It really depends on what you are hiring for. 

If we are talking App/Software security - like Gary has said many times - I 
would rather hire a software guy and train them about security. Doing it the 
other way around is almost impossible. How can you really do software security 
if you are a netsec expert with no experience writing real software? This is 
especially true if you are taking a more strategic approach to software 
security. 

And the opposite is true - hiring a coder to lock down a network probably isn't 
the best hiring choice! =)

What really bothers me is that the CSSLP looks appsec operations focused - not 
developer SDLC focused (or so I've heard). The SANS cert for software security 
seems to drill a lot more into the actual activities a developer should take in 
order to write secure code and seems somewhat reasonable to me. I think a secure 
software architecture cert would round out the current offerings well. 

  ----- Original Message ----- 
  From: Joe Teff 
  To: SC-L@securecoding.org 
  Sent: Friday, March 20, 2009 8:38 PM
  Subject: Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs


  I notice certs like CISSP when hiring. It says the person has a basic 
  understanding of all IS security areas. Nothing more. If someone can't pass the 
  CISSP then I have to wonder why.



    -----Original Message-----
    From: Paco Hope <p...@cigital.com>
    To: "SC-L@securecoding.org" <SC-L@securecoding.org>
    Date: Thu, 19 Mar 2009 11:36:45 -0400
    Subject: Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs


    On 3/18/09 5:29 PM, "Jeremy Epstein" <jeremy.j.epst...@gmail.com> wrote:

    > If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it

    ...then I'd say you have an overly simplistic view of the world.

    Anyone who believes that a credential automatically conveys some magical
    knowledge that you didn't have before is just as overly-simplistic as
    someone who disparages all credentials equally. It just isn't a black and
    white world. 

    Paco
    -- 
    Paco Hope, CISSP, CSSLP
    Technical Manager, Cigital, Inc
    http://www.cigital.com/  +1.703.585.7868
    Software Confidence. Achieved.


    _______________________________________________
    Secure Coding mailing list (SC-L) SC-L@securecoding.org
    List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
    List charter available at - http://www.securecoding.org/list/charter.php
    SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
    as a free, non-commercial service to the software security community.
    _______________________________________________