After months of studying and actively working in the field as a web penetration tester, I have earned the GIAC Web Application Penetration Tester certification. This exam covered 10 topics dealing with web application knowledge and known weaknesses.
It has been about 3 months since I took the SEC542 course that prepared me for this exam. I spent nearly 8 days in Las Vegas, day and night immersed in everything the SANS Institute training has to offer. Not only did I enjoy the day classes, I also went to all of the after-hours seminars to hear more talks on hacking.
Besides the amazing class, the highlight of my week was participating in the NetWars Tournament. It really put all the skills of my IT soul to the test: security knowledge in real-world scenarios.
I started this training under the direction of my department head. He wanted to leverage my existing web and IT knowledge to make me the web penetration tester for the organization. His instincts paid off, as identifying web application weaknesses did come naturally to me.
My instructor at the SANS training was Seth Misenar, and he did an amazing job in the class. He guided us through the SANS web testing methodology: Reconnaissance, Mapping, Discovery, and Exploitation. The information I received from the course was overwhelming and led me to continue poring through the course manuals for months afterwards to solidify my knowledge.
To be successful at this exam, my recommendation is that you take the training and understand what is being taught. It is not enough to simply remember the book; you have to understand what is going on and why.
This course and certification force you to think more like a developer. You have to be familiar with Python and JavaScript fundamentals to be successful. Python is the hacker's language of choice; JavaScript is the web developer's behavior language of choice. Understand the basics of both, and that will be a huge help.
There were 75 questions on the exam to be answered in 2 hours. Unlike most certification exams, it is open book, open note. However, if you have to look up every answer in the book, you will not finish in time. Do not assume that because it is open book the exam is easy, because it is definitely not. You must absolutely understand the material you are being tested on.
Since the exam is open book/note, I recommend developing a good index like this one: SANS 2015 SEC542 Advanced Web Pentesting Book Index
Index the books before you take your first practice exam and make adjustments afterwards. Then do the same after your second practice exam. That should go a long way toward helping you quickly reference some obscure material or trigger a thought you might be stuck on during the exam.
If you go out for the test soon, I wish you the best of luck!
Congratulations! I know this was not an easy accomplishment. Color me envious. I am hoping (I still haven't planned for it) to obtain the CSSLP this year.
One of my goals is to also receive my CISSP at the end of this year. That 1600-page "all in one" book is a tough pill to swallow. My sheer excitement to learn more about security is what has gotten me through it so far.
Good luck on your CSSLP, that looks like an awesome certification to have!
Hi,
I created exam notes for GWAPT. Interested people can go through this site:
http://learnitsecurity.blogspot.sg/p/giac-gwapt-certification-training.html
Have fun!
Searched Google for GWAPT practice exams and this was one of the top results. Hacker and SEO expert, apparently; update that LinkedIn. 😉 Hope all is well with you, buddy!
Hey Chris! That explains why I get so many hits on that article.
I am pretty heavily involved in the WordPress community; it comes with the territory 🙂 Hope you are doing well!