Re: [SC-L] any one a CSSLP is it worth it?
On 4/12/2010 2:03 PM, Matt Parsons wrote:
> I am a CISSP with programming experience, static code analysis and web penetration testing. I am thinking about taking the CSSLP. I just bought the review book. Is it worth getting this certification? Is it going to raise my rates and help me get more contracts? Is the GIAC better, or should I pursue both or neither? I wrote about the first concept of the CSSLP on my blog. Any feedback would be greatly appreciated.
> http://parsonsisconsulting.blogspot.com/

It's supposed to be on track to become a US DoD cert in 8570. If you are in that world, that will help. Meanwhile it's part of our brag sheet as we work on getting new business in the software assurance area among our DoD customers. We've got two of us on our team from early in the experience assessment phase. Not sure how much it helps sell things over and above our reputation among our customers, but we keep it out there.

--
Mike Lyman
mly...@west-point.org

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] any one a CSSLP is it worth it?
Hi Matt,

Way back on May 9, 2007 I wrote my thoughts about certifications like these down. The article, called "Certifiable", was published by darkreading:
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

You can find all of my columns written over the last six years here: http://www.cigital.com/~gem/writings/.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 4/12/10 3:03 PM, Matt Parsons mparsons1...@gmail.com wrote:
> I am a CISSP with programming experience, static code analysis and web penetration testing. I am thinking about taking the CSSLP. I just bought the review book. Is it worth getting this certification? Is it going to raise my rates and help me get more contracts? Is the GIAC better, or should I pursue both or neither? I wrote about the first concept of the CSSLP on my blog. Any feedback would be greatly appreciated.
> http://parsonsisconsulting.blogspot.com/
>
> Thanks,
> Matt
>
> Matt Parsons, MSM, CISSP
> 315-559-3588 Blackberry
> 817-294-3789 Home office
> Do Good and Fear No Man
> Fort Worth, Texas
> A.K.A The Keyboard Cowboy
> mailto:mparsons1...@gmail.com
> http://www.parsonsisconsulting.com
> http://www.o2-ounceopen.com/o2-power-users/
> http://www.linkedin.com/in/parsonsconsulting
> http://parsonsisconsulting.blogspot.com/
> http://www.vimeo.com/8939668
Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
Keyboard Cowboy,

Education is always a good thing. I think kids should have the opportunity to learn both sides of software security. Great suggestion.

Kids, by nature, are drawn to things that are taboo and demonized, which hacking no doubt falls into, and, according to Daniel, so does Angelina Jolie.

We can find great analogies to the hacker-kids problem in recent studies done on teenage behaviors: the Bible Belt, particularly evangelicals in the south, have the highest rates of teen sex and pregnancy in the US. Telling kids to abstain clearly doesn't work as well as teaching them how things work, and in particular careful education surrounding the use of safety devices. To the exact point you made in your blog.

We see the exact same statistics surrounding firearm safety and education (in the US, again). Children (and adults) exposed to firearm safety and education rarely fall into firearm-accident statistics. Studies indicate that it is the kids we hide things from that want to pull the trigger to see what happens when they discover the [taboo]. In locations where children have open and honest instruction, and are provided with viable outlets for their firearms (say, condoms), we find discharge accident rates to be lower per capita. Again, the same point your blog post was making.

--- The Bad Peoples:

None of this does anything to solve the Bad People hacking problem. That solution requires Guns or Religion, which is far off topic for this list.

As Daniel pointed out, there's also a huge problem in webappsec with *poor people*. So, I think Daniel has some ideas for dealing with them too, but I, the reader, am not sure I understand what he is suggesting. When he comes back through the door maybe we'll learn more.

