[SC-L] Special Issue of IJSSE: Software Safety Dependability - the Art of Engineering Trustworthy Software

2010-01-13 Thread Goertzel, Karen [USA]
For those who might be interested. There are still a couple of weeks until the submission deadline. Karen Mercedes Goertzel, CISSP Associate Booz Allen Hamilton 703.698.7454 goertzel_ka...@bah.com --- Special Issue of IJSSE Theme: Software Safety Dependability - the Art of Engineering

Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers

2010-01-13 Thread Arian J. Evans
The software security problem is a huge problem. There are not enough CISSPs to even think about solving this problem. CISSPs probably should have a tactical role helping categorize, classify, and facilitate getting things done. Scanner jockeys and network security folk will lead the operational

Re: [SC-L] [Esapi-dev] Recommending ESAPI?

2010-01-13 Thread Dinis Cruz
My view is that the key to making this work is to create the ESTAPI, which is the Enterprise Security *Testing* API. This way we would have (for every language): - *ESAPI Interfaces* - which describe the functionality that each security control should have - *ESTAPI* - Unit Tests that

Re: [SC-L] [Esapi-user] [Esapi-dev] Recommending ESAPI?

2010-01-13 Thread Mike Boberski
we start to create standards for how Security Controls should behave [and basically the rest of the post] I submit ASVS for your consideration. If one is further concerned about building blocks in the environment, check out Common Criteria and FIPS 140-2. Also, there have also been discussions

Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers

2010-01-13 Thread Benjamin Tomhave
I'm not even sure why we're talking about CISSPs in this regard. Having a CISSP proves nothing; it's merely a blind HR/recruiter checklist item. I've personally met dozens of CISSPs who can't answer the most basic of security questions. The short-term comes down to what Gary talked about

Re: [SC-L] InformIT: You need an SSG

2010-01-13 Thread Benjamin Tomhave
Thanks for that excellent and detailed response, Steve. A few follow-up questions: 1) What sort of charter and executive support was/is necessary to establish a group like SSG, and to continue building on it? In particular, I wonder about how the mandate was established, and then supported over

Re: [SC-L] [Esapi-user] [Esapi-dev] Recommending ESAPI?

2010-01-13 Thread Benjamin Tomhave
I don't think I follow, Mike... how do you think Common Criteria or FIPS 140-2 have anything to do with this topic? Accreditation programs are useful, but only to the degree that they're underpinned by quality standards, quality technical testing, and competent development programs concerned with

Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers

2010-01-13 Thread Lindley James R
I am the designated certification hog (see sigblok) for my group, which does source code security analysis and pen testing. So I'm fairly familiar with what goes into getting and keeping these certs. And I don't think that a CISSP is nearly specific enough for software source code security. Now,