I'm not a CISSP person just because my clients haven't required it yet. However, they are concerned with application security and restricting access to those who are not authorized (in addition to XSS, SQL injection, and the usual list of suspects). I call myself a 'secure developer' only because I *think* I know how to code countermeasures and I am aware of the types of attacks an application can go through.
I see the field of programming naturally adopting security techniques in their code the same way quality techniques crept into our lives. Remember when a person could code a few web screens and call himself a web developer without ever once considering heap management, efficient SQL, and frameworks that helped manage concurrent users? I see security and all its coding techniques following the same path. Eventually, it will not only be required but assumed by the clients. Those who can't adapt won't be hired. I have actually started working security-related questions into our interview process. If I hire a web developer and he/she has never heard of social engineering, I move on to the next candidate.

Just my thoughts.

Jason Grembi
Lead Web Developer
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________