Definitely an exciting subject!
---
Arian Evans
Solipsistic Software Security Sophist

On Tue, Apr 13, 2010 at 6:33 AM, Daniel Herrera daherrera...@yahoo.com wrote:
> DARE didn't stop youth drug use, Sex Ed didn't stop teen pregnancy rates, why would your program stop/reduce script kiddies... j/k
>
> In all seriousness, I think your perspective on the cost/benefit is really skewed on this one. Attacks against US assets are a method of revenue generation in several impoverished areas around the world, places where the infrastructure would have very little means to even begin implementing a program like you described without serious financial aid. And once such a system was put in place, the financial drive would still push people to participate in this behavior to feed their families, pay their rent, etc.
>
> In the end I would try to think about the drivers behind malicious behavior a lot more closely. Sure, there are examples where hacking has been romanticized in the past within our society, but not enough for some kid to watch the movie HACKERS and then decide to go after his grandmother's credit card because then he would get to date Angelina Jolie. (well, other than me)
>
> I wrote this on my way out the door, so my point is in there somewhere but probably should go through some back and forth to get cleared up. Let me know if you, the reader, disagree.
>
> Regards,
> Daniel
>
> --- On Mon, 4/12/10, Matt Parsons mparsons1...@gmail.com wrote:
>> From: Matt Parsons mparsons1...@gmail.com
>> Subject: [WEB SECURITY] RE: How to stop hackers at the root cause
>> To: 'Matt Parsons' mparsons1...@gmail.com, SC-L@securecoding.org
>> Cc: owaspdal...@utdallas.edu, 'Webappsec Group' websecur...@webappsec.org, webapp...@securityfocus.com
>> Date: Monday, April 12, 2010, 9:51 PM
>>
>> I have published a blog post on how I think we could potentially stop hackers in the next generation. Please let me know what you think of it or if it has been done before.
>> http://parsonsisconsulting.blogspot.com/
>>
>> Matt Parsons, MSM, CISSP
>> 315-559-3588 Blackberry
>> 817-294-3789 Home office
>> Do Good and Fear No Man
>> Fort Worth, Texas
>> A.K.A The Keyboard Cowboy
>> mailto:mparsons1...@gmail.com
>> http://www.parsonsisconsulting.com
>> http://www.o2-ounceopen.com/o2-power-users/
>> http://www.linkedin.com/in/parsonsconsulting
>> http://parsonsisconsulting.blogspot.com/
>> http://www.vimeo.com/8939668
[SC-L] OWASP Podcast Series update
Hello SC-L,

We have a few new shows on the OWASP Podcast Series that may interest you. They include:

Show 64: An interview with Andy Ellis (Director of Security @ Akamai)
http://www.owasp.org/download/jmanico/owasp_podcast_64.mp3

Show 65: AppSec Roundtable with Boaz Gelbord, Dan Cornell, Jeff Williams and Johannes Ullrich (File Upload Security):
http://www.owasp.org/download/jmanico/owasp_podcast_65.mp3

Show 66: An interview with Brad Arkin (Director of Product Security and Privacy at Adobe)
http://www.owasp.org/download/jmanico/owasp_podcast_66.mp3

PS: You can subscribe to our RSS feed here: http://www.owasp.org/download/jmanico/podcast.xml
..or do the same via iTunes: http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
..or see our show list on the web: http://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows

PPS: The OWASP Podcast Series is a non-commercial podcast released under the Creative Commons/ShareAlike license.

Thanks for listening!

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
Re: [SC-L] any one a CSSLP is it worth it?
Gary McGraw wrote...
> Way back on May 9, 2007 I wrote my thoughts about certifications like these down. The article, called Certifiable, was published by darkreading:
> http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote:

> The multiple choice test itself is one of the problems. I have discussed the idea of using multiple choice to discriminate knowledgeable developers from clueless developers (like the SANS test does) with many professors of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless using multiple choice if you cheat. Here's how you do it. You write up your question and then list 4 or 5 INCORRECT answers and NO CORRECT answers. The clueless ones are the ones who just answer the question with one of the possible choices. The clueful ones are the ones who come up and argue with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788

"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, "How do we tell truths that matter?"
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
ACM SIGCSE will be pushing more information shortly on the K-12 program suggestions. I've heard it will include security.

-Rob

On Tue, Apr 13, 2010 at 9:27 PM, Jeremiah Heller jerem...@inertialbit.net wrote:
> An interesting point. If it were not socially unacceptable to perform ethnic cleansing, it would still occur at the levels indicated in those examples. If it were not for the civil rights movement and the eventually wide-spread acceptance of the idea that discrimination based on superficial properties was bad, there would still be slavery.
>
> Socially, groups clashed (and some still do) over their ideologies, which were used as a basis for logic and perceived sound judgement. However, the more we learn about the universe/world around us, the more we understand how little we know and that any judgement can only be temporary, until more knowledge is gained.
>
> Is it more ideologically sound to feed one's family or to obey a law which would allow them to starve simply due to a lack of other economic stimuli? I'm not speaking from any hard data, but I doubt that many third-world countries have a high local market for security experts, web developers, graphic designers, etc. So what is a poor third-worlder with an old hand-me-down PC and no job to do?
>
> Do security professionals really want to wipe hacking activity from the planet? Sounds like poor job security to me.
>
> The drive for survival seems key. I think that when the survival of many is perceived as threatened, then 'bad hacking' will be addressed on a scale which will contain it to the point that slavery is contained today... after all, don't hackers simply 'enslave' other computers? j/k
>
> Until then it seems that educating people on how these things /work/ is the best strategy. Eventually we will reach the point where firewalls and trojan-hunting are as common as changing your oil and painting a house. First we should probably unravel the electron... and perhaps the biological effects of all of these radio waves bouncing around our tiny globe... don't get me wrong, I like my microwaves, they give me warm fuzzy feelings :)
>
> On Apr 13, 2010, at 3:14 PM, Carl Vincent wrote:
>> Social acceptance is a horrible way to enforce change anyway. Japanese internment camps, the Holocaust, the civil rights wars of the American 40's, 50's, and 60's, the American red scare, the gay bashing that goes on to this day. All examples of large groups of people often doing things they don't agree with in order to behave according to socially acceptable tenets. ... Sounds like bad juju in my book -_-
>>
>> Paul Schmehl wrote:
>>> --On Monday, April 12, 2010 23:51:27 -0500 Matt Parsons mparsons1...@gmail.com wrote:
>>>> I have published a blog post on how I think we could potentially stop hackers in the next generation. Please let me know what you think of it or if it has been done before.
>>>
>>> Essentially your argument is that education can solve the problem of bad hacking. While I certainly think education can help, I think there will always be an element of society that is irredeemably bad and cannot be gotten rid of (or corrected, if you will) through education. Even societal shunning, which makes bad behavior so socially unacceptable that it must hide in the shadows, does not rid us of those who refuse to behave according to acceptable tenets.
Re: [SC-L] any one a CSSLP is it worth it?
Having a CISSP certification, I know it is more than just passing the test. You are not certified as a CISSP until you have another CISSP attest to your qualifications and you submit a detailed resume of your security experience by domain to (ISC)2 auditors. If the auditors do not feel your experience is sufficient, you don't get the certification. I cannot discuss the test or the testing strategy [(ISC)2 CISSP NDA], but (ISC)2 makes it known that not all the questions on the exam have the same point value and some questions have no point value at all.

Dave

David Wieneke, CISSP, GSEC, MIT
IT Security Engineer
Security Operations
CUNA Mutual Group
1.800.356.2644 Ext. 7753
dave.wien...@cunamutual.com
Common Purpose. Uncommon Commitment.

All information contained in this message is privileged, confidential and intended for the sole use of the individual(s) named above. If you are not the intended recipient, you are advised that any dissemination, distribution or copying of this communication is prohibited. If you are not the addressee or the person responsible for delivering this to the addressee, or have received this e-mail in error, please notify us immediately by returning the original message to the sender by e-mail and deleting the material from any computer, and destroying printed correspondence.

