- Personal website of Tess Sluijter

Unimportant background
  RSS feed

About me

Blog archives























> Weblog

> Sysadmin articles

> Maths teaching

Trying out two certification exams: CASA and Cloud+

2024-02-02 07:28:00

In 2020 I took the CV1-003 CompTIA Cloud+ beta. Back then I wasn't really impressed with the quality of the exam. Well, it's time for the next version!

A few weeks ago I took CV1-004 for $50, to see if it's better than last time. Yes, but no. 

The questions on the new beta were more diverse than last time. And I still like the exam objectives / curriculum. But in general, I wasn't a fan of the exam questions. I know CompTIA often has questions where you're not supposed to think from real-life experience, but this time around it's really pretty bad. Know that meme of grandma yelling "that's not how any of this works!". Well that was me. 

Especially the PBQs felt like CompTIA were struggling to come up with something that works. And if I have to see one more white-clouds-on-blue-sky stock photo I'll scream. 

Jill West, an instructor on CIN, wrote it pretty eloquently:

"That was a bizarre exam. Only one of the PBQs really seemed appropriate to the test [...] Some other questions seemed like someone was looking at the objectives to write their questions but didn't really understand the concepts; they just used several items from the objectives as "wrong" answers when those options really weren't congruent with each other [...]"

So yeah. If there's a student interested in learning about cloud computing, I would suggest the read the materials, but I wouldn't suggest they'd take the exam.


After passing PDSO's CASP API security exam, I thought I'd look at some of their competition. I'm still going through APISec University's courses (which seem good), but I also gave their CASA exam a quick shot. 

In short: I will definitely recommend their training materials to students, but not the CASA. CASA is:

  1. 100 questions
  2. Open book
  3. Unproctored
  4. Untimed
  5. ... and it rings in at $125

Points 2, 3 and 4 unfortunately mean that, from an employer's point of view, the certification isn't worth much because there's no guarantee that whomever has it didn't cheat in some way. Basically my biggest critique of PDSO's exams as well (which has points 2 and 3, but not 4).

The questions on the test were well written, so that's something. They are a decent way for someone who's taken the APISecU classes to test themselves. And the potential employers will simply need to do better BS-testing in interviews. :) tags: ,

View or add comments (curr. 0)

Book recommendation: Microservice APIs, by José Haro Peralta

2024-01-21 15:21:00

In the months leading up to my PDSO CASP studies I read José Haro Peralto's "Microservice APIs". On and off, between classes and between other things I was learning. It's been a long read, but I can heartily recommend it. 

I can honestly say that José's excellent book is what taught me the most I now know about how APIs work! And it most certainly made a lot of things clear, which I also learned about in CASP. 

Before I read "Microservice APIs" I had a foundational grasp of how REST and SOAP APIs look from the outside, as consumer. I'd used OpenAPI specs, I'd read through WSDL files and I'd made API calls through HTTP. But I never really understood how it all worked on the server side. 

José's book makes all of that server side magic crystal clear!

The book explains foundational and deep technical aspects of building multiple interacting APIs, which together form the backend of an online coffee product shop. And José shows all of it! All the Python code to load the frameworks, to write the queries and to build the endpoints. All of the code needed for GraphQL and two different REST implementations. And even a bit of authentication and authorization! Heck, appendix C of the book turns out to have exactly what I was looking for when I wanted to learn about integrating OIDC and OAuth into the authorization checks of an API!

If you hadn't guessed yet: "A+ would recommend". tags: , ,

View or add comments (curr. 0)

PDSO CASP exam done! Let's review!

2024-01-21 11:22:00

Almost a month ago I started my studies for PDSO CASP, or Practical DevSecOps - Certified API Security Professional. That's a whole lot of words! 

I've taken two PDSO classes and exams before: CDP in 2021 and CTMP in 2023.

Yesterday I took the exam and boy-howdee! did I get off on the wrong foot! I thought I'd booked the exam to start at 0800, but when I was brushing my teeth at 0645 the exam instruction email arrived! My own fault and luckily I was at my desk in fifteen minutes... I didn't miss any time, I was just a lot less relaxed than I'd hoped to be. 

It was fun to do another hands-on hacking exam! Six hours of happy hacking! Having said that, I have one thing to nag about. 

The exam did not test anything new. PDSO themselves in their training materials always advise: (paraphrased) "if you do all the labs and take careful notes, you will do well on the exam". They said it with CASP, they said it with CTMP and with CDP. 

