Open source software security

CEPT Practical


The Certified Ethical Penetration Tester (CEPT) certification is sponsored by the IACRB (Information Assurance Certification Review Board). The certification is a two-part process. The first part is a 50-question multiple-choice exam. You have to get 70% correct to pass that part. Once you've passed the multiple choice you're given a three-part practical to complete in 60 days. The practical is advertised to consist of discovering and creating a working exploit for a Windows vulnerability, discovering and creating a working exploit for a Linux vulnerability, and reverse engineering a Windows binary.

I just completed the practical part of the exam and I have to say I am extremely impressed with the CEPT certification process. I found the multiple-choice test to be pretty easy, and it probably wouldn't be too tough for anyone who has spent significant time in the computer security field. Some of the questions are tool-specific though, so unless you've run the tools or taken a training class you might not get those questions correct.

I'm normally not a fan of certification. To be honest, in most cases getting a certification requires memorizing answers to questions and regurgitating them on an exam. You don't really have to have any working knowledge to get most certifications.

The CEPT, because it includes the practical, is probably the most worthwhile certification I'm aware of. The practical is *hard*. From the IACRB website: "You are not formally required to have experience in the field in order to take the CEPT certification. Do realize that by design the CEPT focuses on and tests your ability to apply your knowledge and skills in practice. You will have a much easier time with the certification process if you've spent some time working with the tools and technology."

The practical was, in all honesty, harder than some of the exercises I had to complete in a graduate-level computer security course at an Ivy League university. Most exercises of this type are pretty straightforward - like find the buffer overflow and exploit it. Because the CEPT practical simulates real-world environments, finding the vulnerability is only about 25% of the challenge. The exploit was never straightforward. For instance, you might find a buffer overflow, but it might be caused by a function that is only called by another function which manipulates user input in some way. This means you have to carefully inspect the movement of data in memory to track how user input is passed from one function to another. Then, once you figure out how the data is being handled, you have to find out how to manipulate it to take advantage of a vulnerability. In many cases the target program was fragile too, so messing up would crash the target.

Needless to say I spent a lot of time in front of a debugger and made heavy use of a virtual machine target. Getting familiar with the technical tools (like a debugger or a binary disassembler) took a lot of the time. The practical took me several weeks to finish, and none of the exercises were as simple as they first appeared.

I don't have any numbers on how many people have a CEPT certification or how many people even take the exam. I have heard that only a small portion of people who pass the multiple choice exam even submit the practical, so I can only imagine there aren't many people who are certified.

Despite the fact that this isn't a widely known certification, I would highly recommend it. Given my experience I think it's one of the few certifications that truly speaks to a person's ability. Anyone who can finish the practical must understand at a fairly complex level how vulnerabilities work. At the very least you can know they are intimately familiar with x86 memory architecture and assembly code.

I would highly recommend the CEPT certification for anyone who is serious about penetration testing or computer security. The ability to locate vulnerabilities and develop custom exploit code speaks very highly to a person's skill and working knowledge. I really have to hand it to the folks at IACRB for developing a truly worthwhile certification process.

Now I'm just keeping my fingers crossed and hoping I pass ;)