Certifications – Eric Walker

June 23, 2017December 29, 2019

PCI PA/P2PE certifications

Took the Payment Application (PA) Qualified Security Assessor (QSA) exam back in March, just a couple of weeks after taking the Point to Point Encryption (P2PE) QSA exam. Surprisingly they both seemed fairly easy tests, the P2PE was a little harder since I had to study up on some crypto information.

Had been trying for a few months to assist with some P2PE assessment work, but it seems that is not as easy as I had hoped. Had asked to shadow some people or assist on small projects, but got nothing. I then asked to work on PA assessment, was invited out to the Colorado office to learn the internal processes, and go over some documents. Was asked if I was interested in joining the PA team by hte managing principal.

Finally decided to stop trying to get into the P2PE team, and took an opportunity on the PA team. Applied for a Senior Consultant position, but was only transferred over as a IT security Consultant. Not exactly sure what the deal is with promoting me to Senior, especially since I have more experience then most Senior Consultants that I have worked with so far. But that battle is for another day.

Will see how things go with doing the PA assessments, they do not seem to be very difficult, most of the testing is easy. The pentesting portion is kind of a joke, as they do only minor tests against SQLi, XSS, CSRF and buffer overflows. Almost makes me miss doing the pentesting stuff, and the exploiting software vulnerabilities.

January 4, 2017December 29, 2019

Starting off 2017 right! (I hope…..)

Well its 2017 already, and I am not sure where 2016 went.

Last year I was extremely busy, traveling about every week and multiple ROC’s due weekly for my previous company. Never had enough time to actually do my job well or even think about fixing the issues that we had. Now that I am at Coalfire, I have plenty of time to do my job, with tons of resources to help me out. I am not traveling as much, which I sort of miss, hope that changes a little starting soon. Working from home is a little weird, not sure it is something I really like, miss the interactions with other people. Not that I do not like my family, its just getting out of the house for a little while and talking to other people with similar interests. Will be trying to get former colleagues to do lunch once in a while to at least try to keep up with whats going on.

This year is starting off fairly decent for me, since I am getting to attend two different training classes. First one is an ISO 27001 Lead Auditor certification course. I will be heading to Colorado for a few days. The class was supposed to be for junior associates that needed a certification to allow them to get their QSA. I asked if their was space I would like to attend, and I guess there was room for me. The second class is PCI P2PE certification, which will be a little harder from my perspective. Most of my cryptography experience is military related and not really geared towards the commercial sector. If I pass this course, I have been asked if I wanted to take the PA-DSS course and then possibly the PA-P2PE course. Since they are in need of people to assist in that area, I said why not. I am always willing to take training classes, certifications never hurt anyone.

So it looks like my first full ROC I am lead on will be a client that they have had for a while. This should be fairly nice to get to learn their methodology, and show my manager, I am able to do the work. I was brought in as a consultant, and not a senior consultant. That was something I had decided to do, I originally had interviewed for a senior security consultant position, but since they were willing to pay me the same for either position, I took the lower level position. I am sure some are going WTF, I would never do that. Well, I am more than capable to be a senior consultant, but If I come in as a junior level person and can show that I am very good at my job, I will more than likely get a promotion or possibly opportunities to do other stuff. Which is sort of what is happening already with the certification courses.

Well 2017, lets hope things keep rolling along smoothly…..

June 20, 2015December 29, 2019

PCI-QSA Training

Spent the past 2 days in Boston in the PCI-QSA training class. Taking the exam the last hour and a half of the class, but will not know the results until a week or two later. The Class was interesting, and I learned a little bit of information from the instructor on his perspective of doing assessments. I meat several interesting people, from all over the world, and working for different companies. I though it very interesting talking to the people working for the accounting firms, and how they were using the QSA certification with their clients. Most of them were doing just gap analysis and not actually signing ROCs for clients.

Well hope to hear if I passed….

April 19, 2015December 29, 2019

Passed the GWAPT cert

I took the SANS GIAC Web Application Penetration Tester (GWAPT) class back in December of 2014 in Washington DC with Eric Conrad. Have been procrastinating for several months before I had to finally break down and take the certification before my time expired in late April 2015.

Spent a few days going over the books to refresh me on the content that we went over, and took one of the practice exams and actually did not do too well on it. Never taking a SANS cert before I was not sure what to expect, and probably should have actually allowed for the 2 hours to sit the practice test. Rushed though it and guessed a lot of the questions, and did not remember going of half of the info. (Note to self actually read the questions and each answer and not just say that looks good.) Overall I was a little frustrated after the first practice exam, since I have been doing this for about 3 years now, and many of the questions seemed to be based on opinion, and not actual facts. Several of the questions had more to do with general penetration testing then actually web application testing, like needing to know the TTL from a DNS request for a domain name.

So read the books a few more days before taking the second practice test, which I did much better on, since I had some idea on what to expect on the test.Did rush though it again actually did the entire test in 48 minutes. Which is really not that great, but I just wanted to make sure I had some idea what they real test would be like. Two days later I sat for the actual GWAPT test, and planned to take my time and read every question throughly.

Sat for the exam on April 9, 2015. Finished the test and passed it fairly easily, but was some what perplexed that it had nothing similar to the practice tests. It seemed the the practice exams had nothing to do with the the actual exam. Many of the questions were topics that were in the books, but never brought up in the practice tests. Which frustrated me a little, since I had to spend a little more time looking for some of the answers, that I had not really gone over previously.

So anyone planning on sitting the exam, and that has not taken a SANS cert before, plan accordingly to make sure you know all of the content in the books. Do not expect that the practice exams will actually prepare you for the real test, it might actually make you study information that is never asked on the exam.

December 20, 2014December 29, 2019

SANS SEC 542 – Washington DC CDI

Attended SANS SEC 542 Web App Penetration Testing and Ethical Hacking class in Washington DC at the Grand Hyatt from December 12 – 17 2014.

The instructor was Eric Conrad, and the class was fairly decent, and is a good start for anyone wanting to learn web application pentesting. I already had some extensive knowledge of web app testing, but decide to take the course anyways to see what SANS course were like.

Learned a few things, but primarily new most of the course material, most of the new things I learned are tool related. I do not usually use ZAP or W3AF, and since we used them in class I learned a few things about them and their capabilities.

There was a wide variety of people in the class, with about 30 students in the class room and about 15 online students. We had some that had no pentesting abilities, and some with a couple years experience.

The class was a six day course:

DAY 1 : Attacker’s View, Pentesting and Scoping

DAY 2 : Recon & Mapping

DAY 3 : Discovery

DAY 4 : Discovery Continued

DAY 5 : Exploitation

DAY 6 : Capture the Flag

My team completed the CTF first, but Eric Conrad could not decide who yelled out first so he called it a tie with the team sitting just behind us.

The biggest things I learned from the class was actually not taught in the class room, it was talking to the people there who are doing pentesting and works in the security community. Plus the additional talks that were held after classes were well worth staying up late and not going sight seeing around DC.

Now I just need to figure out how to get my boss to allow me to attend another one next year.