With CDP there was additional depth to the exam insofar that you needed to apply concepts that you had learned to new technology. For CASP that did not ring true. And I understand why PDSO took this approach. CDP was about implementing CI/CD pipelines, while CASP is about attacking (pentesting?) APIs. And one does not "simply pentest" five different APIs in six hours time. 

In my feedback to PDSO (and I gave plenty of it) I suggested that they could make a proper competitor to APISecU's ASCP exam by creating a second, longer and more in-depth exam. If PDSO made CASE (certified API security expert) which lasts twelve hours and has you do proper recon and attacking, I'd be all over that!

In essence the difficulty level of PDSO CASP is not defined by the technical challenges, but by time management and by foundational understanding. If you didn't do the training and labs, or if you don't have prior API pentesting experience you will fail. And if you cannot do those five challenges in six hours, while collecting evidence (screenshots, logging, code), you will fail. 

Speaking of which: the reason why my reporting went so well, is because I ahdere to the most important lesson I learned from BHIS and John Strand: "Document as you go."

You will need to be picky about how you attack the challenges and you will definitely need to timebox. In my case the challenges were worth 20, 20, 15, 25 and 20 points and I need 80 out of 100 points to pass. Having said that...

The exam assignments are clear and complete, as is the list of requirements for your reporting. PDSO make it very clear how you will be scored and they give you every opportunity not to fail. 

The team at PDSO are very responsive. Support for the training and exam are arranged via MatterMost and you will always find someone from the team online. If there's a technical issue, they will report on it very quickly and they will make good time in resolving the issues. 

Having said that, I am surprised at the lack of community building on MatterMost. They have 2500+ students on there and the community chat is very quiet. And every time that someone does ask a question about course contents, they are immediately approached by someone from PDSO to tackle the question in DMs. There is no community building or involvement. 

Then there's one final, big factor which I feel detracts from the professional value of the PDSO certifications: validation. 

At no point before, during or after my exam was my identity verified. There is no proctoring, no session recording, nothing. My exam could have been done by anyone. I could have used any method of cheating and they would not know. My report could have been written by anyone. 

This will automatically devalue the certification for prospective employers. Instead of relying on the certification body, the employer will need to apply their own bullshit detector to verify if the applicant actually has any API hacking experience. 

Mind you, this is not unique to PDSO. APISec University have the same problem with their CASA exam which is unproctored, unvalidated and open book. I haven't taken APISec's ASCP yet, so I don't know if that's proctored. 


About the CASP training itself? I liked it well enough and it did teach me quite a few new things. It's just that at a few points I really wish they'd gone more technically in-depth than they did. Don't get me wrong, they already go pretty deep on a lot of topics, but I wanted more. Case in point: I did two 6-8 hour deep dives on OAuth and on OAuth+OPA to really understand how a technical implementation in code would work. 

It was time and money well spent! tags: ,

View or add comments (curr. 0)

Learning more about OIDC, OAuth and OPA

2024-01-15 20:12:00

Almost a month ago, I did a deepdive on how OAuth really works, as part of my preparations for the PDSO CASP exam. 

Well, it's time for another one! Because I really wanted to know how you would use OAuth in conjunction with OPA (open policy agent) to drive the access controls on your API and business logic. 

I spent another six hours, watching videos and reading through sample code to put two-and-two together. Here's linkks to resources that really helped me. tags: ,

View or add comments (curr. 0)

Why can't vendors just make practice exams, just like the real thing?

2023-12-31 13:29:00

On Discord someone asked why it's so hard for vendors to "just" make practice exams that are just like the real thing? To them, it seemed like an obvious market gap! And to be honest, who wouldn't want a proper test run while prepping for Security+, LPIC1 or even CISSP?!

Now, I'm no expert, but here's what I told'm...

Most importantly it's because you absolutely have to blackbox the practice exam creation. There can never be any doubt whatsoever that you as vendor stole copyrighted materials or that you lifted questions and concepts from the official materials.

You have to have proof of your process and show that none of your personnel have ever taken the real exam. This means you have to hire a group of SMEs (subject matter experts) and have them create a testbank of 2000+ questions which cover all of the exam objectives for that one exam. But they're not allowed to look at official materials ever; possibly not even the objectives themselves.

And then you have to do that ten-or-so times, to cover all the exams. So basically at that point, you are making a brand new exam and you're competing with Linux Foundation, LPI, ISC2, CompTIA, etc.

It costs a huge amount of money.

Since we're in an IT forum I can safely point you towards this, which is strikingly comparable... Look into how Compaq reverse engineered the IBM PC BIOS, so they could make IBM PC compatible devices. Very similar.

