In November 2016, I took CompTIA’s Security+ exam.
NB I did the SY0-401 syllabus; CompTIA replaced it with SY0-501 in October 2017, so some of the info in this blog post will now be a bit out of date.
In brief, I think that this is a worthwhile certification. It emphasises breadth rather than depth, so if you want to specialise in IT security then it’s really just a starting point. However, if you’re doing general IT work then it covers a lot of topics that it’s useful for you to know. Similarly, from an employer’s point of view, someone with this certification should have a decent overview of security concepts.
I used 2 books to prepare for this exam, which I’ve reviewed over at Goodreads:
- Security+ Certification Training Kit (Pro-Certification) (Microsoft Press)
- CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide (Darril Gibson)
The Microsoft book was written for the SY0-101 syllabus (in 2003). I mainly read it because I’d already bought it, but I don’t recommend it. It’s interesting that Microsoft actually published a study guide for a CompTIA exam, since they normally focus on their own exams. There weren’t any subsequent editions, so I think this was an experiment that they abandoned.
Darril Gibson’s book was very good, and I kept it for general reference after I’d taken the exam. For example, this was the first time I came across the concepts of RTO (Recovery Time Objective) and RPO (Recovery Point Objective), which I’ve subsequently used several times for disaster recovery and business continuity planning. I know that the author has released a new version for the SY0-501 syllabus, although I haven’t read it. I also purchased Gibson’s SCCP study guide when I came to take that exam, based on the quality of this book.
That said, I did notice some mistakes in the SY0-401 book. I submitted some errata which didn’t make it into the official list on the author’s website. The most significant example was that he got confused between a collision domain and a broadcast domain, so I’d advise further reading if you’re a bit shaky on network concepts.
Aside from actual mistakes (which were always incorrect), best practices in security will change over time. However, the exam syllabus only gets updated once every few years. This might mean that you need to supply the answer they want, rather than the correct answer.
When I did the Network+ exam (in April 2015), I wrote: “Mind you, be aware that the Network+ syllabus treats MAC filtering as a good idea whereas the CWNP treat it as legacy technology which you should avoid.” The same applies to the Security+: SY0-401 and SY0-501 both include MAC address filtering (for wireless access points) in the list of objectives.
Similarly, SY0-401 went live in May 2014, but the POODLE attack (exploiting a vulnerability in SSL 3.0) wasn’t made public until October 2014.
As well as the textbooks, I’ve also been taking an interest in security issues for several years, and I’ve written about a few of them here. For example, I had hands on experience with configuring firewalls and issuing certificates.
When I came to book the exam, I noticed a slight disparity in pricing. The Pearson Vue website charged £189 + VAT for a basic voucher, whereas the CompTIA store charged £195 + VAT for the exam. (Checking again today, both sites charge £207 + VAT for SY0-501.) However, my study guide included a 10% discount code, which was only valid in the CompTIA store. So, it made sense to jump through an extra hoop: buy the voucher at the CompTIA store, then redeem it on the Pearson Vue website. When I paid for the voucher, the website said that I’d receive it in 3-4 hours; I actually received it in just under an hour, which isn’t bad.
NB The CompTIA store also has some bundles which include a retake and training material. I didn’t opt for them, and the discount code was only valid for the basic voucher. However, if you’re not confident about passing the exam first time then this might be more cost effective. E.g. £349 for the basic bundle is a bit cheaper than paying for 2 exam vouchers at £207 each. Personally, I’d only recommend them if you think that the extra training material justifies the price.
As for the exam questions, I signed a Non-Disclosure Agreement, so I can’t go into detail. However, I’d advise you to download the exam objectives from the CompTIA site and ensure that you’re familiar with all the acronyms in there. Similarly, you should be able to recognise various port numbers.
I was a bit disappointed by the simulations in my exam. The actual content was fine, but the user interface was poorly designed: the screen was very crowded, and I often found that I had to exit from the whole thing then go back in, just to get to a different screen. Hopefully they improved that with the SY0-501 exam.
Anyway, I passed the exam on my first attempt, so I’m happy with that. In 2018, CompTIA introduced stackable certifications, which they applied retroactively. In this case, that meant that I got the “Secure Infrastructure Specialist” certification as a freebie (A+, Network+, and Security+).
I previously wrote about CompTIA’s CE program. After I passed this exam, I updated my “intent level” to be Security+ rather than Network+.
If you want to stay at Security+ level, I think the most cost-effective method is to do a CertMaster course every few years. The Security+ course costs $199, so it’s cheaper than retaking the exam. Alternately, if you do an eligible exam from another provider (e.g. the SSCP), you could pay $150 in CE fees to get that recognised. However, you have to pay for the other exam, so it’s only cheaper if you were going to do that anyway.
Personally, I renewed my Security+ certification by taking the PenTest+ exam (in April 2019) and the CySA+ exam (in March 2020). So, as long as I keep them up to date, I’ll automatically renew the Security+ too.