2024-01-21 15:21:00
In the months leading up to my PDSO CASP studies I read José Haro Peralto's "Microservice APIs". On and off, between classes and between other things I was learning. It's been a long read, but I can heartily recommend it.
I can honestly say that José's excellent book is what taught me the most I now know about how APIs work! And it most certainly made a lot of things clear, which I also learned about in CASP.
Before I read "Microservice APIs" I had a foundational grasp of how REST and SOAP APIs look from the outside, as consumer. I'd used OpenAPI specs, I'd read through WSDL files and I'd made API calls through HTTP. But I never really understood how it all worked on the server side.
José's book makes all of that server side magic crystal clear!
The book explains foundational and deep technical aspects of building multiple interacting APIs, which together form the backend of an online coffee product shop. And José shows all of it! All the Python code to load the frameworks, to write the queries and to build the endpoints. All of the code needed for GraphQL and two different REST implementations. And even a bit of authentication and authorization! Heck, appendix C of the book turns out to have exactly what I was looking for when I wanted to learn about integrating OIDC and OAuth into the authorization checks of an API!
If you hadn't guessed yet: "A+ would recommend".
kilala.nl tags: work, studies,
View or add comments (curr. 0)
2024-01-21 11:22:00
Almost a month ago I started my studies for PDSO CASP, or Practical DevSecOps - Certified API Security Professional. That's a whole lot of words!
I've taken two PDSO classes and exams before: CDP in 2021 and CTMP in 2023.
Yesterday I took the exam and boy-howdee! did I get off on the wrong foot! I thought I'd booked the exam to start at 0800, but when I was brushing my teeth at 0645 the exam instruction email arrived! My own fault and luckily I was at my desk in fifteen minutes... I didn't miss any time, I was just a lot less relaxed than I'd hoped to be.
It was fun to do another hands-on hacking exam! Six hours of happy hacking! Having said that, I have one thing to nag about.
The exam did not test anything new. PDSO themselves in their training materials always advise: (paraphrased) "if you do all the labs and take careful notes, you will do well on the exam". They said it with CASP, they said it with CTMP and with CDP.
With CDP there was additional depth to the exam insofar that you needed to apply concepts that you had learned to new technology. For CASP that did not ring true. And I understand why PDSO took this approach. CDP was about implementing CI/CD pipelines, while CASP is about attacking (pentesting?) APIs. And one does not "simply pentest" five different APIs in six hours time.
In my feedback to PDSO (and I gave plenty of it) I suggested that they could make a proper competitor to APISecU's ASCP exam by creating a second, longer and more in-depth exam. If PDSO made CASE (certified API security expert) which lasts twelve hours and has you do proper recon and attacking, I'd be all over that!
In essence the difficulty level of PDSO CASP is not defined by the technical challenges, but by time management and by foundational understanding. If you didn't do the training and labs, or if you don't have prior API pentesting experience you will fail. And if you cannot do those five challenges in six hours, while collecting evidence (screenshots, logging, code), you will fail.
Speaking of which: the reason why my reporting went so well, is because I ahdere to the most important lesson I learned from BHIS and John Strand: "Document as you go."
You will need to be picky about how you attack the challenges and you will definitely need to timebox. In my case the challenges were worth 20, 20, 15, 25 and 20 points and I need 80 out of 100 points to pass. Having said that...
The exam assignments are clear and complete, as is the list of requirements for your reporting. PDSO make it very clear how you will be scored and they give you every opportunity not to fail.
The team at PDSO are very responsive. Support for the training and exam are arranged via MatterMost and you will always find someone from the team online. If there's a technical issue, they will report on it very quickly and they will make good time in resolving the issues.
Having said that, I am surprised at the lack of community building on MatterMost. They have 2500+ students on there and the community chat is very quiet. And every time that someone does ask a question about course contents, they are immediately approached by someone from PDSO to tackle the question in DMs. There is no community building or involvement.
Then there's one final, big factor which I feel detracts from the professional value of the PDSO certifications: validation.
At no point before, during or after my exam was my identity verified. There is no proctoring, no session recording, nothing. My exam could have been done by anyone. I could have used any method of cheating and they would not know. My report could have been written by anyone.
This will automatically devalue the certification for prospective employers. Instead of relying on the certification body, the employer will need to apply their own bullshit detector to verify if the applicant actually has any API hacking experience.
Mind you, this is not unique to PDSO. APISec University have the same problem with their CASA exam which is unproctored, unvalidated and open book. I haven't taken APISec's ASCP yet, so I don't know if that's proctored.
...
About the CASP training itself? I liked it well enough and it did teach me quite a few new things. It's just that at a few points I really wish they'd gone more technically in-depth than they did. Don't get me wrong, they already go pretty deep on a lot of topics, but I wanted more. Case in point: I did two 6-8 hour deep dives on OAuth and on OAuth+OPA to really understand how a technical implementation in code would work.
It was time and money well spent!
kilala.nl tags: studies,
View or add comments (curr. 0)
2024-01-15 20:12:00
Almost a month ago, I did a deepdive on how OAuth really works, as part of my preparations for the PDSO CASP exam.
Well, it's time for another one! Because I really wanted to know how you would use OAuth in conjunction with OPA (open policy agent) to drive the access controls on your API and business logic.
I spent another six hours, watching videos and reading through sample code to put two-and-two together. Here's linkks to resources that really helped me.
kilala.nl tags: studies,
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.