> certifications such as CISSP whereby the exams that
> prove you are a security professional talk all about
> physical security and network security but really don't
> address software development in any meaningful way.

Perhaps what is needed is a separate certification.  It would be nice to know 
that someone knows how to write software in a secure manner, but it's not 
necessary that they know all about physical security, firewall rules, etc.  It 
could even be done at multiple levels, like Sun's Java certs, to certify 
knowledge of secure design principles vs. secure *implementation* principles, 
maybe even going onward to principles of building security into the process.  
Something like, say, Certified Secure Programmer, Coder, and Software Engineer, 

> Would be intriguing for folks here that blog to discuss ways

...in their blogs?  <rant size="micro">That's not discussion, that's 
pontificating.  It also detracts from discussion, by fracturing it.</rant>  
Discussion is what we're having *here*, so whether someone blogs is irrelevant.


Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.