by beardedwizard 2147 days ago
I do not value CEH or OSCP at all. The candidate will need to demonstrate they can apply that skill against a real world situation. I won't be more likely to interview you by having these on your resume, but it may help a recruiter put it in front of me (though I will never tell them to look for these keywords).
4 comments

GekkePrutser: > Good!! That's the right approach. I also think these certifications are forcing students to think in the direction intended by the underlying company, whereas hacking is about looking for the unexpected. It's about mastery of technology, not about ticking some boxes and knowing command-line parameters of common tools by heart.

CEH is box ticking. OSCP is breaking into stuff. That hacking is about "mastery of technology" I don't agree with. The latest major vulnerabilities identified this month were very low-hanging fruit, and I bet you there's still way too many unpatched instances of BIG-IP, NetScaler and Windows DNS out there right this moment. ...two of which have available POCs online for any script kiddie to get their hands on. If not all three... the researchers who found the Windows DNS vulnerability have agreed to hold their horses for a while, letting admins patch their systems before releasing all details.

Lateral movement in an Active Directory environment is trickier than looking up a version number and trying your luck with a POC, sure, but you give too much credit to hackers, man. :P

> See my earlier comment regarding the relative strength of candidates with OSCP.

Have you been through the course and exam yourself, or are you basing this on something else? If you've been through the experience, which parts of it contribute to you not valuing it?

I have not, and have no plan to take OSCP - though I'm familiar with it.

I'm relating the facts about candidates who applied to my roles with OSCP certifications. I did not hire any of them.

I do not specifically dislike OSCP, it's that I do not value any of the certs merely because someone possesses them.

Certs are a marginal signal to me about your potential for discipline, may inform how deep I go on questioning, and that's it. Conversely, certs may lead to bias, particularly for some very lame ones.

I don't think it's very fair to weight letters on a resume so heavily, it's about what you can do in the role I have for you.

Having them is not something that will make a big difference to me.

> The candidate will need to demonstrate they can apply that skill against a real world situation.

I thought this is exactly what holders of the OSCP certificate have demonstrated during the exam?

I'm less interested in someone else telling me you can do it, and more into you demonstrating you can do it in a situation I care about.

See my earlier comment regarding the relative strength of candidates with OSCP.

Good!! That's the right approach. I also think these certifications are forcing students to think in the direction intended by the underlying company, whereas hacking is about looking for the unexpected. It's about mastery of technology, not about ticking some boxes and knowing command-line parameters of common tools by heart.

Indeed there is a major issue with HR focusing too strongly on certificates because they lack the knowledge to evaluate a candidate any other way.