A few weeks after I signed up for Cracking the Perimeter (CTP), CTP was retired. Some infosec friends thought I got the short end of the stick, because the course content had not changed in a long while. That is half-true; newer exploit development techniques are now in the while, and CTP only covers the elementary details. I won’t spend time reviewing a retired course, but if you would like, Jack Halon writes a rather animated, good review on it.
Many friends have differing opinions of certifications. Some think that certifications are an alphabet soup — the more you collect, the more you can write on your namecard to brandish qualifications. That’s true only to a point when some alphabets are merely superfluous. Some think they are useless; they take the side that, if everything is open-source knowledge, why pay for extra alphabets and a certificate? What did I think of certifications? Here is my convoluted story.
Initial failures taught me perhaps the greatest lesson in infosec — humility. Humility, not passion, is to me, the defining factor in achieving a minimum level of success in offensive infosec. How much humility is required? Morten Schenk’s (blomster) words in someone’s OSEE review that remains the most meaningful quote I have read in my infosec career so far:
Essentially, no certification I can get, ever, can be proof I will know everything. There is no such holy grail. So the certificate is simply a measure of my own progress, learning journey, and more importantly, how much of the world I have seen.
This was why I decided to take the OSCE after all even though it was not the most updated of courses. At the least, I could get away realising that I have seen exploit development basics like ASLR, SEH and writing some ASM. Maybe the dream to conquer the pinnacle is still alive.
Many of us in infosec begin in it with some passion. Some of us broke systems since a young age. Some were lucky enough to be nurtured from young to become top 1337 hackers in their home country. I was none of these; my first foray into infosec formally was at the age of 25. Clearly I am unlikely to beat prodigies who got their OSCP at age 16. But I think I can look back, when I hit 30, that I have managed to achieve something relatively modest — being able to do infosec work, contribute to the open-source community and claiming quite a few Offsec certifications in the process.
On a more philosophical note (and something my infosec friends, I admit, may not think too hard about), I realised my privileges, because I managed to succeed this transition. As an infosec professional, I see a rose-tinted view of the world that labour supply is lean, and there seems to be an endless amount of digital infrastructure and applications that require cybersecurity services, which means plenty of jobs. Yet, on the other hand, I also read of peers my age who are living on tightrope thanks to COVID-19, which decimated industries that could not become resilient by going digital. I could have become like that if not for a stroke of my luck, since I never even planned for the infosec journey to begin with.
What I think I have done might be somewhat miraculous. For me, the OSCE was never about the alphabet soup; it was about conquering my own infosec objectives. I have never thought the journey would have been this fruitful. To all the infosec friends who I have met along the way, I thank you for creating sparks, and the luck to let me make it. Now I should think how to pay it forward as well, now that I have, through a few years of experience, a slightly less blind view of infosec.