
Rabbit holes and white hats – OSCP and OSWA data security certifications are earned through hard work and expertise


Pinja’s Technical Project Manager Jesse Ikola has been particularly interested in data security throughout his career. He is currently completing the OSWA data security certificate in web application penetration testing, which complements the OSCP certificate he obtained earlier. Flexible career paths within Pinja have enabled Jesse’s journey from coder to project manager, now with an increasing focus on security specialist roles.

At Pinja, a builder of a digital society, data security is at the heart of business, and a common concern for all employees. The skills of all staff are at a high level, but there are also experts who are particularly passionate and dedicated to data security. One of them is Jesse Ikola, a technical project manager and data security expert based in Seinäjoki.

Jesse’s interest in data security was sparked early in his career. At first he studied the subject in his spare time, but at Pinja he has been able to benefit from Pinja’s training pledge and continue his studies as part of his work. Every Pinjan has the opportunity to spend 10 days a year developing their skills and professionalism.

- I’ve been interested in data security for a long time, and in recent years I’ve used Pinja’s training days for it. I have already completed the OSCP data security certification, earlier this year I obtained the DevSecOps certification, and I am currently completing the OSWA certification, Jesse says. He shares his DevSecOps knowledge in his recent blog post, where he gives tips on how to take care of the information security of organizations in the manufacturing industry.

According to Jesse, the security certificates, taken together as a comprehensive package, provide a good refresher on what he has already learned, but also update and deepen his knowledge. A large part of Pinja’s projects are web-based solutions, so OSWA, which focuses on web applications, is a good fit for both internal and client security testing. Certificates are also a reliable way for a client to verify that the person has the necessary skills.

- The OSWA certificate is useful for any testing involving a cross-browser application or, for example, an interface used by browser applications. In addition to being a good refresher on the techniques studied in OSCP, the course covered web techniques at a much deeper level. For our clients’ projects, I could also recommend this package to colleagues, or even someone who wants to get into the industry, says Jesse.

Penetration testing

  • Penetration testing is a security assessment that aims to identify vulnerabilities in information systems or applications from an attacker’s perspective. 
  • It simulates real attacks on a system in order to identify security risks before they are exploited and cause damage.
  • The deliverable is a report to the client describing the findings and recommending corrective actions.

OSCP data security certificate

  • OSCP = Offensive Security Certified Professional 
  • Penetration testing training and certification provided by OffSec
  • Known in particular as a practical and technical certificate
  • Widely recognized in the industry, and established as one of the most recommended security certificates
  • A broad perspective on Linux, Active Directory, data networks, and various server applications, among others

OSWA data security certificate

  • OSWA = OffSec Web Assessor
  • Web application penetration testing training and certification provided by OffSec
  • One of the latest certificates offered by OffSec
  • Focuses exclusively on black-box-style penetration testing of web applications

The security certification indicates a high level of competence

Offensive Security, now known as OffSec, provides the OSCP and OSWA penetration testing training and certifications for security professionals. Both demand a high level of competence, the stamina to sit through long sessions, and a good deal of hard thinking, both while working through the training material and in the final exam.

- It’s quite difficult to teach data security in a classroom alone, as it’s such a diverse mix of many things. For example, to pass the OSCP certification, you need to have sufficient understanding of Linux, networking, coding and web applications, among other things, Jesse says.

However, Jesse feels that the training courses provide good and comprehensive background materials and training labs to practice penetration testing on your own. The course materials include dozens of hours of reading and videos, and Jesse says that he has spent dozens of hours in the training lab.

- One training platform that I can highly recommend is Hack The Box. There you can legitimately put yourself in the hacker’s shoes and try to find vulnerabilities. The exercises are gamified, and the platform offers a suitable number of challenges and statistics. You can get started on the platform with a free account, and you can also get access to more advanced training packages at a very low cost, says Jesse.

A 24-hour heat 

Both the OSCP and OSWA training courses end with a fairly intensive final exam, in which you must compromise enough of the exam machines within 24 hours to score at least 70 of the 100 available points. To prevent cheating, the exam also has some interesting practical arrangements, including being proctored throughout via webcam.

The exam is a white hat exercise: you need to find the vulnerabilities hidden in the exam servers and break into the services by exploiting them. Success is proven by delivering a report within 48 hours of the start of the exam. The report follows the format of a professional penetration testing report, stating the findings and explaining step by step how to reproduce each one. 

- It really tests the nature of the participant as well, as you have exactly 24 hours, and then you have to write a report on the findings. Looking for vulnerabilities is a bit like putting on a balaclava and black leather gloves for a moment, and trying to break into a house by kicking in the front and back doors, and maybe even the doors of a few neighbors, Jesse says.

According to Jesse, another major challenge in the final exam is time management. Twenty-four hours sounds like a long time, but it goes fast if you get stuck in dead ends for too long.

- For example, you could have an egg timer that goes off every 15 minutes. If a particular line of investigation is not progressing soon, it may be worth shifting your attention elsewhere. You have to have several irons in the fire at once. While you are preparing the malware you will need later, automated scanners are constantly running in the background. Of course, there are deliberate rabbit holes on the server, which are a waste of time, Jesse says. 

Although data security certifications require hard work and intensive final exams, Jesse is happy to spend time completing them. As well as inevitably building up skills, the security certifications also help Jesse move in the career path that he wants. Currently, Jesse carries out internal auditing and penetration testing of internal products, among other things, and he is also involved in strengthening the DevSecOps culture.

- It’s great to be able to do something that I’ve been interested in for a long time, and that I’ve done in my spare time, for a living. But the idea is not to abandon the role of project manager altogether, but to draw on expertise from both sides. The aim is to combine client communication and data security in the job description, Jesse says.

Jesse's career path at Pinja

  • 2016: Started working at Pinja as a software developer (.NET, Android application development, Python), also as a tester and technical consultant in a client project
  • 2018: OSCP data security certification, gradually moving into project manager role
  • 2023: DevSecOps certification, and OSWA certification in progress, focus shifting to security specialist roles
