GIAC is launching a new certification for developers and application security professionals involved in defending web applications. As the author of the corresponding course DEV522, I was invited to beta test the exam. So, while I have a related interest, this isn't my baby. This certification exam is fantastic - it is tough. To pass you need to synthesize different skills and knowledge regarding how to defend web attacks against hackers' attacks.
The GWEB certification questions are technically oriented, scenario based, and really give your mind a workout. They test your skills, experience and depth of understanding. These are not your run of the mill multiple choice questions like "What is the definition of ?insert buzzword of the day'?". The questions test your knowledge with scenarios on specific vulnerabilities and options on how to fix or test them. There is also a complete listing GWEB certification topics online.
I am sure someone will ask: "Is this meant to be the end-all, be-all application security certification?" Of course, the answer is "No". This cert isn't a silver bullet. It proves that you have mastered the technical skills and that you have the knowledge to design, build and review applications to make sure that they are defensible. We're always learning new skills, but this cert proves you are competent. If nothing else, simply preparing for the exam will help to broaden your base of knowledge or reinforce things that you already know. You and your organization will be better for it.
In case you are wondering, I passed the exam (whew...would be embarrassed if I didn't). The questions were not easy but not too difficult either. My estimate is that if you have been in the application security field for at least three years and have stayed on top of some of the more recent security developments around AJAX, clickjacking, etc then you will be able to pass the exam. However, you'll need to read the questions very carefully. Shameless plug: DEV522 Defending Web Application Security Essentialsis an excellent way to prep for the exam. The good news for you and for bosses looking to attract the right talent or to train the current team is that a passing grade on this certification truly means the individual knows how to Defend Web Apps. GWEB is the only cert out there to prove you have these skills.
If your role involves preventing a web application from being hacked then the GWEB certification is for you!
