Feb 25

Anurag Agarwal had a posting in his blog about a new certification for Web Application Security Professionals. When I first saw the posting I was almost kind of excited. You can imagine my disappointment when I found out that the GIAC/SANS organization was going to be involved. To me it just seems like an excuse for SANS to try and charge an exorbitant amount of money for their certifications. Now, I am not knocking the instructors that teach at the SANS training. Most of them are very talented individuals with many years of experience. That isn’t the issue.

What I have a problem with is: what about people who already have the core competencies for the certification? These individuals would get absolutely nothing from taking the SANS training. I am sure the training is going to be targeted more toward newcomers to this space. For this scenario GIAC offers the certification challenge. I am not sure if you have looked up their costs to challenge their certifications or not, but it is rather laughable. I almost fell out of my chair laughing when I saw the new pricing, 899.00, which is a tricky way of saying 900.00. Are you kidding me? There is nothing special about their tests or credentials. I know, I have one. There cannot be that much overhead in the exam creation and maintenance. The CISSP doesn’t even cost that much, initially anyway. It just seems like another way for this organization to money grub. They are targeting people who work for organizations that pay for certifications for them and don’t necessarily question the amount of money spent. This basically shuns the little guy and the independents. To me, the GIAC certification challenge for Silver (which is purely automated, with no grading of papers) shouldn’t be more than 150 dollars. I think that is fair.

How should this be done?

I am not an expert in all things certification, but I would think you would have to start with the WASC taking complete ownership of this. Community experts should be queried for what they believe are the most important aspects of the field. You may even want to take a proven methodology based on OWASP as a framework for this as well. After that the exam objectives are defined. There may also be an experience requirement, so maybe people would have to prove 2 years of working in the field, or something such as that. Based on the exam objectives and the comprehensive nature of the exam, you have a panel of experts draft the questions for the exam. The exam delivery method should be one that doesn’t restrict people based on geographic limitations. This delivery method could be web based, Prometric, etc.

Structuring the exam in this manner would allow other organizations to provide training as well and not just lock in one vendor. This spreads the wealth a bit through the technology community. Also it would allow for a reasonably priced challenge for any professionals who are already proficient in this area.

3 Responses to “WASC and GIAC/SANS to Create a Certification for Web Application Security”

  1. Sigh. Ten years ago Nathan, you could create a certification by writing a bunch of questions and hanging out your shingle. Those days are gone (and that is a good thing). Today, to be considered acceptable quality you have to be compliant with ANSI 17024. While I do not agree with everything they demand, on the main, it is a pretty good benchmark. But it adds to the cost. The proctoring is the biggest driver. But it is considered standard practice today and you have to go with it.

    SANS and GIAC are separate corporations with separate missions. If you already know your web security stuff there is no point in taking a SANS course to take a GIAC exam.

    GIAC does not claim to be a subject matter expert in web security, we are counting on WASC for that. We claim to be subject matter experts in the business of certification.

    I completely agree that training should not be limited to one vendor. The specs for the exam will be posted for all the world to see as are the specs for the C and Java software security exams. There is zero possibility that SANS could scale to teach all the people that need training.

    The bottom line: the days of two guys and a dog 150 dollar certifications are nearly done. CompTIA and CEH are both racing (hearsay, I have no direct knowledge) to become ANSI certified. Yes, it will put the price point closer to 500 if proctored, but enough griping. When I hire a web programmer that can code fast and securely the price point starts at 100 an hour and that is when I get the friends and family rate. If you can earn the cash to pay for a trustmark in five hours it is not overpriced. Peace.

  2. Nathan says:

    Mr. Northcutt,
    Thank you for taking the time to comment in my measly, semi-complete blog. I realize that training costs money and it costs even more when you have talented people delivering that training. I really don’t have much of an opinion on the cost of the training. I think at times you get what you pay for. On the other hand, having a certification challenge cost 900.00 is over the top to me. This is especially true compared to other industry recognized certifications such as CISSP, CISA, etc. Although, there are maintenance fees associated with those certifications, they are considered the “industry standard” for certifications. I feel there is a happy medium between 150 and 900 dollars, especially if this certification is to become one of those “industry standards”. At the end of the day cost is a factor, especially when doing a cost benefit analysis on the certification.

    I also feel that if this is to be a recognized certification on web security it should be owned by WASC start to finish. They would be responsible for creation, delivery, and maintenance. Having it delivered by GIAC will make it just another “SANS” certification in the eyes of many people. I am not saying that view is either good or bad, it just is what it is. I know many experienced individuals in this space that will not have anything to do with the certification because of this fact. That is their deal. Anyway, just delivering my two cents on the subject.

    The lines between both GIAC and SANS are very blurry. Although they may be different organizations they are still viewed by most as the same organization. The reasons for the blurry lines are very apparent. I think it still locks in SANS as the sole vendor for training due to the fact that who would go to another vendor to prepare for a GIAC/SANS certification?

    As I mentioned previously, thank you for taking the time to comment. I am sure you have much on your plate.

  3. Dakingari says:

    SANS and GIAC are the same to me. I had the training AND exam paid for at the same time to SANS.
    I must say the training was very good, but to pay 900 USD for a Challenge exam is way over the top. I will not pay that if I am the one paying… but [sigh]… my company wants me to sit for the GIAC cert and add it to my CV… to make more money from our clients… [sigh again]. So off I go and 4 hrs later I have it. BTW I have over 15 years doing the stuff… so I am not a starter… and also about 10 odd certs with an MSc thrown into the mix…
