Earning my GWEB Certification – SANS2013 and Test Prep

This past spring I attended the SANS2013 Conference at the Marriott World Center in Orlando, to sit for their DEV522 class; Defending Web Applications Security Essentials.  This class is meant to prepare the student for the GIAC Certified Web Application Defender (GWEB) Certification exam.

SANS2013

This was the second SANS event that I’ve attended.  The first was SEC401, to prepare for my GSEC certification.  I was so impressed with the training and the event, I knew that I would be back.

Upon arrival at SANS2013, I checked in and was issued my bag of six books, one for each day.  The DEV522 class was much smaller than the SEC401 class that I took in 2011.  It was taught by Johannes Ullrich and the courseware was written by Jason Lam.  The OWASP Top 10 is the core in which the entire course it built around.  Labs were littered throughout the coursework, to drive home concepts and test your ability and understanding of topics.

With my background in web development, nothing was “ground breaking”, but everything was interesting nonetheless.  I never felt bored.  I would definitely recommend it to other Application Architects and Developers.

The course lasted six days, all day, except for the final day.

Studying/Preparations for the Test

Surprisingly, during the DEV522 class, I took few notes.  But there were times throughout the course that I “picked up on” the significance of a topic from the instructor.  In these cases, I made notes in the margin and/or highlighted the terms to further research.

After the SANS2013, I began a formal indexing of the book.  Each day, I would try to work through approximately 1/2 of a book, adding all keywords and topics in to an Excel spreadsheet.  In addition to referencing the book and page number of the topic, I would add notes that could be useful for quick reference.  In addition to the detailed index, I created a basic table of contents of the six books.  Once completed, my detailed index was 32 pages and the table of contents about five.  The image to the right shows the difference between this course’s courseware (on left) and SEC401 (on right).

SANS also provides MP3s of the course.  In the case of DEV522, the audio was of Jason Lam teaching the course.  So on my daily commutes and while at the gym, this is what I listened to.  Honestly, many of the topics were more easily understood by Jason’s teaching.  All in all, the audio was very useful.

Like I did with the GSEC test, I bound all of my indexes in a three ring binder along with some the following cheat sheets:

• IPv6 (via PacketLife)
• ASCII Conversion
• HEX-Decimal Conversion Cheatsheet (my own creation)
• Common Port Reference (via PacketLife)
• IPv4 Subnetting (via PacketLift)
• HTTP Status Codes (via Authority Labs)
• ReqExp
• IPsec (via PacketLife)
• OWASP Top 10 Publication
• OWASP XSS Prevention
• OWASP SQL Injection Prevention

I did not repeat any of the labs in preparation.

Practice Tests

Once I felt reasonable confident in my organization of the information, I took a practice test via the SANS website.  The SANS practice testing interface is basically exactly the same as the actual test.  The only difference is that during the actual test, you are not provided explanations when you answer a question incorrectly.

My goal, was that if I scored an 85 or above on my first test, I would immediately schedule the actual test.  I ended up scoring a 80%.  During the test I made sure to note topics that I needed further studying/understanding of and to annotate shortcomings in my indexes.

A few days later I took the second practice and scored a 90.67%.  It seemed like the 2nd practice test repeated about 20-30% of the questions from the 1st.  Seeing this, I figured I had this test in the bag, so I scheduled the test.

Actual Test

After signing into the testing center, I sat down and began the test.  I went through the first 10 questions or so, and not a single question repeated from the practice tests.  This proved true for the entire test, showing that SANS needs to add more questions to their practice test pool.

I finished the test in just under two hours, scoring a 90.67%.  Believe me, this test is not easy.  You either know the topics or not.

Summary

Unlike some of the other GIAC test which are just facts, this test evaluates your knowledge and understanding of what is taught. There are many “situational” type questions that give you a big picture overview of a scenario and you have to pick the best answer, taking cost and benefit into account.  Most of the questions I didn’t have to lookup, but often did, just for validation of my understanding of a concept.

Of all of the preparation that I did, the following is my rank of value (to me)

• 10 – DEV522 Course: The class is well worth it.  You can do online or in person.  I’d recommend the later.
• 9 – DEV522 MP3s: While not adequate for the initial course, it was excellent for review and to hear another instructor teach the same material.
• 9 – Practice Test #1: The first test really shows you how well you prepared
• 8 – Detailed Index: While not as valuable as in other courses, it still got used
• 8 – Cheat Sheets: I used everyone listed above, except the OWASP ones
• 5 – Practice Test #2: While beneficial, it repeated far too many questions to be critical.
• 1 – Table of Contents: Used once, during one practice test
• 0 – OWASP Publications – The course work covers them more than enough to prepare and take this test.

My advice to others interesting in the GWEB exam;  ensure you have an enterprise level understanding of the web application environment before attempting this test.  A developer who works in a vacuum or security personnel without any programming experience are going to have a tough time.

The class was definitely worth the time.  I think it sets the stage for my next SANS class SEC542 Web App Penetration Testing and Ethical Hacking.