On Thu, 8 Mar 2007, Greg Beeley wrote:

> Perhaps one of the issues here is that if you are in operations work
> (network security, etc.), there are more aspects of the CISSP that are
> relevant to your daily work. In software development, there is usually
> just the one - app development sec - that the developer thinks about,
> unless the code has inherent security functionality, in which case
> access control, architecture/models, and cryptography can be important
> too.

Secure development certification will hopefully come to the marketplace in droves in the next year or two. One organization is not-so-privately-but-technically-not-yet-publicly preparing to roll something out in the coming months, and hopefully that will inspire others. Insert obligatory cert disclaimer here, but geez, it's badly needed to raise the bar even a hair.

> developer meet, to be a "security professional"? Should there be
> something like the Common Criteria EALs, but somewhat less formal,
> to encourage broader use in labeling projects and code, esp. in the
> open-source world?

Dave Litchfield and I have *very* casually investigated forming a CC-like concept of Vulnerability Assessment Assurance Levels (VAAL), which is intended to reflect the depth of a vuln researcher's analysis as some crude but semi-repeatable measure of assurance. I've also done some thinking about vulnerability complexity, and I assume I've mentioned my vulnerability theory work on this list, since I never shut up about it.

Such concepts could be turned around to reflect the depth of understanding that a developer has - e.g. they know enough to try to strip out <SCRIPT> tags, but they don't know about javascript: in IMG tags.

I have a couple of pages of working notes on VAAL for offline dissemination to interested parties who promise to give me feedback.

- Steve

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
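The "strip <SCRIPT> tags but miss javascript: in IMG tags" gap that Steve uses to illustrate shallow versus deeper developer understanding, shown in working code. This is an added example, not code from the original post or from the SC-L list: `stripScriptTags` is the naive filter, `sanitizeHtml` is an allowlist sanitizer that also checks the URL scheme on `href`/`src` after decoding entities and stripping the control characters browsers ignore. The function names, the allowlist contents, and the sample markup in `PAYLOAD` are all constructed for illustration.

```javascript
// Added example (not from the original post): a filter that only strips
// <script> tags, the IMG payload that bypasses it, and an allowlist
// sanitizer that also checks URL schemes. All sample markup is constructed.

// Naive filter: removes <script>...</script> blocks and lone <script> tags.
// Inline event handlers and javascript: URLs are untouched.
function stripScriptTags(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/<\/?script\b[^>]*>/gi, '');
}

// Allowlist (illustrative): element -> attributes permitted on it.
// Anything not listed, including every on* handler, is dropped.
const ALLOWED = { b: [], i: [], p: [], br: [], a: ['href'], img: ['src', 'alt'] };
const URL_ATTRS = new Set(['href', 'src']);

// Decode numeric entities and strip control/whitespace characters (browsers
// ignore them inside a scheme, so "java&#x09;script:" is still javascript:),
// then accept only http(s)/mailto or scheme-less (relative) URLs.
function isSafeUrl(value) {
  const decoded = value
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)))
    .replace(/[\x00-\x20]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(decoded);
  if (!scheme) return true;                       // no scheme: relative URL
  return /^(https?|mailto)$/i.test(scheme[1]);
}

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Allowlist sanitizer: unknown elements lose their tags (text is kept),
// script/style lose their contents too, attributes must be allowlisted,
// and URL-bearing attributes must pass isSafeUrl.
function sanitizeHtml(html) {
  const body = html.replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1\s*>/gi, '');
  const tagRe = /<(\/?)([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(body)) !== null) {
    out += escapeText(body.slice(last, m.index));
    last = tagRe.lastIndex;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!(name in ALLOWED)) continue;             // tag removed, inner text kept
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    const attrRe = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
    let a;
    while ((a = attrRe.exec(rawAttrs)) !== null) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED[name].includes(attr)) continue;            // onerror=, style=, ...
      if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // javascript:, data:, ...
      attrs += ` ${attr}="${escapeAttr(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeText(body.slice(last));
}

// Constructed sample: the script block is what the naive filter catches,
// the javascript: IMG source is what it misses.
const PAYLOAD = '<p>hi</p><script>alert(1)</script><img src="javascript:alert(1)">';

console.log(stripScriptTags(PAYLOAD)); // <p>hi</p><img src="javascript:alert(1)">
console.log(sanitizeHtml(PAYLOAD));    // <p>hi</p><img>
```

The allowlist here is deliberately small and the tokenizer is regex-based; it is enough to show the difference in depth, but for production code a sanitizer built on a real HTML parser (DOMPurify, for instance) handles the parsing corner cases that a hand-rolled regex does not.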