<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: WASC and GIAC/SANS to Create a Certification for Web Application Security</title>
	<atom:link href="http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/</link>
	<description>InfoSec / Critical Thinking / Misc Crap</description>
	<lastBuildDate>Sat, 27 Nov 2010 22:31:07 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.5</generator>
	<item>
		<title>By: Dakingari</title>
		<link>http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/comment-page-1/#comment-8418</link>
		<dc:creator>Dakingari</dc:creator>
		<pubDate>Sun, 15 Nov 2009 01:06:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/#comment-8418</guid>
		<description>SANS and GIAC are the same to me. I had the training AND exam paid for at the same time to SANS. 
I must say the training was very good but to pay 900 USD for a Challenge exam is way over the top. I will not pay that if I am the one paying ...but [sigh].. my company wants me to sit for the GIAC cert and add it to my CV .. to make more money from our clients... [sigh again]. so off I go and 4 hrs later I have it.. BTW I have over 15 years doing the stuff...so I am not a starter.. and also about 10 odd  certs with an MSc thrown into the mix...</description>
		<content:encoded><![CDATA[<p>SANS and GIAC are the same to me. I had the training AND exam paid for at the same time to SANS.<br />
I must say the training was very good but to pay 900 USD for a Challenge exam is way over the top. I will not pay that if I am the one paying &#8230;but [sigh].. my company wants me to sit for the GIAC cert and add it to my CV .. to make more money from our clients&#8230; [sigh again]. so off I go and 4 hrs later I have it.. BTW I have over 15 years doing the stuff&#8230;so I am not a starter.. and also about 10 odd  certs with an MSc thrown into the mix&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Nathan</title>
		<link>http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/comment-page-1/#comment-4</link>
		<dc:creator>Nathan</dc:creator>
		<pubDate>Wed, 27 Feb 2008 05:33:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/#comment-4</guid>
		<description>Mr. Northcutt,
Thank you for taking the time to comment in my measly, semi-complete blog. I realize that training costs money and it costs even more when you have talented people delivering that training. I really don&#039;t have much of an opinion on the cost of the training. I think at times you get what you pay for. On the other hand, having a certification challenge cost 900.00 is over the top to me. This is especially true compared to other industry recognized certifications such as CISSP, CISA, etc. Although, there are maintenance fees associated with those certifications, they are considered the &quot;industry standard&quot; for certifications. I feel there is a happy medium between 150 and 900 dollars, especially if this certification is to become one of those &quot;industry standards&quot;. At the end of the day cost is a factor, especially when doing a cost benefit analysis on the certification. 

I also feel that if this is to be a recognized certification on web security it should be owned by WASC start to finish. They would be responsible for creation, delivery, and maintenance. Having it delivered by GIAC will make it just another &quot;SANS&quot; certification in the eyes of many people. I am not saying that view is either good or bad, it just is what it is. I know many experienced individuals in this space that will not have anything to do with the certification because of this fact. That is their deal. Anyway just delivering my two cents on the subject. 

The lines between both GIAC and SANS are very blurry. Although they may be different organizations they are still viewed by most as the same organization. The reasons for the blurry lines are very apparent. I think it still locks in SANS as the sole vendor for training due to the fact that who would go to another vendor to prepare for a GIAC/SANS certification?

