October 28, 2013 8:40 PM
Posted by: Ed Tittel
This weekend my family took a trip to the DC area to celebrate my Dad’s 90th birthday. We were about two weeks behind his actual nativity, because I’d run into some work-related conflicts. But, better late than not at all, we took a long weekend in northern Virginia and nearby environs to spend time with family, catch up on old times and new, and see some genuine fall foliage on bright and showy display (not something we get too much of down here in central Texas). On Sunday morning, 7 of us piled into my sister’s van to go watch her son compete at a nearby gymnastics meet in Gaithersburg, MD, and also to enjoy a day of gadding about together as a family.
While at the meet I ran into a recently retired Navy veteran who had just completed his 30 years in the service, and moved back to the DC area from Hawaii to re-establish connections with his wife’s family, and to find himself a job in the teeming Washington DC metro area. He’d worked for a decade or more in information warfare roles, so I expected to hear that his job hunt turned into a quick and painless slam dunk. Given his various combat tours, high-level security clearances, and strong, relevant InfoSec experience on the job, I figured he would have his choice of plum assignments from a nearly limitless list of opportunities with the countless Beltway bandits, consulting companies, and security specialist firms that make themselves at home near the seat of the US government and its intelligence community.
“Not so!” said he. Having entered the service at age 20, and never having completed a college degree or earned a timely or topical InfoSec certification (CISSP was the first target out of his mouth when I allowed as how I knew a little bit about IT certification in general, and InfoSec credentials in particular), he indicated that earning certification was high on his priority list. In fact, he wanted to sign up for a boot camp course on CISSP (a one- to two-week-long intensive training class on CISSP concepts, terminology, and subject matter) but was afraid that with several potential job offers in the offing he’d find himself in a situation of having to demur from a “can you start tomorrow” kind of offer because of making a prior commitment to a boot camp class.
At the time, I didn’t really have the opportunity to pause and reflect on his situation (we were all watching family members compete on the floor of the gymnasium, each with our own favorites to cheer for), so I didn’t chime in with advice or suggestions. Now that I’ve had time to do that, I have to say that any hiring organization would probably be more pleased than otherwise to hear that somebody they wished to hire for a specific job role related to information security was undertaking a boot camp on a hot, relevant certification at his own expense on his own time. I can’t be 100% sure that my intuition is correct, but my intuition does tell me that most such organizations would be inclined to say “Fine, we’ll set your start date right after you finish the class, and pass the exam.” How could they not, since they’re getting an employee who’s been made more valuable by taking the time and expending the effort to obtain a high-demand certification between the time of an interview and background check and the extension of a job offer?
This leads me directly to the point of today’s blog as well, as expressed in its title. If you want to get ahead, or develop your career potential and prospects, you have to put in some time and effort, and probably even spend a little of your own hard-earned cash, to help push yourself up to the next level of career attainment and capability. Don’t put off or push back what you can do sooner, even if it means having to delay important stuff — and certainly finding a job is about as important as it gets for a family man living in an expensive part of the country with a family to support, a house to buy, and a civilian career to get underway. Just don’t let any of this stop you from doing what you must to boost your credibility or capability in your chosen field of work. If you do, you’ll end up losing more than you gain in the long run.
October 23, 2013 2:10 PM
Posted by: Ed Tittel
Normally, the US Bureau of Labor Statistics posts its monthly employment figures on the first Friday of the month, and occasionally a week later when the beginning of the month falls on or near a Friday. This month, thanks to the US Government shut-down, it’s been more seriously delayed. I’d been checking into the US BLS website on an on-and-off basis, but I found out yesterday that the September employment situation summary was available when commentators started to discuss its contents on a newscast around mid-day yesterday as I was driving in my car.
Another month of modest employment gains shows we’re still in slow growth mode, employment-wise.
Here’s the skinny: employment continues to edge up slightly month-over-month, with a modest increase of only 148,000 jobs for September, 2013. Even so, the unemployment rate edged down from 7.3 percent in August to 7.2 percent in September (Whoopee!). According to Table A-14, the information sector shows a nice improvement, down from 7.3 percent in September 2012 to 6.6 percent the same time this year (and from 205,000 unemployed to 189,000 unemployed in the sector in those same months). Revisions to earlier months show both losses and gains: the July numbers went down from 104,000 to 89,000, while those for August went up from 169,000 to 193,000, for a net gain of 9,000 over previously reported numbers.