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Wall, Kevin
Sent: Wednesday, April 14, 2010 10:25 AM
To: 'Gary McGraw'; Matt Parsons; Secure Code Mailing List
Subject: Re: [SC-L] any one a CSSLP is it worth it?

Gary McGraw wrote...
> Way back on May 9, 2007 I wrote my thoughts about certifications like these down. The article, called Certifiable, was published by darkreading:
> http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote:

> The multiple choice test itself is one of the problems. I have discussed the idea of using multiple choice to discriminate knowledgeable developers from clueless developers (like the SANS test does) with many professors of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless using multiple choice if you cheat. Here's how you do it. You write up your question and then list 4 or 5 INCORRECT answers and NO CORRECT answers. The clueless ones are the ones who just answer the question with one of the possible choices. The clueful ones are the ones who come up and argue with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
Re: [SC-L] any one a CSSLP is it worth it?
On 14 Apr 2010, at 16:24, Wall, Kevin wrote:
> I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote:
>
>> The multiple choice test itself is one of the problems. I have discussed the idea of using multiple choice to discriminate knowledgeable developers from clueless developers (like the SANS test does) with many professors of computer science. Not one of them thought it was possible.

This is the part of the article I disagree with most, as well. Asking whether multiple choice exams can discriminate between clueful and clueless developers is a valid and important question to ask. However, I believe few professors of computer science could discriminate between clueful and clueless developers if "developer" and "clue" have industry-relevant definitions. What passes for development in an academic sense and what is required for clue in an academic sense are usually defined on very different axes than the axes used in industry. So, I think asking college professors whether standardised tests are valid in this respect is posing the important question to the wrong people.

There are notorious disconnects between what academics and industry value. Perhaps if you asked the folks who hire, promote, and evaluate developers, they could give a better opinion as to whether clue and standardised test performance correlate. Even then, I'd prefer to see something somewhat objective, like months between promotions versus certifications held, as opposed to calling a bunch of CIOs or VPs of Engineering and asking how well they think tests work.

Having said this, I am a CSSLP and I have helped write a ton of questions for the exam. I can tell you we struggle long and hard to write meaningful questions that actually discriminate a practitioner who has experience from a random, unqualified candidate. We follow well-established psychometric principles when designing the questions. The whole test creation/maintenance process is ANSI-approved and audited. Careful statistics are kept on the pass/fail rates on individual questions to discard questions that do not discriminate well. Over time, the question bank is maintained to remove questions that don't test well and to write new questions that represent changes in the landscape.

Some of you will undoubtedly dismiss this, saying "garbage in, garbage out", regardless of how pristine the pipes are. I believe that's too simplistic a view.

Paco
Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
Jeremiah Heller writes...
> do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me.

Even though I've been involved in software security for the past dozen years or so, I still think this is a laudable goal, albeit a completely unrealistic one. I for one would be completely happy to go back to software development / systems programming if all the security issues completely disappeared. But unfortunately, I don't think we ever have to worry about this happening.

> the drive for survival seems key. i think that when the survival of many is perceived as threatened, then 'bad hacking' will be addressed on a scale which will contain it to the point that slavery is contained today... after all don't hackers simply 'enslave' other computers? j/k

And of course, that is a good thing. After all, once the first sentient AI takes control of all the world's computers to subjugate all humanity, we have to have a way to fight back. Evil h40rs to the rescue! ;-)

> until then it seems that educating people on how these things /work/ is the best strategy. eventually we will reach the point where firewalls and trojan-hunting are as common as changing your oil and painting a house.

I agree. Even though one risks ending up with smarter criminals, by and large if one addresses the poverty issues most people ultimately seem to make the right decisions in the best interests of society. I think for many, once their curiosity is satisfied and the novelty wears off, they put these skills to good use. At least it seems to me a risk worth taking.

