2023-01-16 07:20:00
In early 2021 I needed to learn about DevSecOps and CI/CD and I needed it fast. A crash course if you will, into all things automation, pipelines, SAST, SCA, DAST and more. I went with PDSO's Certified DevSecOps Professional course, which included a 12h hands-on exam.
Here's my review from back then, TLDR: I learned a huge amount, their labs were great, their videos are good, their PDF was really not to my liking.
Since then I've worked with a great team of people, team Strongbow at ${Bank}, and we've taught over a thousand engineers about PKI, about pentesting, about API security and about threat modelling. So when PDSO introduced their CTMP course (Certified Threat Modelling Professional) I jumped at the chance to formalize my understanding of the topic.
My review of the training materials is going to be very similar to that of CDP:
- The videos for this training were good. I watched all of them at 1.5x or even 1.8x speed because the teacher speaks calmly and clearly.
- The curriculum is solid, I learned a lot! The course covers more than "just" threat modelling and certainly does not have the pitfall of getting stuck discussing ten different methodologies.
- As before, I hate the PDF. The PDF literally consists of the slides used in the training, each slide having its own page and being accompanied by the literal text spoken by the trainer. This could have been okay, were it not for the huge watermarks and the huge amount of white space because of the page breaks for every slide + text.
- The labs were good too, although it might feel weird. Less than 25% of the labs actually need the online component (because of tools you run). The rest start a terminal and then tell you to slide the window aside so you can read the research assignments. And that makes sense: this may be a technical exam, but it's not about hands-on tech!
I took the exam yesterday and it was great, better than I expected!
- PDSO say that the exam is six hours, allowing a further twenty-four to write and submit your report.
- Me, I say it's a thirty-hour exam: there is zero need for their online lab environment as the exam mostly consists of research and essay writing. Yes, you will need to do technical hands-on work, but you can do it on a local VM.
- The five challenges I got for my exam were in-depth and thorough; each consisted of multiple sub-tasks with unique research questions of their own.
- The exam experience was great, exactly as their documentation had said it would go: join the Slack server before your exam window, you'll get an email with all instructions within the first fifteen minutes of your exam, you get the allotted timeframe of online labs and then you work on your report.
- From start to finish, the exam took me fourteen hours: eleven for all the research and work, three to compile all my notes into my report template.
- One thing that I did find odd is that there was zero verification of my identity. No passport check, no quick webcam chat, nothing. It could have been anyone taking my exam. Yes there's academic honesty and yes, I'm an ethical person, but not everybody is.
For anyone looking for tips to take the CTMP exam:
- The instructions documentation and FAQ about the exam are very thorough. You should read them both, multiple times. There is no chance of submitting the wrong results if you follow the instructions.
- Document as you go. This has been true for any of the practical hands-on exams that require reporting (OSCP, CRTP, CDP etc) and it's true here. You will do 90% of your report writing while you work.
- Spend the first half hour re-reading the exam instructions and all the challenges. Determine your skill gaps and make a plan accordingly. In my case, I determined that I would work in the order 5, 4, 3, 1, 2.
- Keep track of the time and timebox your challenges. Yes, the CTMP exam doesn't need the online lab time, but it's best to keep to this best practice. It prevents you from getting stuck on an assignment, blocking the others.