Re: [SC-L] Darkreading: Secure Coding Certification
* Johan Peeters:

I agree that multiple choice alone is inadequate to test the true breadth and depth of someone's security knowledge. Having contributed a few questions to the SANS pool, I take issue with Gary's article when it implies that you can pass the GSSP test while clueless. But I guess you can fail it because your views are too refined (and you take too long to make your choices). After all, there are different schools of thought when it comes to secure coding and its methodologies. For instance, summing up buffer overflows or directory traversals under input validation is somewhat debatable.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] Darkreading: Secure Coding Certification
On Mon, 14 May 2007, McGovern, James F (HTSC, IT) wrote:

> 1. ONLY consultants and vendors have jumped on the bandwagon. Other IT professionals such as those who work in large enterprises have no motivation to pursue.

Only vendors have jumped on the bandwagon? The software developers are the ones we WANT jumping on the bandwagon. But it's not just those two. The initial announcement of these exams featured representatives from several large US government organizations who said they need this. Other major US organizations need this and want this, but they aren't saying so publicly. SANS did a survey of over 300 organizations that included a lot of software consumers.

> 3. It needs to be more language agnostic. Folks who code in Smalltalk, Ruby or scripting languages should not be treated as second-class citizens.

The current tests are designed to handle specific skills in specific, prominent languages. Other tests might come out as a result of demand.

> 4. I would not measure experience but desire to pursue knowledge.

This would be great, but I'm not sure how you could actually test it.

- Steve
Re: [SC-L] Darkreading: Secure Coding Certification
On Sat, 12 May 2007, ljknews wrote:

> but based on biases I see on this list, I tend to believe that those who make such a certification scheme would bias it toward:
>
> - Programming done in C and derivative languages (C++, Java, etc.)
> - Programming relying on TCP/IP
>
> neither of which is relevant to my endeavors.

The test is intended to cover the language areas and programming idioms that are most likely to be taught at the university level and used by programmers with only a couple of years' experience.

- Steve