> first we should probably unravel the electron... and perhaps the biological effects of all of these radio waves bouncing around our tiny globe... don't get me wrong, i like my microwaves, they give me warm fuzzy feelings :)

Jeremiah, you do know that you're not supposed to stick your *head* in the microwave, don't you? No wonder you're getting the warm fuzzies. :)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
Re: [SC-L] [WEB SECURITY] Re: [owaspdallas] Re: [WEB SECURITY] RE: How to stop hackers at the root cause
You are absolutely right, Paul. The problems with ignorance- and abstinence-based approaches to child education extend out well beyond the Bible Belt, and can be found all over the US. I should have cast a wider net. Also, great job at ruining a good laugh.

http://aspe.hhs.gov/hsp/abstinence07/
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/18/AR2009031801597.html?hpid=topnewssub=AR
http://www.salon.com/life/broadsheet/feature/2009/03/19/teen_birthrate/index.html
http://dir.salon.com/topics/sex_education/

The point here is that while education is valuable, *comprehensive* education is even more valuable.

This is a loaded subject and people with belief-system drivers can get quite passionate about it. I'm not interested in a passionate discussion about this subject. I think the thread will turn into the tarpit of insanity if it goes further, so I suggest we be done,

---
Arian Evans

On Wed, Apr 14, 2010 at 10:29 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
> --On Tuesday, April 13, 2010 15:21:26 -0700 Arian J. Evans arian.ev...@anachronic.com wrote:
>> Keyboard Cowboy,
>>
>> Education is always a good thing. I think kids should have the opportunity to learn both sides of software security. Great suggestion.
>>
>> Kids, by nature, are drawn to things that are taboo and demonized, which hacking no doubt falls into, and, according to Daniel, so does Angelina Jolie.
>>
>> We can find great analogies to the hacker-kids problem in recent studies done on teenage behaviors: the Bible Belt, particularly evangelicals in the south, have the highest rates of teen sex and pregnancy in the US. Telling kids to abstain clearly doesn't work as well as teaching them how things work, and in particular careful education surrounding the use of safety devices. To the exact point you made in your blog.
>
> This is totally off topic, but I simply cannot let this slide. People like to throw out canards like this as if they are facts, and seldom are they ever questioned.
>
> First of all, your assertion isn't borne out by the data. Secondly, you've not cited a single study to back up your assertion, in particular the claim that the lack of sex education (which you assume occurs due to religious objections) is responsible for the claimed, but not factual, higher pregnancy rates.
>
> According to a study done by the Guttmacher Institute in 2000 [1] (the Guttmacher Institute is a pro-choice group that advocates for sex education), here are the state rankings by rate of pregnancy, with each state's ranking by rate of abortion after it:
>
> 1) Nevada (4)
> 2) Arizona (19)
> 3) Mississippi (28)
> 4) New Mexico (18)
> 5) Texas (26)
> 6) Florida (7)
> 7) California (5)
> 8) Georgia (22)
> 9) North Carolina (17)
> 10) Arkansas (41)
> 11) Delaware (8)
> 12) Hawaii (6)
>
> Of the top twelve states, only half are what could be considered Bible Belt states, so I think you have to look elsewhere for your explanation of teen pregnancy rates. OTOH, it's pretty clear the Bible Belt states are significantly less likely to abort a teen pregnancy, which may or may not be an indicator of religious influence. (I'm not prepared to say it is without data to support it.)
>
> About.com also has statistics about teen birth rates [2], and their statistics don't bear out your assertion either. Their stats are based on the 2006 Guttmacher Institute report, and the rankings have changed very little.
>
> States ranked by rates of pregnancy among women age 15-19 (pregnancies per thousand):
> 1. Nevada (113)
> 2. Arizona (104)
> 3. Mississippi (103)
> 4. New Mexico (103)
> 5. Texas (101)
> 6. Florida (97)
> 7. California (96)
> 8. Georgia (95)
> 9. North Carolina (95)
> 10. Arkansas (93)
>
> States ranked by rates of live births among women age 15-19 (births per thousand):
> 1. Mississippi (71)
> 2. Texas (69)
> 3. Arizona (67)
> 4. Arkansas (66)
> 5. New Mexico (66)
