Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-21 Thread McGovern, James F (HTSC, IT)
[EMAIL PROTECTED] On Behalf Of Arian J. Evans
Sent: Wednesday, May 16, 2007 4:05 PM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification
I don't understand this thread. These are different sets of issues. Often, they are different sets of people

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-16 Thread McGovern, James F (HTSC, IT)
@securecoding.org'
Subject: RE: [SC-L] Darkreading: Secure Coding Certification
Hi all, I like this idea. There is plenty of non-code material to master in our field. I think a bunch of it is covered in detail in Software Security...but I am biased. I would like to see coverage of common attack

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-16 Thread Gary McGraw
McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
Sent: Wednesday, May 16, 2007 03:08 PM Eastern Standard Time
To: SC-L@securecoding.org
Subject: [SC-L] Darkreading: Secure Coding Certification
Maybe the test shouldn't focus on code at all? If we can agree that many flaws are found

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-15 Thread Gary McGraw
From: [EMAIL PROTECTED] On Behalf Of Johan Peeters
Sent: Saturday, May 12, 2007 6:11 AM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification
I agree that multiple choice alone is inadequate to test the true breadth and depth of someone's

Re: [SC-L] Darkreading: Secure Coding Certification (starting point)

2007-05-15 Thread Arian J. Evans
Of Johan Peeters
Sent: Saturday, May 12, 2007 6:11 AM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification
I agree that multiple choice alone is inadequate to test the true breadth and depth of someone's security knowledge. Having contributed a few questions

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-14 Thread Florian Weimer
* Johan Peeters: I agree that multiple choice alone is inadequate to test the true breadth and depth of someone's security knowledge. Having contributed a few questions to the SANS pool, I take issue with Gary's article when it implies that you can pass the GSSP test while clueless. But I

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-14 Thread Steven M. Christey
On Mon, 14 May 2007, McGovern, James F (HTSC, IT) wrote: 1. ONLY consultants and vendors have jumped on the bandwagon. Other IT professionals such as those who work in large enterprises have no motivation to pursue. Only vendors have jumped on the bandwagon? The software developers are the

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-14 Thread Steven M. Christey
On Sat, 12 May 2007, ljknews wrote: but based on biases I see on this list, I tend to believe that those who make such a certification scheme would bias it toward: Programming done in C and derivative languages (C++, Java, etc.) Programming relying on TCP/IP neither of which

[SC-L] Darkreading: Secure Coding Certification

2007-05-12 Thread Gary McGraw
Hi all, As readers of the list know, SANS recently announced a certification scheme for secure programming. Many vendors and consultants jumped on the bandwagon. I'm not so sure the bandwagon is going anywhere. I explain why in my latest darkreading column: