” including significant hands-on lab content in its training, and a live hacking exercise during the cert exam
- The Information Assurance Certification Review Board (IACRB) offers a Certified Application Security Specialist (CASS) credential that includes significant coverage of web-based applications in its general application security curriculum that focuses on audit and testing of source code, and tried-and-true analysis and penetration testing techniques, along with extensive knowledge of the threat landscape, past, present, and emerging
- Even CompTIA’s Mobile App Security+ puts most of its emphasis on network communications and backend web services, while focusing front-end efforts on Android or iOS for mobile applications security coverage
With at least nine such credentials to choose from, and perhaps more I have yet to uncover, one thing’s for sure: there’s no shortage of options from which to choose. My own inclinations are to put items from GIAC, (ISC)2, and the CWASP (because of its association with the OWASP project) at the top of this list, though all of the purveyors seem to be covering the subject matter with appropriate depth and seriousness. If you know of other items I have missed, please comment here or send me an e-mail (visit edtittel.com for a contact link) and let me know. TIA!
October 16, 2013 1:50 PM
Posted by: Ed Tittel
In visiting the Born to Learn blog this morning on the never-ending search for blog fodder, I was reminded that certain tried-and-true certification exam preparation routines — or what I refer to as “the Drill” in this blog’s title — remain as relevant today as they were when I myself first ventured into IT certification back in the mid-1990s, nearly two decades ago. The post under discussion is entitled “Passed 410! My experience,” and comes from Shaun Tompkins, a full-time network administrator from the London metropolitan area in the UK.
With tongue in cheek, I provide an image of an old-fashioned hand drill to stand for a tried-and-true sequence of cert exam preparation maneuvers.
[Image Credit: Shutterstock 100673161]
There are three interesting things about Mr. Tompkins' blog post that made it well worth the reading. First, he jumped on the exam date because he was running out of time to exercise his Second Shot option (a not unheard-of experience for many of us, including me). Second, even though he expected to fail the exam, he ended up passing, apparently because his partial preparation was enough to permit him to squeak out a passing score. Third, he recites a nice but incomplete rendition of “the old, familiar drill” for preparing for a cert exam, upon which I’d like to expand just a little.
The elements of his preparation for the Microsoft 70-410 exam (“Installing and Configuring Windows Server 2012,” the first of the 70-410, 411, and 412 trio required to earn the MCSA: Windows Server 2012, and a prerequisite for MCSE: Server Infrastructure, MCSE: Desktop Infrastructure, and MCSE: Private Cloud) included the MS Press 70-410 Exam Ref book, a set of MeasureUp practice exams, some TrainSignal training videos, and a set of hands-on activities that included downloading and installing Windows Server 2012, and working with virtual machines on Hyper-V Server and in the Hyper-V role for Windows Server 2012.
His plans for preparing for the next exam in the sequence — namely, 70-411 — are equally interesting: to revisit areas of weakness encountered on the 410 exam, to read through the 70-411 Exam Ref, to use exam objectives and the Born to Learn wiki to establish study points and areas of focus, and to work through more TrainSignal videos and MeasureUp practice tests. He goes on to observe further that “supplementing the book with the videos gives me confidence, and practice exams are always a good study supplement.”
This ends up being a fair partial description of what I’ve long perceived as the old, familiar drill in prepping for cert exams, which I’ll lay out in the form of a bulleted list that includes pointers for cycling back as required to earlier elements in the list:
- Download and review exam objectives to identify areas of familiarity, areas where additional study is needed, and entirely new areas where unfamiliar subjects must be learned and then mastered
- Survey the learning and training materials available to you — these can include classroom, online or video training, full-length books (Study Guides), focused exam prep books (Exam Crams), practice tests, flash cards, simulators or virtualized runtime environments for practice, and more — to help you assemble the learning, study, and practice tools you need for exam preparation
- Take a first practice test to identify areas of ignorance (no knowledge) or weakness (some knowledge, but not enough to get past all related questions)
- Start your reading and study by working systematically through a Study Guide (a detailed, full-length book on the exam) to get a sense of the exam’s complete scope and coverage (skim areas where you’re already familiar and comfortable, dig in depth into new areas or areas of weakness)
- Take another practice test to gauge learning and to identify areas for more in-depth study
- Return to the Study Guide and dig deeply and fully into areas where learning is required, whether for new topics or areas of weakness. Be sure to complete all hands-on exercises, and to bounce between the runtime version of things on a system or network and the discussion of things in the books, videos, and other training materials at your disposal.
- Cycle around the preceding two steps until your practice test score beats the required passing score by 5-10 percent (this gives you a margin you may need when test anxiety in the testing center causes an almost-inevitable decrease in exam performance when taking “the real thing”). As you have questions and concerns, you can turn to additional training materials as you find you need them, and to online communities (like the Born to Learn forums, the many Windows forums online, social.Microsoft.com, the TechNet forums, and other active user-driven areas where technical topics relevant to certification are constantly under discussion).
