What Garigue was trying to say is that deploying a firewall on a network is not security's mandate; it is _part of_ running a network. Basic hygiene. Brushing your teeth is part of having teeth. Deploying anti-virus on a Windows desktop is not security; it is _part of_ operating a desktop. This is an important distinction, because it captures why so much security spend is targeted at the wrong issues. Security evolved out of operations, and today we all still live with this historical baggage.
If you want to operate a network or a desktop in an enterprise, you have certain security responsibilities defined by information security policy... perhaps even backed up by mechanisms, good for you, but these have little to do with information security, much like going to a dentist who just told you to brush your teeth and gave you a toothbrush would have extremely limited value... yet this is what we get from information security groups across this great cyberland of ours. I would point you to the fallacy of keeping up with the Jones' explored in detail at the Justice League:

http://www.cigital.com/justiceleague/2007/02/22/keeping-up-with-the-jones-security-initiatives/

Security groups that help businesses make risk tradeoffs based on functionality, time, and cost add value (you know, just like software development does).

"Amateurs study cryptography; professionals study economics." -- Allan Schiffman

-gp

On 3/8/07 1:07 PM, "Shea, Brian A" <[EMAIL PROTECTED]> wrote:

> The right answer is both IMO. You need the thinkers, integrators, and
> operators to do it right. The term Security Professional at its basic
> level simply denotes someone who works to make things secure.
>
> You can't be secure with only application security any more than you can
> be secure with only firewalls or NIDs. The entire ecosystem and
> lifecycle must be risk managed and that is accomplished by security
> professionals. Each professional may have a specialty due to the
> breadth of topics covered by Security (let's not forget our Physical
> Security either), but all would be expected to act as professionals.
> Professionals in this definition being people who are certified and
> expected to operate within specified standards of quality and behavior
> much like CISSP, CPA, MD, etc.
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
> Sent: Thursday, March 08, 2007 9:13 AM
> To: [EMAIL PROTECTED]
> Cc: SC-L@securecoding.org
> Subject: Re: [SC-L] What defines an InfoSec Professional?
>
> Actually just the former. Robert Garigue characterized firewalls, NIDs,
> et al as good network hygiene. The equivalent of a dentist telling you
> to brush your teeth. An infosec pro needs much more depth than that. The
> model is Charlemagne:
>
> http://1raindrop.typepad.com/1_raindrop/2007/02/thinking_about_.html
>
> -gp
>
> -----Original Message-----
> From: "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]>
> Date: Thursday, Mar 8, 2007 10:27 am
> Subject: [SC-L] What defines an InfoSec Professional?
>
> If you have two individuals, one of which has been practicing secure
> coding practices and encouraging others to do so for years while another
> individual was involved with firewalls, intrusion detection,
> information security policies and so on, are they both information
> security professionals or just the latter?
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________