I'm not a CISSP person just because my clients haven't required it yet.
However, they are concerned with application security and restricting
access to those who are not authorized (in addition to XSS, SQL injection,
and the usual list of suspects). I call myself a 'secure developer' only
because I *think* I know how to code countermeasures and I am aware of the
types of attacks an application can go through.

I see the field of programming naturally adopting security techniques in
its code the same way quality techniques crept into our lives. Remember
when a person could code a few web screens and call himself a web developer
without ever once considering heap management, efficient SQL, and frameworks
that helped manage concurrent users? I see security and all its coding
techniques following the same path. Eventually, it will not only be
required but assumed by the clients. Those who can't adapt won't be hired.

I have actually started working security-related questions into our
interview process. If I hire a web developer and he/she has never heard of
social engineering, I move on to the next candidate.

Just my thoughts.

Jason Grembi

Lead Web Developer
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.