- Once you reach your goal, schedule your exam as soon thereafter as possible
- Take the exam
- Pass or fail, after the exam is over, sit down and record your impressions, especially as they relate to questions you didn’t understand, found surprising, or that introduced topics, tools, or techniques with which you didn’t feel entirely comfortable. If you need a retake this will help guide your preparation for the next try; if you passed, it will identify areas you need to attend to for subsequent exams or on-the-job deployment of your skills and knowledge
And that, my friends, is the veritable “old, familiar drill” for preparing for a certification exam. If you put it to work for yourself, carefully and systematically, it will ultimately lead you to a passing score, and likewise to earning those certs you seek!
October 14, 2013 3:17 PM
Posted by: Ed Tittel
As I noodled about for today’s blog topic, I found myself digging into the Website of the European e-Skills Association, thanks to a report on the Linux Professional Institute’s announcement that it had joined the organization earlier this year that appeared in the latest GoCertify.com Certification Watch newsletter (Vol 16 #8). It seems that this international not-for-profit organization, formed under Belgian law in June 2007, and usually abbreviated as EeSA, has morphed itself into “a broad stakeholder organization that is committed to e-Skills in Europe, and to working with other major stakeholders in the drive towards growth, innovation, and promoting skills in Europe.” Their vision might be best summed up as promoting and boosting e-skills that include digital literacy, in the belief that doing so will enable European success at both individual and business levels “to foster creativity, promote education, increase potential, drive growth, and take advantage of career opportunities in all sectors across the region.” To me, this smacks rather nicely of the European equivalent of what we here in the USA often refer to as “Motherhood and apple pie,” universal nostrums for feeling good and achieving success.
Another European initiative? You bet, and this one aims to promote digital literacy and general computing skills and knowledge.
At this point, I sincerely hope you’re wondering “What does all this have to do with IT certification?” The key to understanding the outlines for an answer to this question — though details on how all this will play out are still somewhat murky — comes from the EeSA’s mission statement, which reads in part as follows:
Through its members, EeSA promotes the exchange of ideas, awareness raising and good practices at EU and Member State levels; it supports the development of tools and methodologies for the governance of e-skills; and it leads the implementation of concrete e-skills activities in cooperation with other stakeholders. [Source]
The recent LPI press release on their joining the organization sheds more light on what’s up than I could find addressed directly on the EeSA website, starting with that 10/10/2013 document’s title “Update on European e-Skills: ‘Quality labels’ for IT certification.” A recitation of key members of the organization adds some well-known names, including Cisco, CompTIA, EXIN, HP, LPI, Microsoft, and Oracle to the mix, along with the Council of European Professional Informatics Societies (CEPIS) and the European CIO Association. And in fact, LPI has worked with EeSA on IT skill standards to help define a pan-European e-Competence Framework (e-CF) and a so-called “e-skills Quality Labels” program. The idea here is to provide more information to help guide those preparing to enter the IT workforce, or to advance an IT career, “to make informed choices around education, training and certification.”
The recent report in which LPI was involved, entitled “ICT Certification in Europe: Part 2: ICT Certification in Action,” recognized a total of 74 popular industry certification credentials as “accepted and approved” according to the criteria developed as part of the eSkills Landscape Service, which itself includes 50 training and certification programs from the likes of Microsoft, Certiport, CompTIA, EXIN/ITIL, Oracle, Novell/Suse, LPI, Citrix, Red Hat, Cisco, PMI, and others, and a total of 74 individual certification credentials.
The aim of the overall effort is to help practicing and prospective IT professionals with an online self-assessment tool and web portal so they can “distinguish high-quality certifications from those of questionable value” (a dilemma that I can definitely relate to, and that I address regularly in examining and evaluating new certification programs and credentials that pop up with great frequency nowadays). This is an effort worth watching, and checking into periodically, especially as the range of programs and offerings expands to cover more of the overall IT landscape. I’ll also be very interested to see a detailed list of all the certs (a total of 22 from Microsoft, and 13 from CompTIA, for example) that made this grade, along with more information on the criteria used to achieve the “accepted and approved” status to which no doubt all IT certs would like to aspire.
October 11, 2013 2:44 PM
Posted by: Ed Tittel
Thanks to a posting at Born to Learn yesterday, we now know that several Windows Store Apps exams will get an update in the wake of the upcoming release of Windows 8.1 next week, along with the forthcoming update to Visual Studio for 2013. Larry Kaye posted the following list of affected exams yesterday in a piece entitled “Exam/Certification Update 2: MCSD: Windows Store Apps“:
Heading from recent BTL post notifying candidates of upcoming changes to MCSE: Windows Store Apps.
