PDSO CASP exam done! Let's review!

2024-01-21 11:22:00

Almost a month ago I started my studies for PDSO CASP, or Practical DevSecOps - Certified API Security Professional. That's a whole lot of words! 

I've taken two PDSO classes and exams before: CDP in 2021 and CTMP in 2023.

Yesterday I took the exam and boy-howdee! did I get off on the wrong foot! I thought I'd booked the exam to start at 0800, but when I was brushing my teeth at 0645 the exam instruction email arrived! My own fault and luckily I was at my desk in fifteen minutes... I didn't miss any time, I was just a lot less relaxed than I'd hoped to be. 

It was fun to do another hands-on hacking exam! Six hours of happy hacking! Having said that, I have one thing to nag about. 

The exam did not test anything new. PDSO themselves in their training materials always advise: (paraphrased) "if you do all the labs and take careful notes, you will do well on the exam". They said it with CASP, they said it with CTMP and with CDP. 

With CDP there was additional depth to the exam insofar as you needed to apply concepts that you had learned to new technology. For CASP that did not ring true. And I understand why PDSO took this approach. CDP was about implementing CI/CD pipelines, while CASP is about attacking (pentesting?) APIs. And one does not "simply pentest" five different APIs in six hours' time. 

In my feedback to PDSO (and I gave plenty of it) I suggested that they could make a proper competitor to APISecU's ASCP exam by creating a second, longer and more in-depth exam. If PDSO made CASE (certified API security expert) which lasts twelve hours and has you do proper recon and attacking, I'd be all over that!

In essence the difficulty level of PDSO CASP is not defined by the technical challenges, but by time management and by foundational understanding. If you didn't do the training and labs, or if you don't have prior API pentesting experience you will fail. And if you cannot do those five challenges in six hours, while collecting evidence (screenshots, logging, code), you will fail. 

Speaking of which: the reason why my reporting went so well is because I adhere to the most important lesson I learned from BHIS and John Strand: "Document as you go."

You will need to be picky about how you attack the challenges and you will definitely need to timebox. In my case the challenges were worth 20, 20, 15, 25 and 20 points and I needed 80 out of 100 points to pass. Having said that...

The exam assignments are clear and complete, as is the list of requirements for your reporting. PDSO make it very clear how you will be scored and they give you every opportunity not to fail. 

The team at PDSO are very responsive. Support for the training and exam is arranged via Mattermost and you will always find someone from the team online. If there's a technical issue, they will report on it very quickly and they will make good time in resolving the issues. 

Having said that, I am surprised at the lack of community building on Mattermost. They have 2500+ students on there and the community chat is very quiet. And every time that someone does ask a question about course contents, they are immediately approached by someone from PDSO to tackle the question in DMs. There is no community building or involvement. 

Then there's one final, big factor which I feel detracts from the professional value of the PDSO certifications: validation. 

At no point before, during or after my exam was my identity verified. There is no proctoring, no session recording, nothing. My exam could have been done by anyone. I could have used any method of cheating and they would not know. My report could have been written by anyone. 

This will automatically devalue the certification for prospective employers. Instead of relying on the certification body, the employer will need to apply their own bullshit detector to verify if the applicant actually has any API hacking experience. 

Mind you, this is not unique to PDSO. APISec University have the same problem with their CASA exam which is unproctored, unvalidated and open book. I haven't taken APISec's ASCP yet, so I don't know if that's proctored. 


About the CASP training itself? I liked it well enough and it did teach me quite a few new things. It's just that at a few points I really wish they'd gone more technically in-depth than they did. Don't get me wrong, they already go pretty deep on a lot of topics, but I wanted more. Case in point: I did two 6-8 hour deep dives on OAuth and on OAuth+OPA to really understand how a technical implementation in code would work. 

It was time and money well spent!
