On 3/21/09 6:43 PM, "Jim Manico" <j...@manico.net> wrote:

> What really bothers me is that the CSSLP looks appsec operations focused - not
> developer SDLC focused (or so I've heard). The SANS cert for software
> security seems to drill a lot more into actual activities a developer should
> take in order to write secure code and seems somewhat reasonable to me. I think a
> secure software architecture cert would round out current offerings well.

As a SME for that exam (i.e., one of the guys who makes exam questions and such), you're exactly right. It definitely is skewed towards a holistic, operations-type feel. However, you've misidentified its target. The target of the CSSLP is anyone involved in the software (though perhaps we should say "system") development lifecycle. It targets not just developers, but also testers, release managers, test managers, and others who are important to the big picture of getting software out the door. It's not a certified secure developer (i.e., code-slinger). The person who holds the cert should be acquainted with security in more phases of the lifecycle than just one. It does not, however, certify them as a security ninja in any phase.

There was another comment about the CISSP that I found poignant: "It was too damn easy to pass and too damn hard to keep up with the CPE point entry..." Although point entry is tedious, it keeps the cert honest. You can't spend 3 years converting oxygen into CO2 and remain certified. You actually have to do a few things. A CISSP person who has renewed once or twice is quite different from someone who has passed the exam after a cram session. Someone who certified once and lets their certification lapse is indistinguishable from the marginally-qualified candidate who crammed, passed, but ultimately couldn't maintain their cert.

To reject certifications altogether is (to me) to endorse a continuation of the wild, wild west attitude towards security. Hire the best gunslinger you can get, and figure out who that is by word of mouth, rumor, and wanted posters at the post office. Like it or not, the citizens of this wild west are going to demand governance by a recognizable authority. Sooner or later these badge-wearing officials will come to town, and the scofflaws will be marginalized. The era of Wild Bill Hickok and Billy the Kid is over. It's only a matter of time before, for better or worse, the law moves in. We need to be on the right side, shaping those laws, not avoiding them.

(Apologies to our international audience for an intensely US-centric metaphor)

Paco

--
Paco Hope, CISSP, CSSLP
Technical Manager, Cigital, Inc
http://www.cigital.com/
+1.703.585.7868
Software Confidence. Achieved.

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________