I’m still not seeing any huge rays of hope for the 11.2 million Americans still counted as officially unemployed. Along with another 2-3 million discouraged workers who’ve more or less withdrawn from the workforce, they’re not likely to take much heart from such anemic growth numbers. At 150,000 – 200,000 new jobs per month, we can just about keep up with new entrants to the workforce, which means that whole backlog is likely to experience little or no relief for the foreseeable future. We really need job growth numbers of 300,000 or higher per month to start soaking up this vast reserve of unemployed workers. Keep your fingers crossed. Until a miracle happens, the old, familiar “Hunker down” mentality is likely to persist, among employers and employees alike.
October 21, 2013 2:46 PM
Posted by: Ed Tittel
Last week, the latest CompTIA certification went live, as the Mobile App Security+ exam became available on October 15. This credential seeks to address the need to develop, test, and deliver native iOS or Android applications (the test comes in two flavors, one for each of these market-leading mobile device runtime environments) that are designed and built for security, including also secure network communications and back-end web services in the overall security frame.
As of last week, Mobile App Security+ is up and running.
There’s a strong industry movement afoot at the moment to boost security, not just for mobile applications in particular, but also for the ever-increasing number of web-based applications in everyday use. This applies to a large number of cloud-based applications (and is the typical foundation for Software-as-a-Service, or SaaS, offerings) but also to an even more sizeable population of custom code developed in businesses and organizations of all sizes and scales.
I alluded to this overall phenomenon in my Friday blog post right here, entitled “SANS Adds Web App Pen Test Cert to Line-Up,” which makes mention of 9 IT certifications from numerous organizations, all of which seek to boost security for Web-based applications, mobile and otherwise. I’d be very surprised if we don’t see more such certifications popping up on the security landscape, both with mobile and more general application orientations. Why? Because that’s where the real traction in application development, delivery, and deployment is nowadays, and thus also, where the biggest security risks lie (not to mention the added risks inherent to a highly distributed and Internet-based information architecture).
October 18, 2013 1:58 PM
Posted by: Ed Tittel
For yet another sign that Web-based applications are growing in importance and use, the SANS Global Information Assurance Certification (GIAC) program has added a new credential to its line-up. The GIAC Web Application Penetration Tester, or GWAPT, seeks to train security professionals to analyze and evaluate the security risks that Web applications may pose within organizations, and to help those organizations take the steps necessary to mitigate and address them.
The GWAPT is among a handful of certs oriented toward improving security for web-based applications.
Like most GIAC credentials, earning the GWAPT means passing a single exam (75 questions, 2 hours, 70% cut score). The credential’s stated objective is to help organizations find and close “web app holes” which
“…have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting web sites altered by attackers is too high to count. This certification measures an individual’s understanding of web application exploits and penetration testing methodology. Check your web applications for holes before the bad guys do.” [Italics mine, for emphasis.]
Other certifications in and around this rapidly growing area include:
- GIAC Certified Web Application Defender (GWEB): aims at the development side of web security, but also embraces security analysts, auditors, penetration testers, and other security professionals in its coverage
- (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP) advertises itself primarily as a “Web Application Security Certification” and covers the entire development and maintenance lifecycle for software of all kinds.
- Offensive Security Web Expert (OSWE) bills itself as “an entirely hands-on web application penetration testing security certification” that includes both pen testing and code audit coverage, in the context of a 24-hour examination wherein candidates must successfully audit and penetrate specific targets
- Certified Application Security Tester (CAST), a relatively little-known credential from 7Safe, a multi-national infosec, forensics and training company that is part of PA Group, bills itself as an “ultimate advanced level application security testing certification” and a “web application testing certification.” This is a capstone to the same company’s “foundation level” Certified Security Testing Professional (CSTP) credential, also described as a “web application penetration testing certification.”
