The CompTIA Advanced Security Practitioner (CASP) certification is intended for professionals with at least ten years of experience in security administration, including five years of hands-on technical experience; this is CompTIA's recommendation rather than a hard prerequisite. The CASP does not require that any previous exams have been passed, but it is a higher-level exam than the CompTIA Security+.
Applicants are given 150 minutes to complete the 80-question, pass/fail exam. The test is divided between four domains. Forty percent of the questions will relate to the enterprise security domain. Risk management, policy and procedure, and legal questions make up 24 percent of the exam, integration of computing, communications and business disciplines 22 percent, and research and analysis 14 percent.
The exam measures an applicant's ability to engineer complex enterprise security solutions. It is vendor-neutral, yet it may require knowledge of vendor-specific tools. Its difficulty level is comparable to that of the Certified Information Systems Security Professional (CISSP) exam. This is the first CompTIA exam that includes performance-based questions: some questions place candidates in a simulated software environment and require them to choose the correct tool or perform the correct task for a given scenario. The CASP certification recommends ten years of relevant work experience, while the CISSP certification requires five years.
The enterprise security domain requires that a candidate know the various types of virtualization and when each is used, application vulnerabilities such as buffer and integer overflows, testing techniques such as fuzzing, and the security concerns of enterprise storage. A good understanding of the TCP/IP suite and all of its components, including application-layer protocols such as DNS, is necessary.
A candidate must be able to select the appropriate cryptographic tools and techniques for a given situation, and advanced cryptographic techniques are covered. The domain also covers penetration testing and its tooling: sniffers, port scanners, password crackers, and attack tools and frameworks. The candidate must be familiar with tools such as Wireshark (packet capture and analysis), Metasploit (exploitation framework) and John the Ripper (password cracking), and know when to use each.
The risk management, policy and procedure, and legal domain requires that an applicant understand the ways that business decisions can affect security risks. Candidates must also be able to implement risk mitigation strategies and security procedures according to organizational policy. A variety of risk management approaches and policies are covered. Incident response preparation is included, and the candidate must understand chain of custody and be familiar with forensics tools.
The research and analysis domain covers security trends and methods of analyzing an enterprise's security posture. Network traffic analysis is covered here, as is the importance of balancing security with usability.
The final domain covers the integration of computing, communications and business disciplines. Candidates must understand how to use various advanced authentication techniques and be able to implement security consistently across company divisions. The domain addresses the impact of changes such as mergers, technology life cycles and emerging threats.
This domain also covers the security concerns of communications. Converged communications technologies such as VoIP are included here, along with network access control (NAC) and consumer devices. Candidates need to understand the security implications of unified communications, in which formerly separate voice, data and messaging services share the same infrastructure.
CASP is the first mastery-level certification issued by CompTIA, which has to date been known for entry- to mid-level certifications. It was developed in response to government and industry demand for a more stringent certification than the Security+. The target candidate is a professional who designs and implements security in a large organization with multiple locations. CompTIA does not regard CASP as a direct competitor to the CISSP: the CISSP is targeted at senior managers and policy makers, while the CASP is directed at enterprise technical security leads, practitioners who work hands-on with the technology.