> 6. Georgia (63)
> 7. Louisiana (62)
> 8. Nevada (61)
> 9. Alabama (61)
> 10. Oklahoma (60)
>
> Again, the so-called Bible Belt doesn't demonstrate a propensity to get pregnant at any higher rates than other parts of the country, but clearly bears those children to term at a higher rate than other areas.
>
> Furthermore, the most recent statistics from the government [3], while they do show a change in the rankings, still do not bear out your assertion that the Bible Belt, particularly evangelicals in the south, have the highest teen pregnancy rates. As I've shown, birth rates do not equal pregnancy rates. You have to factor in abortions as well.
>
> You may well have been misled by MSNBC [4] (but then who hasn't been misled by MSNBC), because they recently reported a study that found a correlation between the Bible Belt and birth rates, but that study doesn't address pregnancy or abortion, so it's misleading. The study also appears to
Re: [SC-L] any one a CSSLP is it worth it?
Not sure that would work either though. Many secdev people are introverts. In their shell, they won't debate the validity of a position, including a wrong answer. Zone that into a response in the exam. It's one thing to say there is no correct answer, but the way the questions are set at ISC2, its what is the BEST answer out of this list. By the end of the 6 hours your eyes are glossed over as you actually had to think. But its still better than the 1-2 hr absolute answer exams from many orgs. I think where Gary nailed it on the head is you have to be a good developer BEFORE you can be a good at secdev. Poorly written code can not be trusted. It cannot be safe. The rest is moot. I have never been one to trust a piece of paper. Education comes from doing. Book knowledge cannot be the only weapon in a secdev's experience portfolio. He needs war wounds. Real scars of experience. He needs to learn from his own experience and apply that as the field matures and grows. I see far too many people who think because they opened Ken Van Wyk's, Michael Howard's or Gary McGraw's books that they now get secdev. Without actually applying that knowledge transfer. Review their code, and its far from absolute. Especially in failure code paths. Don't get me wrong... its essential reading. But its not enough. Doing is. In the immortal words of Yoda... Do or do not. There is no try.. I wonder if a bigger problem is that corps are relying on these certifications to weed out the bad apples? Does NOT having CSSLP mean the candidate sucks at secdev? Or the reverse, can anyone who passed the CSSLP be trusted to get it right all the time? Absolute security is a fallacy. As is perfect code. With enough money and motive, anything can be breached. A piece of paper won't stop that. Nor that crappy piece of code that I didn't properly threat model 15 years ago that is still in use today. 
-- Regards, Dana Epp
Microsoft Security MVP

On Wed, Apr 14, 2010 at 8:24 AM, Wall, Kevin kevin.w...@qwest.com wrote:

Gary McGraw wrote...
Way back on May 9, 2007 I wrote my thoughts about certifications like these down. The article, called Certifiable was published by darkreading: http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote:

The multiple choice test itself is one of the problems. I have discussed the idea of using multiple choice to discriminate knowledgeable developers from clueless developers (like the SANS test does) with many professors of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless using multiple choice if you cheat. Here's how you do it. You write up your question and then list 4 or 5 INCORRECT answers and NO CORRECT answers. The clueless ones are the ones who just answer the question with one of the possible choices. The clueful ones are the ones who come up and argue with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates ___
Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
On Apr 14, 2010, at 11:19 AM, Wall, Kevin wrote:

Jeremiah Heller writes...
do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me.

Even though I've been involved in software security for the past dozen years or so, I still think this is a laudable goal, albeit a completely unrealistic one. I, for one, would be completely happy to go back to software development / systems programming if all the security issues completely disappeared. But unfortunately, I don't think we ever have to worry about this happening.

