[SC-L] Information Protection Policies

2007-03-08 Thread McGovern, James F (HTSC, IT)
Hopefully lots of the consultants on this list have been wildly successful in getting Fortune enterprises to embrace secure coding practices. I am curious to learn of those who have also been successful in getting these same Fortune enterprises to incorporate the notion of secure coding

[SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
If you have two individuals, one of which has been practicing secure coding practices and encouraging others to do so for years while another individual was involved with firewalls, intrusion detection, information security policies and so on, are they both information security professionals or

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
actually just the former. Robert Garigue characterized firewalls, nids, et al as good network hygiene. The equivalent of a dentist telling you to brush your teeth. An infosec pro needs much more depth than that. The model is charlemagne

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Shea, Brian A
The right answer is both IMO. You need the thinkers, integrators, and operators to do it right. The term Security Professional at its basic level simply denotes someone who works to make things secure. You can't be secure with only application security any more than you can be secure with only

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
Traditionally InfoSec folks defined themselves as being knowledgable in firewalls, policies, etc. Lately, many enterprises are starting to recognize the importance of security within the software development lifecycle where even some have acknowledged that software is a common problem space for

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Michael Silk
On 3/9/07, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote: Traditionally InfoSec folks defined themselves as being knowledgable in firewalls, policies, etc. Lately, many enterprises are starting to recognize the importance of security within the software development lifecycle where even

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
What Garigue was trying to say is that deploying a firewall on a network is not security's mandate; it is _part of_ running a network. Basic hygiene. Brushing your teeth is part of having teeth. Deploying anti-virus on a windows desktop is not security; it is _part of_ operating a desktop. This is

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Greg Beeley
[...] I do suspect that some of it is tied to the romance of certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way. [...] That's

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Steven M. Christey
On Thu, 8 Mar 2007, Greg Beeley wrote: Perhaps one of the issues here is that if you are in operations work (network security, etc.), there are more aspects of the CISSP that are relevant to your daily work. In software development, there is usually just the one - app development sec - that