SANS DEV 522 (Defending Web Apps) and Certification Thoughts

December 30, 2019

I’ve had this a draft on this topic for a while and thought it would to be good to just let it go since all these events happened more than half a year ago.

At a previous job, I was super fortunate where my company sent me to take a SANS Institute course of web security. I had expressed interest in security to my then manager and he proposed I take SANS Institute’s DEV 522. Something something on being a wonderful advocate and he also convinced me to take the certification as well.

At the time, I was a frontend engineer but had some security background with prior involvement in the University of Michigan’s security course EECS388, various workshops (BSidesCLE - Malware Analysis and BlackHoodie - Intro Web App Security), and occasional dabbling in bug bounty.

DEV522: Defending Web Applications Security Essentials

DEV 522 is SANS answer to educating anyone involved with web applications to think about security. Like all SANS courses, this comes with a steep upfront cost. Between the class, hotel, and travel, this cost over $8,000 and a week of my time. I’ll discuss more below but I would generally not recommend someone take this class if paid out-of-pocket.

When you get onsite for the class, you are directed to pick up a bunch of SANS-published books. The class is roughly structured so you spend around 8 hours a day on each book adjusted for the pace of the class and instructor.

SANS textbooks

The strongest point of the class is the instructor. While we went through material in the books and workbook, the instructor interwove additional content based on his experiences in the security industry. The books are a good primer to web app security but one thing that stood out to me was that the space that things were taught in were a little dated and occasionally Microsoft-y.

While the books are said to have been updated pretty often, some of the content seemed old given the speed of the tech industry. Most things were general enough where it can be applied to in most circumstances but I found some of the content to be more hand-wavy and brief around things like modern web frameworks and cloud infrastructure security.

The books are good for general reference material. The instructor is where you’re going to find depth on topics discussed. The class itself is great for setting aside time so that you’re in a productive learning environment.

On the last day of the course, you’re involved in a guided CTF interactively going over all the content discussed the day prior. I was the first to finish in my class and received a challenge coin. :)

DEV 522 challenge coin

I was a big fan of the CTF since it forced you to think critically about what you just learned. There were workshops mixed in with the course material though I found them to be a little contrived. It was a fun way to end the course! All in all, the class was good. I would say that you should consider this course if:

  1. Your organization or someone is sponsoring you
  2. You have none or very little understanding of security in general

I found out that I knew more than what I thought I did with my prior experiences. Regardless I found it nice to spend a week away from coding to think about security.

GIAC Web Application Defender (GWEB)

The GIAC GWEB is a certification associated with DEV 522 and focuses on securing web apps and recognizing and resolving weaknesses within existing apps.

I’ll be frank, I didn’t study much for this certification. Like…I spent the 3 days at most. It was a mix of procrastination and feeling pretty solid already in my understanding of the material. I originally scheduled my exam to be a month after the course but I kept pushing it back until the very last week because life happens and I didn’t prioritize the certification at the time. Was definitely irresponsible, but hey, I passed.

But also at the same time, let me say this: this certification is not cheap. While I was fairly confident in my abilities, I was also incredibly anxious about the idea of failing. Losing hundreds of dollars like that just kinda hurts your soul.

Anyways, I referenced this guide to studying for GIAC tests. I did the following:

  1. Tabbed out the chapters in the given textbooks
  2. Created a table of topics and where it’s located in the textbook
  3. Created a table of various definitions and what pages it was mentioned in
  4. Re-read everything

Study material: tabbed books, topics table, definitions table

By far, 3 was the most useful. It was a nice way to quickly remember what something was and then have a way to dive deeper if necessary. 1 was the least useful. The indexes generally handled me finding pages more quickly. This was mostly useful to flipping to a page faster.

Once all that was done, SANS has two practice tests available. I took them and updated my reference material as needed. These tests are set up in nearly the same way as the actual test.

Day of the test — when you originally sign up for a test, you sign up for a local testing center. Mine was at a nearby high school. It was difficult to find the right place in the school and people were unsure what I was talking about when I asked where to go. Definitely get there early.

Once you’re all settled, you sit in front of a computer with the testing stuff on screen. Test comprises of a bunch of multiple choice questions that you have to complete within some time limit. It was…not great. Your mileage may vary but the environment really didn’t suit my testing-taking style. I like skipping around questions and answering what I’m most confident with first and storing less confident answers in the back of my head.

The testing software really didn’t allow for that. If I remember correctly, you could only skip and go back to a question 5 times for the entirety of the test. Once you answer a question and hit next, your answer is locked in forever.

I did pretty on par with what I got on the practice tests and I got an email shortly thereafter saying “congrats you passed”. Some weeks later got a nice framed physical certificate.

Framed certificate

All in all, this was a cool experience and I got a sweet little entry for the “Certificates” section on LinkedIn now.

So, do I think the GIAC GWEB is useful? Not particularly.

It’s a nice talking point but I don’t think it says much about your security knowledge outside of answering a bunch of multiple choice questions correctly. There are valuable parts I think like studying for the test and getting a feel for some of the breadth of knowledge that exists within security. It is however a nice conclusion to the end of a learning journey. Unless (A) it’s a job requirement or (B) your job is paying for the certification, it’s a nice-to-have but unnecessary.

And to just reiterate, my opinions on SANS classes and GIAC exams come from a n=1 state. I gave feedback on the exam and course a while ago so maybe things have changed. I’ve heard lovely things about other courses/exams and the organization itself does great things for the infosec community.

On the flip side, this was a cool experience if you’re at all interested in working in infosec. Despite the limited scope (web), the breadth of things taught gives you a feel for the field. The course helped me do a little vision planning on what I want to do in life and now I’ve transitioned into doing more security things as a career.

1/2/2019 edit: I forgot to put in my opinions on the certification so I added it above.

Hon Kwok
Getting my thoughts in order! 😎
TwitterPersonal Site