CHECK Team Leader (Web App) Overview

Sun 20th Nov 11

As I happily announced the other day I recently passed my CHECK Application Team leader exam. As I did with with my CHECK Team Member exam I've decided to write up my experience. I did the exam with CREST who are very strict on their NDAs and not releasing information which would give others inside knowledge on the tests. With this in mind I'll be covering general points about the test and the day in general but nothing specific. Please don't contact me to ask for specifics, you won't get anything.

I decided to write this up in two parts for two different audiences, make your choice:

Competitor in the work market

It was the hardest exam ever, I barely got out with my life. The doctors say that I might regain some movement in my left leg and they will try to reattach my right arm but I'll never throw the boomerang again.

I also found out that polyester bonds to skin when superheated so my "All hail Kevin Johnson" vest, which I was wearing for luck, is now part of my skin. It has been recommended though that because of the way the photo has melted I stay away from small children, old ladies and goats.

Don't do the exam, you will regret it. In fact, to save your sanity and prevent you from ever being sent on this mind melter I recommend giving up IT now, I've heard that zoo keeping is a well paid and very rewarding career.

Everyone else

My main worry about the exam was whether it was going to be based on real world scenarios or theoretical ones. From reading the syllabus it could have been either so I decided to spend my revision time looking at the more obscure threats and attacks as I figured I've done enough real world testing to cover that side of things. As it turned out it is based on the real world so learning to deserialize java objects so they can be modified in transit turned out to be of little use, something I'm really glad about. Obviously I can't say exactly what was covered but being good at your day job, understanding the basics such as SQLi and XSS should cover you for the vast majority of the labs.

The exam is broken down into three parts, a set of multi-choice questions, three long answer questions out of a choice of four and a practical lab. The multi-choice and long answer part are done as one in a way that I've never seen before. You get 2.5 hours for the pair but as the multi-choice are closed book but the long answer is open book you have to declare when you've finished the multi-choice, hand over the paper and then start the long answer. This means that you get to choose how long you spend on both sections, you can spend 2 hours on the multi-choice bit and just half an hour on the long answer or the other way around.

The multi-choice section is fairly standard, just know your stuff and chose the right option.

In the long answer part the questions were well written and showed the marks available for each question. I like this as when it says "Give 6 reasons for X" and there are 6 marks you know each answer is probably a short one, similarly "Discuss X in relation to Y" - 10 marks, you know you've probably got to get 10 distinct points down.

Something I've not seen before is that they have the ability to knock off marks for bad English and using inappropriate language. I don't mean swearing in your answer but where a question asks you to discuss something in terms management would understand, if you give the kind of answer you'd give to your hacker mates in the pub then you will lose marks. This is carried on into the lab section where a lot of the questions ask you to give answers of how you did something, or how it would affect business, in terms management would understand. As CTLs are going to be running projects and generally be the interface between technical and the client I like this approach as it means that people who pass this test have shown that they are more than just techies who can pop shells.

I was told that it isn't confidential that the labs are based on php and ASP/ASP.NET and MySQL and MSSQL. There was mention of the labs being rebuilt sometime in the near future and as they say that they are always trying to make things harder I would predict Oracle being added to the list of databases at some point. If it were then it would need a language putting with it, I'd predict Java. This is purely guesswork so don't blame me if you turn up being an expert in Java and Oracle and get Cold Fusion and Access.

The labs done were done in two parts, a fairly regimented first section tells you what to do at each point, find XSS, demo it, prove SQLi etc. The second part just gives you objectives and asks for tokens to prove you achieved them, for example, bypass the login system. The first part shows you have all the individual skills that are required on a test, the second shows that you know how to put them together and perform an actual test.

This is the only exam I can remember doing where I would have liked more time. I answered as much as I could and got to the end of each section but would have liked to go back and elaborate on various areas or pick up the odd mark that I know I missed. Because of this I've got to stress, manage your time, check how many marks a section is worth and spend time appropriately. In the lab there is the option on a couple of the questions to take a hint or an answer so you can move through to the next part, obviously this comes with a penalty in terms of marks for the section if you take it. I didn't have to do this but consider it if you have to, you may find later parts more to your liking.

Both the long answer and lab parts are open book, this means full Internet access as well as any books you bring with you. This is good as it means you can look things up but it is a little bit tricky as rather than give you access on your own machine you have to use use a dedicated Internet access machine and transfer any files you download to your machine via a memory stick. It works but just feels a little unnatural having to get up and walk across the room to Google something.

The exam took place in the CREST offices in Slough, as I'm from Sheffield I went down the night before and spent the night in the Holiday Inn. That turned out to be a very good choice as it is literally a minute walk around the corner to the exam. Being able to get up at a sensible hour, have breakfast then walk casually around the corner beats the stress of driving or having to rely on trains any day. The invigilator for the day, Stuart, was a nice guy. He did a good job of putting us at ease, explained everything well and generally looked after us. There is a huge Tesco Express a few minutes walk away where we went for lunch but there are also various options in the city centre as well.

Something worth mentioning is that CREST expect you to leave your hard-drive and any other media behind to be wiped after the exam. I bought a second disk and cloned my main one then used the clone for the exam so I could leave it behind. Make sure you have the tools you need to be able to remove your disk and that you know how to do it. I'd hate to be in there at 5PM after spending all day doing the exam and then have to work out how to open my case having never done it before.

All-in-all the day went a lot smoother than I thought it would and, this may sound big headed, was easier than I expected. I say this because what they were testing was what I've been doing as a job for the last umpteen years. There were no trick questions, nothing designed to deliberately catch you out and as long as you know how to do a good web app assessment and are able to report on it at both technical and managerial level then you should be fine.