I took the plunge on May 10th and took the CompTIA Advanced Security Practitioner beta exam. It was quite a bit more difficult than the Security+ exam and the SSCP exam, but not as difficult as the CISSP exam. I’d say that if it becomes successful, it will be compared to the CISSP quite often.
It was 92 questions and I had 135 minutes to complete it. In comparison, the Security+ is 100 questions and you have 90 minutes to complete it. In other words, you have about 1 1/2 minutes for each question compared to about 54 seconds for each Security+ question.
However, the questions vary wildly. Some were simple one-sentence questions. Others were multiple sentences with several bullets of requirements you needed to understand. Some were single answer, others multiple answer. Some included drag and drop questions and others included complex simulations.
First, kudos to CompTIA on some of the drag and drop and simulations. They worked, and they required some thought. One provided very little direction, but it effectively tested your knowledge of several important concepts. I was reminded of how many people shun the command line, but if you don’t know basic command line commands, you’ll be stymied. (If you want to brush up on the command line, check out this book for Windows 7 commands.)
I have no idea how these questions will be graded though, so I wonder how subjective the answers are on these simulations. For example, you could choose to put a NIPS on the Internet side of a firewall, or on the internal side of the firewall. Which one is best depends on your goals. However, if only a single answer is correct based on what the author’s thoughts were, you may not get credit for your answer. Hopefully the CompTIA subject matter expert workshop in June 2011 will address the fact that there may indeed be more than one correct answer. (I also hope they address the need for another editing pass to ensure that words aren’t missing from questions, bullets are presented consistently, and more white space is used so that it’s easier to read the questions.)
The exam covers a wide range of knowledge. I’ve worked as a network administrator, a systems engineer, a project manager, an application developer, and more. This exam tests knowledge in all of these arenas, and more.
For me, it helped that I’ve authored several security-related books in the last couple of years. These books included many topics that were helpful to me for the CASP exam. Here are a couple of examples:
- CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide – Some of the CASP knowledge is from Security+. If you’ve mastered the knowledge in Security+ (not just memorized it), it’ll help. For example, simple knowledge about vulnerability testing and penetration testing and the purpose of each is valuable. Penetration testing includes vulnerability testing, but also attempts to exploit the vulnerability.
- SSCP Systems Security Certified Practitioner All-in-One Exam Guide – Several of the topics from the SSCP exam crossed over into CISSP. It’s valuable to understand basics about calculating the usefulness of controls based on their costs. For example, if a maintenance contract averages $5,000 in costs a year, but you can buy a part for $1500 and not need the contract, what should you do? (Buy the part and cancel the contract.) You should also understand the differences between white box, black box, and gray box vulnerability testing: white box testing is done by an insider with full knowledge of the system, black box testing is done by an outsider with zero knowledge about the system, and gray box testing is done by someone with some knowledge about the system.
- Microsoft Windows Security Essentials – Some topics included in the CASP exam were covered in this basic book covering the MTA 98-367 exam, such as the familiar CIA triad. Confidentiality prevents unauthorized access and is enforced with access controls and encryption. Integrity verifies data is not modified and is enforced with hashing, digital signatures, and audit logs. Availability ensures that systems and data are available when needed and includes redundant and fault-tolerant components such as RAID and failover clusters.
In summary, this exam isn’t a cakewalk. It goes into depth in several different IT disciplines. However, since it does cover so much, if you’re able to earn it, it does show you have quite a broad range of knowledge related to IT and security. Time will tell how valuable it is. Time will tell if I passed it too, since I won’t learn if I passed or not until the fall.
Best of luck in all of your adventures.
I heard from CompTIA on September 15th. They let me know that I passed.