Thursday, February 21, 2008

Certification for Web Application Security Professional

The Web Application Security Consortium (WASC) and SANS have partnered to define, train, test and certify web application security professionals. WASC is a leading web application security organization and SANS is a leader in training and certification. Together they have the subject matter expertise and the process expertise to make this a success.

Why do we need this certification?

As more and more software moves to a Web-based delivery model, modern applications are becoming increasingly sophisticated and vital to business. With online business come a number of new security risks, which are exacerbated by immature Web application security programs.

With 9 out of 10 websites having vulnerabilities, the security state of the Web is dire. For lack of options, many people are being hired into web application security positions without a solid understanding of the attack techniques or of the defense strategies that match them. Newcomers are often confused by the complexities involved and want something that will help them think like an attacker, recognize attacker tactics, and thwart their attacks.
The certification will help professionals entering the field get a firm grasp of what is required of them and come up to speed on the in-depth knowledge of web application security.

What is this certification about?

This certification enables web application security professionals to demonstrate their skills to potential employers, customers or vendors, and it helps employers evaluate the qualifications of prospective candidates. Those certified are required to possess a quality baseline set of skills to be considered web application security professionals.

We are conducting a survey of the topics to be covered in the certification. If you have experience in the web application security industry, please spare a few minutes to take part in this survey.


Andre Gironda said...

I have zero faith in WASC or SANS to execute on this and turn it into something good or worthwhile. However, I did participate and will provide help as necessary.

Anurag Agarwal said...

Hi Andre,

WASC is going to define the standard, anyone can do the training and SANS will conduct the test and provide certification. WASC does not have the infrastructure to do testing and certification and neither does it have the inclination to go down that road. We want to enable organizations to find the right skillset and individuals to learn and showcase their skills.

Anurag Agarwal said...

Ryan Barnett corrected me. It's GIAC that does the testing and certification. SANS does the training.

James Landis said...

Good luck! I hope the result of this is a certification that is actually worthy of respect and not just another "I took a one week class and paid someone $400 for a piece of paper". Long gone are the days of the CCIE with multi-day tests and hands-on practical exams. Is SANS really the organization to provide that level of credibility to a certification?

Ryan said...

James - I agree with your comment. Nobody wants a webappsec version of CISSP. SANS's approach to training has always been much more practical, hands-on and based around actually "doing something." As for the CCIE, I agree and that is why SANS/GIAC developed the GSE certification that includes a multi-day in person assessment with hands-on labs. I am hoping that this certification will be something similar to the GSE-Malware cert -

Brian S said...

It would be nice if the certification exam was not connected to the SANS-specific training. This way any person or company could develop and provide their own training classes and students wouldn't have the SANS classes as the only option for certification. As long as the class covers a certain range of material, the students should be prepared for the certification exam. SANS training is good, but it shouldn't be the only route to certification.

Anurag Agarwal said...

Brian -

This is exactly how it is. WASC defines the criteria. Anybody can do the training. GIAC/SANS does the testing/certification.

Anant said...

Hello Anurag,

Any idea by when GIAC is starting off with this certification? Have they announced the details or are they still at the initial stages?


Anonymous said...

What about GIAC Web Application Security (GWAS)? Is it deprecated now? Seems SANS/GIAC want money.

Anurag Agarwal said...

I would like to clarify a couple of things here.
- WASC will define the standards.
- Training can be provided by anyone as long as they follow the standard.
- Testing/Certification will be provided by GIAC.

I am not sure about other certifications provided by GIAC. I think SANS/GIAC will be in a better position to answer that. From WASC's point of view, our scope is limited to this certification.

CG said...

Is WASC going to be certifying other people's training to ensure it meets the standards and objectives of the exam?

Otherwise it may be a lot easier for the person that creates and administers the test to create the training.

aung khant said...

Certifications from are relatively expensive and can't be suitable for the poor and the have-nots. An OWASP cert should also be available through Prometric and Pearson VUE.

Rafal said...

I think a certification for Web Application Security is a good idea. I think that executing it at any level other than high-level will be extremely difficult - given the different languages, conventions, frameworks and requirements it's nearly impossible to go down under the surface of the concepts.
I'm not necessarily against this idea, in fact I know it's needed, but I'm skeptical that we have the ability to create a session/class that's time-effective and technically effective.

Thanks for putting in the time.

deesha said...

I am new to security testing. Can anyone tell me what kind of certification I should go for that can help me with security testing?

Anshul Sood said...

Hi Anurag,
I'm new to app-sec and wanted to pursue a career in it. Can you suggest some training paths, self-study material, etc., for beginners like me?