Why I no longer endorse Offensive Security

2020-04-10 19:44 Ian Budd

Please note that the following post is my own opinion and I do not speak for our team or Nethemba s.r.o as a company on this matter.

Many people reading my previous blog entries and who communicate with me in the Offsec IRC may see me as a bit of an Offensive Security fanboy. I have taken OSCP, OSCE, and OSWP, all of which I recommended greatly at the time. A lot can change in a short time, however, and I am realising more and more that further Offensive Security experiences would be a mistake from a personal standpoint.

So what happened? There are a few things which prompted this decision and I will cover a subset of these below.

1. Misleading course/certification titles:

AWAE/OSWE – Offensive Security Web Expert.

The AWAE course covers whitebox testing fairly well. Code review is the focus of this course – but this makes one proficient in code review, not a web expert.

If one were to head into a job interview with the title ‘web expert’ proudly shown on their resume/CV and, when asked about SSRF, XSS filter bypass, WAF bypass methods, or ORM injection, return only a blank stare, then it begs the question what ‘web expert’ actually means in Offensive Security’s world.

Personally I am primarily a web tester and I can see that 90-95% of projects coming through our gates which are in the ‘web’ category are blackbox. I cannot state that this is the same for other companies but I would imagine it being so.

It is therefore interesting that covering the other 5-10% apparently makes one an expert in the field. Having said this, I think the AWAE/OSWE material, for what it is, is very informative and well put together. Besides, ‘Offsec Code Review Advanced Proficiency’ would abbreviate to OCRAP so it’s probably good to avoid that.

2. Unofficial/semi-official chat channels:

There was a time when OSCP was THE certification to aim for. Questions would be asked in the official IRC channel and these were met with the expected ‘Try Harder’. Try harder we would and eventually overcome our problem.

Having seen recently a couple of Discord and Telegram groups (and being incognito in them for a couple of months), most questions in these places are now met with ‘sure. PM me’. This goes against Offensive Security’s own guidelines yet there is now more of a publicly available group effort happening for Offsec courses which will lessen the experience for many taking part. These groups are not banned by Offensive Security, rather they have created the role of ‘community manager’ to sit in and observe in a much more lax environment where hints are apparently free to anyone who asks for them.

3. Unfair decisions regarding updates:

OSCP is all new for 2020 – 33% more lab and double the course material. All well and good. Every course eventually needs an update. Too bad, however, for those who started before February 11th 2020. Anyone starting from February 11th 2020 would gain access to this new material and anyone even a day before this receives a ‘Too bad. It is what it is’ (not an actual quote). Of course one can upgrade for $200 USD to new material but if Offensive Security certificates are valid for life, so should be updated material (for free for holders of the certificate) in order for their certificate to still be relevant.

If this is not the case then we will get to the point where employers will only be accepting certificates achieved after a certain date which ties in with a certain course iteration. This would force holders to re-certify anyway (which in itself may not be a totally bad thing).

This has led to many people asking me if I know of any upcoming updates for OSCE/OSWP (which are both quite outdated albeit really fun) and the general feeling of ‘I don’t want to register yet in case they update this year’. Perhaps some announcement of future updates would be a wise move from Offsec’s side as there were many students gaining OSCP in the latter half of 2019 who feel they missed out.

My list is multiple points longer; however, I wish to avoid this turning into a ramble/rant.

I have a few people asking me if I’m ‘gonna catch ’em all’ (re: Offsec certificates) but hopefully this will put that question out of people’s minds. I’m personally done with Offensive Security from this point; however, I wish those taking courses and exams all the best.