In addition, MS has already posted “details on the exam updates” in a series of PDF download files linked on each of the preceding Web pages. These take the form of a set of Exam objectives, where the left-hand column is labeled “Tasks currently measured” and the right-hand column “Tasks to be added/changed in November 2013.” This makes it very easy for exam candidates to get information about what’s new and changed in these exams, and represents a welcome collection of information from Microsoft Learning to help ease the transition to the new exam content and coverage. A hasty scan of these PDF documents shows that about half of the individual tasks are subjected to adds and changes, so that those who’ve already started preparation under the old regime don’t seem to face a huge amount of work to sit for the newer exams instead. If any of these exams are in YOUR future, you’ll want to check out the blog post, and the exam page additions, at your earliest convenience: November is not really that far away!
October 9, 2013 1:39 PM
Posted by: Ed Tittel
A recent blurb in GoCertify’s Certification Watch (Vol 16 #7) clued us into an interesting side effect of the recent government shutdown, now into its second week. The item is entitled “Your Government Is Not Available,” and discloses that Pearson VUE — one of two major global IT (and other) cert testing organizations — operates authorized testing centers on numerous US Military bases and at other government-run locations.
Here’s a special notice to which government IT pros with imminent cert exam plans may want to attend.
A “Special Notice” on the Pearson VUE homepage currently reads:
A US Government shutdown could result in the closure of certain Pearson VUE Authorized Test Centers located on US military or government sites as well as affect other test appointments of Service Members and federal employees.
In an attached Special Notice, Pearson VUE reports that it continues to monitor the situation closely and will contact any appointment holders who may be affected by this aspect of the shutdown to help them reschedule exam appointments or locations. It also indicates that potentially affected test candidates can contact their testing centers to make alternate arrangements, but also points out that those unable to reach such test centers — themselves likely to be inoperative thanks to the same shutdown — can contact any Pearson VUE customer call center instead.
Whoda thunk it? Government shutdown stymies IT certification plans for military personnel and government contractors? Just goes to show you that the definition of “essential personnel” can’t always be stretched far enough to cover what IT professionals are bound to think of as both essential and important, no matter what Congress and/or the Executive Branch may dictate!
October 7, 2013 1:33 PM
Posted by: Ed Tittel
As of last Friday, Microsoft now offers a very nice discount — it amounts to a “buy 2, get one more free” — on exams for three different MCSEs that focus on Windows Server 2012 (which will soon mean Windows Server 2012 R2, when that new version hits its GA date on October 17/18). Thus, the following MCSEs and related exams are covered:
If you qualify for the 70-417 Upgrade exam, you can now buy into one of these MCSEs for $300 (the price of two MS cert exams).
1. MCSE: Server Infrastructure — Exams 70-413, -414, and -417 (the upgrade exam itself)
2. MCSE: Desktop Infrastructure — Exams 70-415, -416, and -417 (the upgrade exam again)
3. MCSE: Private Cloud — Exams 70-246, -247, and -417 (the upgrade exam one more time)
The obvious connection among the three credentials is the 70-417 exam, whose title provides further clues as to the nature of this offer: “Upgrading Your Skills to MCSA Windows Server 2012.” That is, only those prior MS cert holders who are eligible to take the 70-417 exam are also eligible for this deal. To spell things out completely, that means only those who already hold one or more of the following credentials can take advantage of this admittedly tasty offer:
- MCSA: Windows Server 2008
- MCITP: Virtualization Administrator
- MCITP: Enterprise Messaging Administrator
- MCITP: Lync Server Administrator
- MCITP: SharePoint Administrator
- MCITP: Enterprise Desktop Administrator
Exercising the discount offer requires signing up for an “upgrade pack,” for which the purchase period expires on May 14, 2014. Those who buy into the deal then have until the end of 2014 (December 31, 2014 to be exact) to finish using all the exam vouchers and free retakes (each exam in the upgrade pack qualifies for Second Shot treatment, which makes a very good deal even better, if you ask me).
October 4, 2013 2:33 PM
Posted by: Ed Tittel
In a story entitled “8 hot IT skills for 2014” dated September 23, ComputerWorld reports on areas of “zero unemployment” within the general field of IT (whose latest 6.6 percent unemployment rate as of August 2013 already beats the overall unemployment rate of 7.3 percent for that same month). Here’s their list of items, straight from the source, listed in rank order based on the publication’s recently completed 2014 Forecast survey, which also indicates that about one-third of responding organizations plan to increase IT headcount, with about half that amount (14%) expecting to decrease, and the remainder (54%) expecting to maintain headcount status quo:
For those who know where to look, IT opportunities abound.
[Image credit: Shutterstock 43362081]
1. Programming/application development (with a reported 1.8% unemployment rate according to the US Bureau of Labor Statistics), where the biggest demand is for mobile development skills, and experience in building secure applications.
