Not sure that would work either though. Many secdev people are introverts. In their shell, they won't debate the validity of a position, including a wrong answer. Zone that into a response in the exam. It's one thing to say "there is no correct answer", but the way the questions are set at ISC2, it's "what is the BEST answer out of this list". By the end of the 6 hours your eyes are glossed over as you actually had to think. But it's still better than the 1-2 hr absolute answer exams from many orgs.
I think where Gary nailed it on the head is you have to be a good developer BEFORE you can be good at secdev. Poorly written code cannot be trusted. It cannot be safe. The rest is moot.

I have never been one to trust a piece of paper. Education comes from doing. Book knowledge cannot be the only weapon in a secdev's experience portfolio. He needs war wounds. Real scars of experience. He needs to learn from his own experience and apply that as the field matures and grows. I see far too many people who think because they opened Ken Van Wyk's, Michael Howard's or Gary McGraw's books that they now get secdev. Without actually applying that knowledge transfer. Review their code, and it's far from absolute. Especially in failure code paths. Don't get me wrong... it's essential reading. But it's not enough. Doing is. In the immortal words of Yoda... "Do or do not. There is no try."

I wonder if a bigger problem is that corps are relying on these certifications to weed out the bad apples? Does NOT having CSSLP mean the candidate sucks at secdev? Or the reverse, can anyone who passed the CSSLP be trusted to get it right all the time? Absolute security is a fallacy. As is perfect code. With enough money and motive, anything can be breached. A piece of paper won't stop that. Nor that crappy piece of code that I didn't properly threat model 15 years ago that is still in use today.

--
Regards,
Dana Epp
Microsoft Security MVP

On Wed, Apr 14, 2010 at 8:24 AM, Wall, Kevin <kevin.w...@qwest.com> wrote:

> Gary McGraw wrote...
>
>> Way back on May 9, 2007 I wrote my thoughts about
>> certifications like these down. The article, called
>> "Certifiable" was published by darkreading:
>>
>> http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630
>
> I just reread your Dark Reading post and I must say I agree with it
> almost 100%. The only part where I disagree with it is where you wrote:
>
> The multiple choice test itself is one of the problems. I
> have discussed the idea of using multiple choice to
> discriminate knowledgeable developers from clueless
> developers (like the SANS test does) with many professors
> of computer science. Not one of them thought it was possible.
>
> I do think it is possible to separate the clueful from the clueless
> using multiple choice if you "cheat". Here's how you do it. You write
> up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
> answers.
>
> The clueless ones are the ones who just answer the question with one of
> the possible choices. The clueful ones are the ones who come up and argue
> with you that there is no correct answer listed. ;-)
>
> -kevin
> ---
> Kevin W. Wall           Qwest Information Technology, Inc.
> kevin.w...@qwest.com    Phone: 614.215.4788
> "It is practically impossible to teach good programming to students
> that have had a prior exposure to BASIC: as potential programmers
> they are mentally mutilated beyond hope of regeneration"
>     - Edsger Dijkstra, How do we tell truths that matter?
>       http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________