Traditionally InfoSec folks defined themselves as being knowledgable in 
firewalls, policies, etc. Lately, many enterprises are starting to recognize 
the importance of security within the software development lifecycle where even 
some have acknowledged that software is a common problem space for those things 
traditionally thought of as infrastructure. 

The harder part is not in terms of recognizing the trend but in terms of folks 
from the old world acknowledging folks from the new world (software 
development) also as security professionals. I haven't seen many folks make 
this transition. I do suspect that some of it is tied to the romance of 
certifications such as CISSP whereby the exams that prove you are a security 
professional talk all about physical security and network security but really 
don't address software development in any meaningful way.

Would be intriguing for folks here that blog to discuss ways for folks to 
transition / acknowledge respect not as just software developers with a 
specialization in security but in being true security professionals and treat 
them like peers all working on one common goal.

-----Original Message-----
From: Shea, Brian A [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 08, 2007 2:07 PM
To: Gunnar Peterson; McGovern, James F (HTSC, IT)
Subject: RE: [SC-L] What defines an InfoSec Professional?

The right answer is both IMO.  You need the thinkers, integrators, and
operators to do it right.  The term Security Professional at its basic
level simply denotes someone who works to make things secure.

You can't be secure with only application security any more than you can
be secure with only firewalls or NIDs.  The entire ecosystem and
lifecycle must be risk managed and that is accomplished by security
professionals.  Each professional may have a specialty due to the
breadth of topics covered by Security (let's not forget our Physical
Security either), but all would be expected to act as professionals.
Professionals in this definition being people who are certified and
expected to operate within specified standards of quality and behavior
much like CISSP, CPA, MD, etc.

This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.

Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.

Reply via email to