I think what he means with certifications is that they'll get you the jobs you don't really want.
For example, CEH (Certified Ethical Hacker) is a certification you'll see in a lot of job postings. The thing is, if you know this field, you know that this certification is worthless; it's just an expensive piece of paper. So, if you get a job that requires you to be CEH, it's telling a lot about the company itself, you don't want to work there.
Same goes for the other certs, CISSP is OK but it doesn't really prove you can actually do useful work, and the jobs that require them are not the most interesting ones. The other popular one is OSCP, which I think is quite OK. It shows a minimal level of competence.
But I tend to agree with the feeling that certification in this field do more harm than good. What we need is more professionalism and good engineering.
EDIT: To clarify my point on OSCP, it is good in the sense that they force you to do hands on work. But, it is very narrow and most of what you learn are "tricks". An OSCP holder is proven to know what a pentest it, how to go about with it, and has a lot of sometimes useful tricks under his belt. It will not tell you whether someone really knows how applications and systems works.
OP is right. OSCP is an entry level certificate in pentesting. That doesn't mean it's easy to get, and the people that have it will certainly have put in the time.
Security skills are just not something you tend to pick up in 4 hours flat.
source: have both OSCP and OSCE, and I work in the industry
For example, CEH (Certified Ethical Hacker) is a certification you'll see in a lot of job postings. The thing is, if you know this field, you know that this certification is worthless; it's just an expensive piece of paper. So, if you get a job that requires you to be CEH, it's telling a lot about the company itself, you don't want to work there.
Same goes for the other certs, CISSP is OK but it doesn't really prove you can actually do useful work, and the jobs that require them are not the most interesting ones. The other popular one is OSCP, which I think is quite OK. It shows a minimal level of competence.
But I tend to agree with the feeling that certification in this field do more harm than good. What we need is more professionalism and good engineering.
EDIT: To clarify my point on OSCP, it is good in the sense that they force you to do hands on work. But, it is very narrow and most of what you learn are "tricks". An OSCP holder is proven to know what a pentest it, how to go about with it, and has a lot of sometimes useful tricks under his belt. It will not tell you whether someone really knows how applications and systems works.