OSCP vs OSWE

In late 2019 I completed the requirements for the Offensive Security Certified Professional certification. It was challenging and a bit more stressful than the eCPPT examination I’d passed before this. It was 24 hours of trying to break into systems that sometimes led you down a wrong path and ate into your examination hours. The OSCP certification is difficult but it’s really aimed at using the tools of the trade, following a process they provide you and just understanding scripts and tools that you are running. There may be an element of changing scripts to fit needs; it needs that basic understanding of reading code, what some might call script kiddie level.

In October 2020 I decided to take on the OSWE after going through the AWAE materials that I’d had since the beginning of the year (minus the online boxes to attack). It was genuinely a different level of difficulty and it relies on a lot of self-learning. It was the closest I have been to not completing an examination as it was just so hard to make progress at times. The goal here is very much reading code, understanding what it’s doing and why it might not be doing it in the best way. It also has elements of using encryption, hashing and encoding, which are required in the automation of the scripts that you write. It’s necessary to make use of Burp Suite on this and then convert web requests into something you use in your code. I can’t give too much away but suffice to say it’s not easy. After handing in I genuinely thought I’d failed… but I was delighted to see a few days later I’d passed!

OSCP and OSWE are different beasts in terms of expectations and level. OSWE really does require an understanding of code, injection, encryption, writing these into scripts and most importantly automating the full exploit process – end to end to pop a shell. If you do anything developer-related then OSWE would be good to have; it covers a lot of the OWASP Top Ten throughout the course.

I am delighted with passing both but I definitely value the OSWE more as it’s definitely an advanced level certification. Because of cost, time investment required & having a little baby to entertain, there will be no more Offensive Security certifications for a while!