For the exam questions, taking the Compaq analogy, it would mean that you need to have a team that creates a very precise set of requirements and design decisions. Theoretically they could look at what CompTIA and other vendors do.

Then you would need that second team of actual SMEs to write those hundreds or thousands of questions, based on the specifications written by the first team.

And then possibly, you could get exams which are very close to what CompTIA does. tags: ,

View or add comments (curr. 0)

Learning about OAuth

2023-12-27 20:33:00

OAuth is a topic that has popped up a few times in my certification studies (Security+, CISSP, CSC210), but in none of those cases the curriculum went in-depth on how it works. As in really, how do you implement it, what does it look like in action? 

I'm currently going through PDSO's API security training, preparing for the exam. OAuth gets about twenty minutes of video in there and they do a relatively good job of explaining. But yet again, there's still a lot of details missing. 

Today I spent five or six hours reading through the resources below, making a huge stack of flash cards so I can refresh what I learned at a later point in time. 

For those who might struggle a bit with OAuth and how it would be implemented in code, here's an absolutely great example of a Javascript SPA (single-page app).

I then also read:

I also had no clue whatsoever about how those links worked, where you do something in a browser and it pops up an app on your smartphone, tablet or computer. I learned that's called app deep linking and it's something that's both really cool and that's had its share of vulnerabilities as well. This was a great read which taught me how the URI schema for app deep links work and how they can be attacked. 


Oh my gosh, the folks at Curity made a great 8-part mini training that introduces OIDC and OAuth. Parts 7 and 8 perfectly explain 90% of what I wanted to know when I started my research. tags: ,

View or add comments (curr. 0)

CompTIA ITF+ exam

2023-12-03 11:01:00

After my frustrating start with the exam check-in (started at 08:15, finished at 09:00), I did get to do the CompTIA ITF+ (IT Fundamentals) exam. 

Tess? Why do this most entry-level of junior exams? Two reasons:

  1. I'm test-running it for my students at ITVitae, to see if the curriculum and exam are decent.
  2. I've built a webshop selling heavily discounted CompTIA vouchers and wanted to test the payment process, by buying the cheapest voucher.

So what did I think? 

I like the curriculum / objectives. They cover a wide range of topics, which I feel most people in IT should really be familiar with.

The exam itself was decent, though I'm not a huge fan of how a lot of the questions were worded. In some cases the grammar felt a lot more clunky than I'm used to from Linux+, Pentest+, etc. 

I scored much lower than I'd expected! The range is 100 - 900 points, with a pass at 650. I scored 730, which suggests that I misread questions or that CompTIA wanted me to think about a question differently. Plus, I do believe that one or two questions, I got tripped up by the very weird wording. 

Do I think ITF+ is worth it for the most junior students I will be teaching? Yes, the curriculum is worth it. But I do feel that the exam might be a bit frustrating for them. tags: ,

View or add comments (curr. 0)

My first real frustrating encounter with OnVue remote testing

2023-12-03 10:46:00

Two screenshots of a photo app

Today I took CompTIA's ITF+ exam at my office, using PearsonVue's OnVue testing software. This has gone wel for me 10+ times, but today it didn't. 

What changed? I used a desktop Mac instead of my usual laptop. What else went wrong? The check-in process. 

Let's start with that last one: the check-in process.

This has gone perfectly well for me 10+ times. You visit on your smartphone, you enter the exam ID and you go through the wizard to take photographs of yourself, your ID and the room. 

The big problem is that the "shutter" button to take the photograph went missing. It was impossible to take the photo.

In the screenshot above, you will see that:

This made it impossible to photograph my ID and to proceed with the check-in. 

I contacted the PearsonVue support team via chat and they did not understand my problem. They asked for error messages, or told me to use my phone (I was), or told me to try my laptop (I didn't have one). 

Why use a laptop? There is a secondary method of taking the photos inside the OnVue exam app itself. It uses your computer's camera for the photographs. This would have worked to some degree, were it not that I was using a desktop PC with a wired camera. 

Plus it turns out that the Logitech 720p camera I have is not good enough to take these pictures as it has fixed focus. 

After a lot of back and forth with support, I accidentally found out (by flicking the screen on my phone) that the camera shutter button is in fact on the ID page, but it's out of view. You have to scroll the layer with the overlay. That was 200% un-intuitive. 

Later on I was also informed that my Wacom pen-tablet is not a permitted peripheral; that was on me, I should have know. Quickly switched to an old mouse.

Lessons learned from todays OnVue exam:

The rest of the exam, after checkin? Zero technical problems. I'll write about ITF+ separately. tags: ,

View or add comments (curr. 0)

Older blog posts