> [...] I do suspect that some of it is tied to the romance of
> certifications such as CISSP whereby the exams that prove you are a
> security professional talk all about physical security and network
> security but really don't address software development in any meaningful
> way. [...]

That's interesting.  While I have not taken the CISSP, I have studied
it a bit, and software & app development security is supposed to be one
of the 10 domains that the test covers.

Perhaps one of the issues here is that if you are in operations work
(network security, etc.), there are more aspects of the CISSP that are
relevant to your daily work.  In software development, there is usually
just the one - app development sec - that the developer thinks about,
unless the code has inherent security functionality, in which case
access control, architecture/models, and cryptography can be important.

I agree that the software developer is a key part of the security
big picture.  In fact one of the reasons that firewalls have become so
popular today is because of software bugs in host OS's and services...

But software dev is unique in several ways that mean that it may be
hard for the CISSP to cover it in a balanced manner.  Teaching an IT
person about fire and lightning protection, or about routers or
firewalls, about ACL's, or even about risk management, does not have
a steep learning curve.  But learning the basics needed to really
understand even high-level concepts regarding software security &
high-assurance development practices is a much higher learning
curve endeavor, in my view, for the typical IT person.

A few questions, then -- should all developers be/become security
professionals?  Even the most innocent "pet project" application can
end up having worldwide security implications, given the way apps
can be rapidly popularized these days.  What qualifications should a
developer meet, to be a "security professional"?  Should there be
something like the Common Criteria EAL's, but somewhat less formal,
to encourage broader use in labeling projects and code, esp. in the
open-source world?

- Greg