2. Help desk/technical support, which may be a nice indicator of overall economic improvement because “Organizations mainly add help desk and tech support when they’re adding workers and expanding their technology infrastructure,” according to Scott Melland, CEO of Dice Holdings (parent company of Dice.com).
3. took a big jump from 8th place in 2012 to 3rd this year, thanks in large part to increasing demand for IT pros who possess skills and knowledge in wireless networking, and also, no doubt, to help staff the ever-increasing number of data centers for cloud-based services, big data analysis, and so forth.
4. Mobile applications and device management takes a great leap forward (9th place in 2012, to 4th place this year) because of the onslaught of BYOD and mobile-based information access in a preponderance of businesses and organizations everywhere.
5. Project Management may have slid from second to fifth place this year, but that doesn’t mean it’s not still white-hot in the IT community (Dice’s Melland places it second only to mobile developers in his estimation of where the IT job action is at present).
6. Database Administration makes its way into the rankings from out of nowhere, thanks in large part to the zooming interest in and use of “Big Data” in organizations and businesses of all stripes. DBMS skills and knowledge have always been important, but now they are starting to gather some serious interest and financial value on the IT job market, too.
7. Security Compliance/Governance: Security has been important for the past decade or more, but understanding of security requirements, processes, and business import is gaining value and momentum, thanks to increasing adoption of governance and compliance regimes such as ITIL and COBIT, along with a growing set of government mandates to require attention to such things.
8. Business Intelligence/Analytics: ongoing emphasis on “Big Data” and data mining ensures continued interest in and added value for this burgeoning field (its fall from 5th place last year to 8th place this year simply shows that as IT job opportunities expand, it must make way for other, even hotter specialties).
In nearly every one of these areas you can find IT certifications that will help you stake out a presence. Check out my various “Top 5 Certification” and other stories for Tom’s IT Pro that relate to 7 of 8 of these topical specialties:
October 2, 2013 2:23 PM
Posted by: Ed Tittel
CompTIA’s follow-on credential to its Cloud Essentials certification — known as Cloud+ — is now up and running, with exams available from Pearson VUE, and prep materials available or announced via Amazon and other online e-tailers. CompTIA’s press release on this launch appeared yesterday (10/1/2013) to proclaim “CompTIA Cloud+ Certification Now Available Worldwide,” as its title baldly states.
CompTIA Cloud+ now available worldwide.
Recommended background for the new credential includes either or both of CompTIA’s Network+ and Storage+ (Powered by SNIA) credentials, along with at least 24-36 months of IT experience on the job with networking, storage, or data center administration. In an interesting malapropism the press release states that candidates “should be familiar with major hypervision technologies for virtualization…” (when of course they meant “hypervisor,” though I can’t help wondering what kind of eyewear I’d have to don to obtain the necessary degree of visual acuity!).
A quick Amazon search on “CompTIA Cloud+” currently turns up three items, only one of which is actually relevant to the Cloud+ credential (the other two are for Cloud Essentials) — namely: CompTIA Cloud+ Study Guide (Exam CV0-001), Certification Press/McGraw-Hill, by Nate Stammer and Scott Wilson (9/24/2013). I’m guessing that we’ll see more materials showing up in the next 90 days or so, particularly from some of the other major cert press players, including Pearson, Wiley/Sybex, and possibly also Syngress/Elsevier. Given how hot the subject matter is at the moment, and growing demand for cloud-qualified IT professionals, publishers, online courseware developers, and practice test providers will no doubt be falling all over themselves, and each other, to get some suitable products out the door. But if you want to get going right away, there’s at least one avenue for self-study already available.
September 27, 2013 1:35 PM
Posted by: Ed Tittel
Every now and then, a promotional offer related to careers and certification comes through my inbox that’s good enough to share with this blog’s readership. I’m happy to inform you folks that Barnes and Noble has a sale on careers and certification books up and running through the middle of October. There are 229 titles covered in this offer, which includes discounts of up to 45 percent off the publisher’s list prices. Be sure to check it out, if you’re in the market for any certification prep materials, including Cisco Press materials, All-in-Ones (Osborne/McGraw-Hill), Exam Crams (Pearson), Complete Study Guides (Sybex/Wiley), VMware Press, and a whole bunch more.
A great mix of cert prep titles from all parts of the landscape on sale thru mid-Oct at B&N!
You’ll find all the major CompTIA credentials represented, along with a good mix of Cisco, Microsoft, and VMware coverage as well. Plenty of information security items, too, mostly centered around big-name certs like CISSP, SANS GSEC, and Security+. And of course, popular credentials like the PMP, various Linux items, a handful of Oracle elements, and some cloud stuff also show up amidst the 8 pages of titles included in the offer. Again: if you’re in the market for a cert prep book (or e-book) bargain, be sure to check the sale pages out on the B&N site.