I am the designated certification hog (see sigblok) for my group, which
does source code security analysis and pen testing. So I'm fairly
familiar with what goes into getting and keeping these certs. And I
don't think that a CISSP is nearly specific enough for software source
code security
Now,

I don't think I follow, Mike... how do you think Common Criteria or FIPS
140-2 have anything to do with this topic? Accreditation programs are
useful, but only to the degree that they're underpinned by quality
standards, quality technical testing, and competent development programs
concerned with d

Thanks for that excellent and detailed response, Steve. A few follow-up
questions:
1) What sort of charter and executive support was/is necessary to
establish a group like SSG, and to continue building on it? In
particular, I wonder about how the mandate was established, and then
supported over the

I'm not even sure why we're talking about CISSPs in this regard. Having
a CISSP proves nothing; it's merely a blind HR/recruiter checklist item.
I've personally met dozens of CISSPs who can't answer the most basic of
security questions.
The short-term comes down to what Gary talked about recently,

On 1/11/2010 3:42 PM, John Steven wrote:
> As a last resort, might I suggest using inheritance and encapsulation
> to stitch together framework-provided cut points and ESAPI code.
This is where ESAPI will evolve. For starters, we need to get our base
controls right. :) This is the hallmark of compl

Paco, these are really great comments and will be really useful for us
in improving the doc prior to release as an OWASP project.
One aspect of the paper that I noticed you referenced a few times is
the set of requirements for authentication. I agree this isn't
normally the kind of thing a framewo

> we start to create standards for how Security Controls should behave [and
> basically the rest of the post]
I submit ASVS for your consideration. If one is further concerned about
building blocks in the environment, check out Common Criteria and FIPS
140-2.
Also,

There have also been discussions

My view is that the key to make this work is to create the ESTAPI, which is
the Enterprise Security *Testing* API
This way we would have (for every language):
- *ESAPI Interfaces* - which describe the functionality that each
security control should have
- *ESTAPI* - Unit Tests that check

On Jan 12, 2010, at 9:23 AM, Rohit Sethi wrote:
> Many of us have argued that the features of underlying web
> application frameworks will make a major impact on the security of
> the individual applications built on top of them.
This is timely, relative to John Steven's recent discussion (re: E

The software security problem is a huge problem. There are not enough
CISSPs to even think about solving this problem.
CISSPs probably should have a tactical role helping categorize,
classify, and facilitate getting things done. Scanner jockeys and
network security folk will lead the operational c

For those who might be interested. There are still a couple weeks until the
submission deadline

Karen Mercedes Goertzel, CISSP
Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com
---
Special Issue of IJSSE
Theme: Software Safety & Dependability - the Art of Engineering Trust