For yet another sign that Web-based applications are growing in importance and use, the SANS Global Information Assurance Certification (GIAC) program has added a new credential to its line-up. The GIAC Web Application Penetration Tester, or GWAPT, seeks to train security professionals to analyze and evaluate the security risks that Web applications may pose within organizations, and to help those organizations take the steps necessary to mitigate and address them.
The GWAPT is among a handful of certs oriented toward improving security for web-based applications.
Like most GIAC credentials, earning the GWAPT means passing a single exam (75 questions, 2 hours, 70% cut score). The credential’s stated objective is to help organizations find and close “web app holes” which
“…have resulted in the theft of millions of credit cards, major financial loss, and damaged reputations for hundreds of enterprises. The number of computers compromised by visiting web sites altered by attackers is too high to count. This certification measures an individual’s understanding of web application exploits and penetration testing methodology. Check your web applications for holes before the bad guys do.” [Italics mine, for emphasis.]
Other certifications in and around this rapidly growing area include:
- GIAC Certified Web Application Defender (GWEB): aims at the development side of web security, but also embraces security analysts, auditors, penetration testers, and other security professionals in its coverage
- (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP) advertises itself primarily as a “Web Application Security Certification” and covers the entire development and maintenance lifecycle for software of all kinds.
- Offensive Security Web Expert (OSWE) bills itself as “an entirely hands-on web application penetration testing security certification” that includes both pen testing and code audit coverage, in the context of a 24-hour examination wherein candidates must successfully audit and penetrate specific targets
- Certified Application Security Tester (CAST), a relatively little-known credential from 7Safe (a PA Group company and multi-national infosec, forensics and training firm), is billed as the “ultimate advanced level application security testing certification” and a “web application testing certification.” It is a capstone to the same company’s “foundation level” Certified Security Testing Professional (CSTP) credential, also described as a “web application penetration testing certification.”
- The Institute of Information Security offers the Certified Web Application Security Professional (CWASP) credential, which covers the basics of application security, security enforcement for web apps, basics of threat modeling and profiling, and more, from the organization that created the highly-regarded Open Web Application Security Project (OWASP)
- Mile2 offers the Certified Secure Web Application Engineer (CSWAE) credential, designed to help candidates master the skills, knowledge, and tools “needed to identify and defend against security vulnerabilities in software applications,” including significant hands-on lab content in its training and a live hacking exercise during the cert exam
- The Information Assurance Certification Review Board (IACRB) offers a Certified Application Security Specialist (CASS) credential whose general application security curriculum includes significant coverage of web-based applications; it focuses on audit and testing of source code and on tried-and-true analysis and penetration testing techniques, along with extensive knowledge of the threat landscape, past, present, and emerging
- Even CompTIA’s Mobile App Security+ puts most of its emphasis on network communications and backend web services, while focusing front-end efforts on Android or iOS for mobile applications security coverage
With at least nine such credentials to choose from, and perhaps more I have yet to uncover, one thing’s for sure: there’s no shortage of options. My own inclinations are to put the items from GIAC, (ISC)2, and the CWASP (because of its association with the OWASP project) at the top of this list, though all of the purveyors seem to be covering the subject matter with appropriate depth and seriousness. If you know of other items I have missed, please comment here or send me an e-mail (visit edtittel.com for a contact link) and let me know. TIA!