Paco, Does certification belong in the realm of Secure Coding?
What is it we are really trying to achieve with a certification?

-Rob

On Mon, Mar 23, 2009 at 4:22 PM, Paco Hope <p...@cigital.com> wrote:

> On 3/21/09 6:43 PM, "Jim Manico" <j...@manico.net> wrote:
>
>> What really bothers me is that the CSSLP looks appsec operations focused - not
>> developer SDLC focused (or so I've heard). The SANS cert for software
>> security seems to drill a lot more into actual activities a developer should
>> take in order to write secure code and seems somewhat reasonable to me. I think a
>> secure software architecture cert would round out current offerings well.
>
> As a SME for that exam (i.e., one of the guys who makes exam questions and
> such), you're exactly right. It definitely is skewed towards a holistic,
> operations-type feel. However, you've misidentified its target.
>
> The target of the CSSLP is anyone involved in the software (though perhaps
> we should say "system") development lifecycle. It targets not just
> developers, but also testers, release managers, test managers, and others
> who are important to the big picture of getting software out the door. It's
> not a certified secure developer (i.e., code-slinger). The person who holds
> the cert should be acquainted with security in more phases of the lifecycle
> than just one. It does not, however, certify them as a security ninja in any
> phase.
>
> There was another comment about the CISSP that I found poignant: "It was too
> damn easy to pass and too damn hard to keep up with the CPE point entry..."
>
> Although point entry is tedious, it keeps the cert honest. You can't spend 3
> years converting oxygen into CO2 and remain certified. You actually have to
> do a few things. A CISSP person who has renewed once or twice is quite
> different from someone who has passed the exam after a cram session. Someone
> who certified once and lets their certification lapse is indistinguishable
> from the marginally-qualified candidate who crammed, passed, but ultimately
> couldn't maintain their cert.
>
> To reject certifications altogether is (to me) to endorse a continuation of
> the wild, wild west attitude towards security. Hire the best gunslinger you
> can get, and figure out who that is by word of mouth, rumor, and wanted
> posters at the post office. Like it or not, the citizens of this wild west
> are going to demand governance by a recognizable authority. Sooner or later
> these badge-wearing officials will come to town, and the scofflaws will be
> marginalized. The era of Wild Bill Hickok and Billy the Kid is over. It's
> only a matter of time before, for better or worse, the law moves in. We need
> to be on the right side, shaping those laws, not avoiding them.
>
> (Apologies to our international audience for an intensely US-centric
> metaphor)
>
> Paco
> --
> Paco Hope, CISSP, CSSLP
> Technical Manager, Cigital, Inc
> http://www.cigital.com/ | +1.703.585.7868
> Software Confidence. Achieved.
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________