GWAPT and OSWE are among the top certifications in security and are mainly built for penetration testers.
Let’s look at the differences between the two in terms of their focus areas, their exam structures, prerequisites to be eligible for the exams, fees, and delivery methods.
Web Security Certification Focus
Both certifications are related to web security but there are differences in their learning approach and exam methods.
GWAPT Focus Areas
GIAC Web Application Penetration Tester certification (GWAPT) is focused on web application security and specifically on the following areas:
- Web application authentication attacks
- Reconnaissance and Mapping
- Cross-Site Request Forgery, Cross-Site Scripting, and Client Injection Attack
- Web Application Configuration Testing
- Web Application Session Management
- Web Application SQL Injection Attacks
- Web Application Testing Tools
OSWE Focus Areas
The Offensive Security Web Expert (OSWE) certification is also focused on web application security and specifically on exploiting front-facing web applications. This certificate requires you to have the skills to be able to perform security testing and exploit a web application during a white-box penetration testing activity.
Having the OSWE certifies that you can:
- Perform web app source code auditing
- Write scripts and exploit web application vulnerabilities
- Implement complex chained attacks using multiple vulnerabilities
- Use creative and lateral thinking to determine innovative ways of exploiting web vulnerabilities
- Assist web development teams in creating and maintaining web apps that are secure by design
You can read the course syllabus for more information.
GWAPT Certificate Expiration
Security certifications can be valid forever, but many have to be renewed every few years.
GIAC certifications have to be renewed every 4 years. The renewal fee for the GIAC course is $430.
OSWE Certificate Expiration
The OSWE certificate does not expire.
There are no subscriptions, renewals, membership fees, or other requirements to requalify with Offensive Security.
GIAC does not have any prerequisites, but completing the Advanced Web Attacks and Exploitation (AWAE) course and lab environment is required in order to sit for the OSWE exam.
GWAPT Exam Overview
- Open book/notes
- Time limit of 3 hours
- 82–115 questions
- Minimum Passing Score of 71%
Find more details here about GIAC’s testing instructions.
OSWE Exam Overview
The OSWE certification exam simulates a live network in a private VPN, which contains a small number of vulnerable systems.
You have 47 hours and 45 minutes to complete the exam.
Once the exam is finished, you will have another 24 hours to upload your report and wait for its review to learn if you passed or not.
Exam Delivery Methods
GWAPT Exam Delivery Methods
- Remote proctoring through ProctorU: This means that you can take your exam from anywhere in the world as long as you have a webcam and a reliable Internet connection.
- Onsite proctoring through Pearson VUE: This means that the GIAC-approved Training Center or Proctor Pearson VUE will be administering your exam.
OSWE Exam Delivery Methods
The OSWE exam is proctored like the GWAPT exam. You are given access through the student portal, where you must allow access to your system so that you can be monitored during the time of your examination.
Offensive Security has a comprehensive guide on this.
A GIAC preparation course and exam will cost you around $7000. Offensive Security certifications, on the other hand, are more in the $1,500 to $2000 range, which is more affordable.
You can also choose to take only a GIAC exam, which costs approximately $2000.
The price for the OSWE exam is bundled with lab access through the purchase of the WEB-300 course and is priced at $1649 for 90 days of lab access with one exam attempt.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.