- The Institute of Information Security offers the Certified Web Application Security Professional (CWASP) credential, which covers the basics of application security, security enforcement for web apps, basics of threat modeling and profiling, and more, from the organization that created the highly-regarded Open Web Application Security Project (OWASP)
- Mile2 offers the Certified Secure Web Application Engineer (CSWAE) credential, designed to help candidates master the skills, knowledge, and tools “needed to identify and defend against security vulnerabilities in software applications” including significant hands-on lab content in its training, and a live hacking exercise during the cert exam
- The Information Assurance Certification Review Board (IACRB) offers a Certified Application Security Specialist (CASS) credential that includes significant coverage of web-based applications in its general application security curriculum that focuses on audit and testing of source code, and tried-and-true analysis and penetration testing techniques, along with extensive knowledge of the threat landscape, past, present, and emerging
- Even CompTIA’s Mobile App Security+ puts most of its emphasis on network communications and backend web services, while focusing front-end efforts on Android or iOS for mobile applications security coverage
With at least nine such credentials to choose from, and perhaps more I have yet to uncover, one thing’s for sure: there’s no shortage of options from which to choose. My own inclinations are to put items from GIAC, (ISC)2, and the CWASP (because of its association with the OWASP project) at the top of this list, though all of the purveyors seem to be covering the subject matter with appropriate depth and seriousness. If you know of other items I have missed, please comment here or send me an e-mail (visit edtittel.com for a contact link) and let me know. TIA!
October 16, 2013 1:50 PM
Posted by: Ed Tittel
In visiting the Born to Learn blog this morning on the never-ending search for blog fodder, I was reminded that certain tried-and-true certification exam preparation routines — or what I refer to as “the Drill” in this blog’s title — remain as relevant today as they were when I myself first ventured into IT certification back in the mid-1990s, nearly two decades ago. The post under discussion is entitled “Passed 410! My experience,” and comes from Shaun Tompkins, a full-time network administrator from the London metropolitan area in the UK.
With tongue in cheek, I provide an image of an old-fashioned hand drill to stand for a tried-and-true sequence of cert exam preparation maneuvers.
[Image Credit: Shutterstock 100673161]
There are three interesting things about Mr. Tompkins’ blog post that made it well worth the reading. First, he jumped on the exam date because he was running out of time to exercise his Second Shot option (a not unheard-of experience for many of us, including me). Second, even though he expected to fail the exam, he ended up passing, apparently because his partial preparation was enough to permit him to squeak out a passing score. Third, he recites a nice but incomplete rendition of “the old, familiar drill” in preparing for a cert exam, upon which I’d like to expand just a little.
The elements of his preparation for the Microsoft 70-410 exam (“Installing and Configuring Windows Server 2012,” the first of the 70-410, 411, and 412 trio required to earn the MCSA: Windows Server 2012, and a pre-requisite for MCSE: Server Infrastructure, MCSE: Desktop Infrastructure, and MCSE: Private Cloud) included the MS Press 70-410 Exam Ref book, a set of MeasureUp practice exams, some TrainSignal training videos, and a set of hands-on activities that included downloading and installing Windows Server 2012, and working with virtual machines on Hyper-V Server and in the Hyper-V role for Windows Server 2012.
His plans for preparing for the next exam in the sequence — namely, 70-411 — are equally interesting: to revisit areas of weakness encountered on the 410 exam, to read through the 70-411 Exam Ref, to use exam objectives and the Born to Learn wiki to establish study points and areas of focus, work through more TrainSignal videos and MeasureUp practice tests. He goes on to observe further that “supplementing the book with the videos gives me confidence, and practice exams are always a good study supplement.”
This ends up being a fair partial description of what I’ve long perceived as the old, familiar drill in prepping for cert exams, which I’ll lay out in the form of a bulleted list that includes pointers for cycling back as required to earlier elements in the list:
- Download and review exam objectives to identify areas of familiarity, areas where additional study is needed, and entirely new areas where unfamiliar subjects must be learned and then mastered
- Survey the learning and training materials available to you — these can include classroom, online or video training, full-length books (Study Guides), focused exam prep books (Exam Crams), practice tests, flash cards, simulators or virtualized runtime environments for practice, and more — to help you assemble the learning, study, and practice tools you need for exam preparation
- Take a first practice test to identify areas of ignorance (no knowledge) or weakness (some knowledge, but not enough to get past all related questions)
- Start your reading and study by working systematically through a Study Guide (a detailed, full-length book on the exam) to get a sense of the exam’s complete scope and coverage (skim areas where you’re already familiar and comfortable, dig in depth into new areas or areas of weakness)
- Take another practice test to gauge learning and to identify areas for more in-depth study
- Return to the Study Guide and dig deeply and fully into areas where learning is required, whether for new topics or areas of weakness. Be sure to complete all hands-on exercises, and to bounce between the runtime version of things on a system or network and the discussion of things in the books, videos, and other training materials at your disposal.
