Kilala.nl - Personal website of Tess Sluijter


CFR 410: quick follow-up

2023-03-29 21:41:00

As a quick follow-up to this week's post about CSC 210 and CFR 410: I've now also gone through the majority of the course book for CFR 410. 

Like CSC I can say I'm of the opinion that the course book for CFR is solid. It's good. I might not like the CFR exam, but the book is good!



CertNexus CSC 210 and CFR 410

2023-03-24 10:27:00

About a month ago I re-sat CompTIA's Linux+ exam, to make sure I am still preparing my students properly for their own exams. I still like the Linux+ exam (which I first beta-tested in 2021) and I'm happy to say that my course's curriculum properly covers all "my kids" need to know.

This week I sat not one, but two exams. That makes four this year, so far. :D

Why the sudden rush, with two exams in a week? I'm applying as CertNexus Authorized Instructor, through an acceleration programme that CN are running. They invited professional trainers to prepare and take their exams for free, so CN can expand their pool of international trainers.

I feel that's absolutely marvelous. What a great opportunity! I heartily applaud CertNexus for this step.

The first exam which I took was CSC-210: Cyber Secure Coder. The curriculum had a nice overlap with the secure coding / app hacking classes that our team taught at ${Customer}, which means it's a class I would feel comfortable teaching. It's not programming per se, it's about having a properly secure design and way-of-work in building your software. The curriculum is language agnostic, though the example projects are mostly in Python and NodeJS.

I went through the official book for CSC and I like the quality. I actually enjoyed it a lot more than CompTIA's style. I haven't gone through the slide decks yet, so I can't say anything about those yet. The exam, I really liked. The questions often tested for insight and when it asked to define certain concepts, it wasn't just dry regurgitation. 

I can definitely recommend CertNexus CSC to anyone who needs an entry-level training and/or certification for secure development. 

Now, CFR-410 (CyberSec First Responder) is a different beast. I took the beta back in 2021 and at the time I was not overly impressed. The exam has stayed the same: it still asks about outdated concepts and it still has dry fact-regurgitation questions. 

I haven't gone through the book and slides yet, I'll do that this weekend so I can update this post. 

I have contacted CertNexus to offer them feedback and help, so we can improve CFR. Simply complaining about it won't help anyone, I'd rather help them improve their product.

EDIT: CertNexus have indicated they will welcome any feedback I can provide them for CFR, so that's ace. I will work with them in the coming weeks. 



The value (or not) of Linux+

2023-03-18 19:30:00

On Discord, people frequently ask: "is Linux+ worth it?". Here's my take.

The value depends on your market and on what you get out of it. In the US and UK, CompTIA is a well-known vendor but in other parts of the world they aren't. But left or right, Linux+ is not very well known.

I teach at a local school to prep young adults for the Linux+ exam. The school chose Linux+ because they can get heavily discounted vouchers for the exams, versus LPI, LF and others. For the school it was a matter of money: they really don't have much money and every dollar helps. 

Personally, I feel that the Linux+ curriculum is pretty solid as far as Linux sysadmin certs go. The exam itself is also decent and the vendor is mature. 

So in this case the value you'll get is from learning Linux system administration pretty in-depth. You'll also get a slip of paper which some might recognize and others will go "*cool, you passed a cert exam, good job*" (in a positive sense).

Linux+ is not worthless, it's just worth less (when compared to LFCS, LPIC1 and RHCSA).



DevSecOps: who's responsible?

2023-03-04 08:20:00

Someone on Discord asked: "Question: Does DevSecOps type of work fall under ISSO's roles and responsibilities?"

That got me thinking. 

IMO: DevSecOps, like many things in InfoSec, is something everybody needs to get in on! 

Architects need to define reference designs and standards. The ISO needs to define requirements based on regulations and laws and industry standards. An AppSec team needs to provide the tooling. Another team needs to provide CI/CD pipeline integration for these tools. And yes, the devops squads themselves need to actually do stuff with all of the aforementioned things. Someone needs to provide trainings, someone needs to be doing vulnerability management. Etc.

One book on the subject which I heartily recommend, is the Application Security Program Handbook, by Derek Fisher.

I bought that book right after leaving my previous AppSec role, where we spent two years building an AppSec team that did a lot of things from that list. I was amazed by the book, because cover to cover it's everything we self-taught over those two years.

