Ducksec May 18, 2024 certifications, comptia

CompTIA SecurityX

Last week I was invited by CompTIA to take the new SecurityX beta - so why not! I already have the CASP+, so this is a great opportunity to refresh knowledge and learn some new things - all for $50! The new eXpert series from CompTIA will eventually feature three exams, DataX, SecurityX and CloudNetX. According to CompTIA:

CompTIA Advanced Security Practitioner (CASP+) is the expert version of CompTIA Security+ and will be re-branded to SecurityX, with the next exam version. This name change will not affect the status of current CASP+ certification holders and those with an active CASP+ certification will receive a SecurityX certification. The certification will continue to:

  • Validate job tasks performed by a security professional with 10 years of IT experience and 5 years of security experience
  • Be designed around the tasks performed by senior security engineer and security architect roles
  • Be a natural progression from the job roles aligned to Security+

I’ll be updating this blog as I make better notes on the changes between the old and new syllabi, but for now let’s dive in with some initial impressions.

So what’s changed?

As usual there are some general updates to ensure the certification aligns with the newest approaches and tools, but there are also some larger shifts in the core areas of focus. My overall impression is that the SecurityX (CAS-005) specification places a stronger emphasis on proactive and advanced security measures which are more suitable for today’s hyper-connected environments, whilst adding some key new areas, such as AI security.

For example, CompTIA have included objectives covering the adoption of zero trust architecture, cloud access security brokers (CASBs), and the integration of AI in security operations. An increased emphasis on automated security processes, including Security Orchestration, Automation, and Response (SOAR), and on advanced cryptographic concepts like homomorphic encryption and post-quantum cryptography, also suggests a shift towards more sophisticated and automated security frameworks.

In some places, familiar topics have been somewhat deepened and modernised - the inclusion of topics like continuous integration/continuous deployment (CI/CD) and advanced application security testing reflects the growing importance of secure software development practices, and an expanded approach to risk management is evident in sections covering supply chain risk management, formal methods for software security, and the introduction of Software Bill of Materials (SBoM).

Here’s a quick summary of what’s changed - if you’re planning to take the beta, hopefully this helps you to focus in on what you may need to put some extra study into!

Quick summary of changes between CASP+ (CAS-004) and SecurityX (CAS-005)

Firstly, the certification Domains have been re-named and modified:

CASP+ (CAS-004) Domains

  1. Security Architecture
  2. Security Operations
  3. Security Engineering
  4. Security Governance, Risk, and Compliance

SecurityX (CAS-005) Domains

  1. Governance, Risk and Compliance
  2. Security Architecture
  3. Security Engineering
  4. Security Operations

As you might expect there are some new topics in each section - for now, here’s a quick rundown of items which jumped out at me:

New topics and areas of focus in SecurityX (CAS-005)

  1. Governance, Risk and Compliance
    • Supply Chain Risk Management
    • Updated GRC frameworks (DMA, COPPA etc.)
    • Focus on AI Security challenges
  2. Security Architecture
    • Zero Trust Architecture
    • Cloud Access Security Broker (CASB)
    • Integration of AI in Security
    • Software-Defined Networking (SDN)
    • Secure Access Service Edge (SASE)
    • Formal Methods for Software Security
    • Software Bill of Materials (SBoM)
    • Greater focus on APIs
  3. Security Engineering
    • Advanced Cryptographic Concepts
    • Specialised systems (IoT / OT)
    • Authenticated Encryption with Associated Data (AEAD)
    • TOML (Tom’s Obvious, Minimal Language)
    • Blockchain and Immutable Databases
    • Use of Post-Quantum Cryptography (PQC)
    • Virtualised technologies (e.g. vTPM)
  4. Security Operations
    • Greater focus on automation
    • Rita and Sigma (Rule based languages)

I will update this post with more analysis as I start my studying!