- Cycle around the preceding two steps until your practice test score beats the required passing score by 5-10 percent (this gives you a margin you may need when test anxiety in the testing center causes an almost-inevitable decrease in exam performance when taking “the real thing”). As you have questions and concerns, you can turn to additional training materials as you find you need them, and to online communities (like the Born to Learn forums, the many Windows forums online, social.Microsoft.com, the TechNet forums, and other active user-driven areas where technical topics relevant to certification are constantly under discussion).
- As soon as you reach your goal, schedule your exam as soon thereafter as possible
- Take the exam
- Pass or fail, after the exam is over, sit down and record your impressions, especially as they relate to questions you didn’t understand, found surprising, or that introduced topics, tools, or techniques with which you didn’t feel entirely comfortable. If you need a retake this will help guide your preparation for the next try; if you passed, it will identify areas you need to attend to for subsequent exams or on-the-job deployment of your skills and knowledge
And that, my friends, is the veritable “old, familiar drill” for preparing for a certification exam. If you put it to work for yourself, carefully and systematically, it will ultimately lead you to a passing score, and likewise to earning those certs you seek!
October 14, 2013 3:17 PM
Posted by: Ed Tittel
As I noodled about for today’s blog topic, I found myself digging into the Website of the European e-Skills Association, thanks to a report on the Linux Professional Institute’s announcement that it had joined the organization earlier this year that appeared in the latest GoCertify.com Certification Watch newsletter (Vol 16 #8). It seems that this international not-for-profit organization, formed under Belgian law in June 2007, and usually abbreviated as EeSA, has morphed itself into “a broad stakeholder organization that is committed to e-Skills in Europe, and to working with other major stakeholders in the drive towards growth, innovation, and promoting skills in Europe.” Their vision might be best summed up as promoting and boosting e-skills that include digital literacy, in the belief that doing so will enable European success at both individual and business levels “to foster creativity, promote education, increase potential, drive growth, and take advantage of career opportunities in all sectors across the region.” To me, this smacks rather nicely of the European equivalent of what we here in the USA often refer to as “Motherhood and apple pie,” universal nostrums for feeling good and achieving success.
Another European initiative? You bet, and this one aims to promote digital literacy and general computing skills and knowledge.
At this point, I sincerely hope you’re wondering “What does all this have to do with IT certification?” The key to understanding the outlines for an answer to this question — though details on how all this will play out are still somewhat murky — comes from the EeSA’s mission statement, which reads in part as follows:
Through its members, EeSA promotes the exchange of ideas, awareness raising and good practices at EU and Member State levels; it supports the development of tools and methodologies for the governance of e-skills; and it leads the implementation of concrete e-skills activities in cooperation with other stakeholders. [Source]
The recent LPI press release on their joining the organization sheds more light on what’s up than I could find addressed directly on the EeSA website, starting with that 10/10/2013 document’s title “Update on European e-Skills: ‘Quality labels’ for IT certification.” A recitation of key members of the organization adds some well-known names, including Cisco, CompTIA, EXIN, HP, LPI, Microsoft, and Oracle to the mix, along with the Council of European Professional Informatics Societies (CEPIS) and the European CIO Association. And in fact, LPI has worked with EeSA on IT skill standards to help define a pan-European e-Competence Framework (e-CF) and a so-called “e-skills Quality Labels” program. The idea here is to provide more information to help guide those preparing to enter the IT workforce, or to advance an IT career, “to make informed choices around education, training and certification.”
The recent report in which LPI was involved, entitled “ICT Certification in Europe: Part 2: ICT Certification in Action,” recognized a total of 74 popular industry certification credentials as “accepted and approved” according to the criteria developed as part of the eSkills Landscape Service, which itself includes 50 training and certification programs from the likes of Microsoft, Certiport, CompTIA, EXIN/ITIL, Oracle, Novell/Suse, LPI, Citrix, Red Hat, Cisco, PMI, and others, spanning those 74 individual certification credentials.
The aim of the overall effort is to help practicing and prospective IT professionals with an online self-assessment tool and web portal so they can “distinguish high-quality certifications from those of questionable value” (a dilemma that I can definitely relate to, and that I address regularly in examining and evaluating new certification programs and credentials that pop up with great frequency nowadays). This is an effort worth watching, and checking into periodically, especially as the range of programs and offerings expands to cover more of the overall IT landscape. I’ll also be very interested to see a detailed list of all the certs (a total of 22 from Microsoft, and 13 from CompTIA, for example) that made this grade, along with more information on the criteria used to achieve the “accepted and approved” status to which no doubt all IT certs would like to aspire.