As I mentioned previously, thank you for taking the time to comment. I am sure you have much on your plate.</description>
		<content:encoded><![CDATA[<p>Mr. Northcutt,<br />
Thank you for taking the time to comment in my measly, semi-complete blog. I realize that training costs money and it costs even more when you have talented people delivering that training. I really don&#8217;t have much of an opinion on the cost of the training. I think at times you get what you pay for. On the other hand, having a certification challenge cost 900.00 is over the top to me. This is especially true compared to other industry recognized certifications such as CISSP, CISA, etc. Although, there are maintenance fees associated with those certifications, they are considered the &#8220;industry standard&#8221; for certifications. I feel there is a happy medium between 150 and 900 dollars, especially if this certification is to become one of those &#8220;industry standards&#8221;. At the end of the day cost is a factor, especially when doing a cost benefit analysis on the certification. </p>
<p>I also feel that if this is to be a recognized certification on web security it should be owned by WASC start to finish. They would be responsible for creation, delivery, and maintenance. Having it delivered by GIAC will make it just another &#8220;SANS&#8221; certification in the eyes of many people. I am not saying that view is either good or bad, it just is what it is. I know many experienced individuals in this space that will not have anything to do with the certification because of this fact. That is their deal. Anyway just delivering my two cents on the subject. </p>
<p>The lines between both GIAC and SANS are very blurry. Although they may be different organizations they are still viewed by most as the same organization. The reasons for the blurry lines are very apparent. I think it still locks in SANS as the sole vendor for training due to the fact that who would go to another vendor to prepare for a GIAC/SANS certification?</p>
<p>As I mentioned previously, thank you for taking the time to comment. I am sure you have much on your plate.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Stephen Northcutt</title>
		<link>http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/comment-page-1/#comment-3</link>
		<dc:creator>Stephen Northcutt</dc:creator>
		<pubDate>Tue, 26 Feb 2008 19:36:19 +0000</pubDate>
		<guid isPermaLink="false">http://www.neohaxor.org/2008/02/25/wasc-and-gaic-sans-to-create-a-certification-for-web-application-security/#comment-3</guid>
		<description>Sigh. Ten years ago Nathan, you could create a certification by writing a bunch of questions and hanging out your shingle. Those days are gone (and that is a good thing). Today, to be considered acceptable quality you have to be compliant with ANSI 17024. While I do not agree with everything they demand, on the main, it is a pretty good benchmark. But it adds to the cost. The proctoring is the biggest driver. But it is considered standard practice today and you have to go with it.

SANS and GIAC are separate corporations with separate missions. If you already know your web security stuff there is no point in taking a SANS course to take a GIAC exam.

GIAC does not claim to be a subject matter expert in web security, we are counting on WASC for that. We claim to be subject matters in the business of certification.

I completely agree that training should not be limited to one vendor. The specs for the exam will be posted for all the world to see as are the specs for the C and Java software security exams. There is zero possibility that SANS could scale to teach all the people that need training.

The bottom line, the days of two guys and a dog 150 dollar certifications are nearly done. CompTIA and CEH are both racing (hearsay, I have no direct knowledge) to become ANSI certified. Yes, it will put the price point closer to 500 if proctored, but enough griping. When I hire a web programmer that can code fast and securely the price point starts at 100 an hour and that is when I get the friends and family rate. If you can earn the cash to pay for a trustmark in five hours it is not overpriced. Peace.</description>
		<content:encoded><![CDATA[<p>Sigh. Ten years ago Nathan, you could create a certification by writing a bunch of questions and hanging out your shingle. Those days are gone (and that is a good thing). Today, to be considered acceptable quality you have to be compliant with ANSI 17024. While I do not agree with everything they demand, on the main, it is a pretty good benchmark. But it adds to the cost. The proctoring is the biggest driver. But it is considered standard practice today and you have to go with it.</p>
<p>SANS and GIAC are separate corporations with separate missions. If you already know your web security stuff there is no point in taking a SANS course to take a GIAC exam.</p>
<p>GIAC does not claim to be a subject matter expert in web security, we are counting on WASC for that. We claim to be subject matters in the business of certification.</p>
<p>I completely agree that training should not be limited to one vendor. The specs for the exam will be posted for all the world to see as are the specs for the C and Java software security exams. There is zero possibility that SANS could scale to teach all the people that need training.</p>
<p>The bottom line, the days of two guys and a dog 150 dollar certifications are nearly done. CompTIA and CEH are both racing (hearsay, I have no direct knowledge) to become ANSI certified. Yes, it will put the price point closer to 500 if proctored, but enough griping. When I hire a web programmer that can code fast and securely the price point starts at 100 an hour and that is when I get the friends and family rate. If you can earn the cash to pay for a trustmark in five hours it is not overpriced. Peace.</p>
]]></content:encoded>
	</item>
</channel>
</rss>