October 11, 2013 2:44 PM
Posted by: Ed Tittel
Thanks to a posting at Born to Learn yesterday, we now know that several Windows Store Apps exams will get an update in the wake of the upcoming release of Windows 8.1 next week, along with the forthcoming update to Visual Studio for 2013. Larry Kaye posted the following list of affected exams yesterday in a piece entitled “Exam/Certification Update 2: MCSD: Windows Store Apps“:
Heading from recent BTL post notifying candidates of upcoming changes to MCSE: Windows Store Apps.
In addition, MS has already posted “details on the exam updates” in a series of PDF download files linked on each of the preceding Web pages. These take the form of a set of Exam objectives, where the left-hand column is labeled “Tasks currently measured” and the right-hand column “Tasks to be added/changed in November 2013.” This makes it very easy for exam candidates to get information about what’s new and changed in these exams, and represents a welcome collection of information from Microsoft Learning to help ease the transition to the new exam content and coverage. A hasty scan of these PDF documents shows that about half of the individual tasks are subjected to adds and changes, so that those who’ve already started preparation under the old regime don’t seem to face a huge amount of work to sit for the newer exams instead. If any of these exams are in YOUR future, you’ll want to check out the blog post, and the exam page additions, at your earliest convenience: November is not really that far away!
October 9, 2013 1:39 PM
Posted by: Ed Tittel
A recent blurb in GoCertify’s Certification Watch (Vol 16 #7) clued us into an interesting side effect of the recent government shutdown, now into its second week. The item is entitled “Your Government Is Not Available,” and discloses that Pearson VUE — one of two major global IT (and other) cert testing organizations — operates authorized testing centers on numerous US Military bases and at other government-run locations.
Here’s a special notice to which government IT pros with imminent cert exam plans may want to attend.
A “Special Notice” on the Pearson VUE homepage currently reads:
A US Government shutdown could result in the closure of certain Pearson VUE Authorized Test Centers located on US military or government sites as well as affect other test appointments of Service Members and federal employees.
In an attached Special Notice, Pearson VUE reports that it continues to monitor the situation closely and will contact any appointment holders who may be affected by this aspect of the shutdown to help them reschedule exam appointments or locations. It also indicates that potentially affected test candidates can contact their testing centers to make alternate arrangements, but also points out that those unable to reach such test centers — themselves likely to be inoperative thanks to the same shutdown — can contact any Pearson VUE customer call center instead.
Whoda thunk it? Government shutdown stymies IT certification plans for military personnel and government contractors? Just goes to show you that the definition of “essential personnel” can’t always be stretched far enough to cover what IT professionals are bound to think of as both essential and important, no matter what Congress and/or the Executive Branch may dictate!
October 7, 2013 1:33 PM
Posted by: Ed Tittel
As of last Friday, Microsoft now offers a very nice discount — it amounts to a “buy 2, get one more free” — on exams for three different MCSEs that focus on Windows Server 2012 (which will soon mean Windows Server 2012 R2, when that new version hits its GA date on October 17/18). Thus, the following MCSEs and related exams are covered:
If you qualify for the 70-417 Upgrade exam, you can now buy into one of these MCSEs for $300 (the price of two MS cert exams).
1. MCSE: Server Infrastructure — Exams 70-413, -414, and -417 (the upgrade exam itself)
2. MCSE: Desktop Infrastructure — Exams 70-415, -416, and -417 (the upgrade exam again)
3. MCSE: Private Cloud — Exams 70-246, -247, and -417 (the upgrade exam one more time)
The obvious connection among the three credentials is the 70-417 exam, whose title provides further clues as to the nature of this offer: “Upgrading Your Skills to MCSA Windows Server 2012.” That is, only those prior MS cert holders who are eligible to take the 70-417 exam are also eligible for this deal. To spell things out completely, that means only those who already hold one or more of the following credentials can take advantage of this admittedly tasty offer:
- MCSA: Windows Server 2008
- MCITP: Virtualization Administrator
- MCITP: Enterprise Messaging Administrator
- MCITP: Lync Server Administrator
- MCITP: SharePoint Administrator
- MCITP: Enterprise Desktop Administrator
Exercising the discount offer requires signing up for an “upgrade pack,” for which the purchase period expires on May 14, 2014. Those who buy into the deal then have until the end of 2014 (December 31, 2014 to be exact) to finish using all the exam vouchers and free retakes (each exam in the upgrade pack qualifies for Second Shot treatment, which makes a very good deal even better, if you ask me).