Indeed, I'm in the happy position of developing with an eye on security. Without the excellent work done by the 'good hackers' (and 'bad' alike, come to that) I have no doubt my job would be much more difficult. My comment was more playful than thoughtful but it is an interesting paradox... for any job. Luckily there's a lot left to learn!

the drive for survival seems key. i think that when the survival of many is perceived as threatened, then 'bad hacking' will be addressed on a scale which will contain it to the point that slavery is contained today... after all don't hackers simply 'enslave' other computers? j/k

And of course, that is a good thing. After all, once the first sentient AI takes control of all the world's computers to subjugate all humanity, we have to have a way to fight back. Evil h40rs to the rescue! ;-)

Hmmm, maybe I should switch fields...

until then it seems that educating people on how these things /work/ is the best strategy. eventually we will reach the point where firewalls and trojan-hunting are as common as changing your oil and painting a house.

I agree. Even though one risks ending up with smarter criminals, by and large if one addresses the poverty issues most people ultimately seem to make the right decisions in the best interests of society. I think for many, once their curiosity is satisfied and the novelty wears off they put these skills to good use. At least it seems to me a risk worth taking.

I agree that the risk of educating all is one worth taking. I like to think that objective education (if possible) would drive people over time to work toward ends that benefit society as a whole. At the same time it seems that this would ultimately require people to come from similar backgrounds/experiences or to at least draw similar conclusions from those, however varied. Perhaps a good thing, but then could any thinking 'outside the box' really occur?

first we should probably unravel the electron... and perhaps the biological effects of all of these radio waves bouncing around our tiny globe... don't get me wrong, i like my microwaves, they give me warm fuzzy feelings :)

Jeremiah, you do know that you're not supposed to stick your *head* in the microwave, don't you? No wonder you're getting the warm fuzzies. :)

Ahh! That explains it! I suppose I should stop drooling over that warming cup of coffee :) What I find interesting (as a commentary about human behavior) is that the microwave was inspired by early work on radar and yet we took this idea and applied it to all sorts of technologies and currently blanket the earth with a wide spectrum of waves whose broader implications we barely understand; furthermore very little research (to my knowledge) has been done to explore any side effects. Is it simply too profitable/beneficial an enterprise to consider the risks? It took over 100 years to consider that burning fossil fuels might have some negative impacts, both to our immediate health and environment.

My dad related an interesting story to me recently about my grandfather who, while working at Boeing on a radar project, met a couple of radar techs who would keep their coffee warm by balancing it on the radar console between them. They also experienced what eventually became severe knee pain, but each only in one knee and, as they always sat in the same spot, it was in the knee next to the console. I'm not sure what the final diagnosis was but initially it was believed they were simply cooking their joints! Something to consider as we sit typing/reading and bathe in our lovely wifi cell networks (not to mention digital tv, which always seems to go on the fritz when I've got my head... er, coffee in the microwave :)

From http://www.gallawa.com/microtech/history.html
==
Like many of today's great inventions, the microwave oven was a by-product of another technology. It was during a radar-related research project around 1946 that Dr. Percy Spencer, a self-taught engineer with the Raytheon Corporation, noticed something very unusual. ...
==

Sorry to get off-topic like this, but at the same time general considerations about humanity's approach to risk management may have implications useful in the security field, who knows. Thanks for the fun discussion!

- jeremiah
Re: [SC-L] any one a CSSLP is it worth it?
Dana Epp wrote:
Not sure that would work either though.

Dana,

My comment was meant tongue-in-cheek. Guess I used the wrong emoticon. Figured that ';-)' would work 'cuz I never can remember the one for tongue-in-cheek. I've seen several variations of the latter... :-? :-Q :-J -) Take your pick.

Good in-depth analysis though. Seriously. And I agree with you completely. In my experience as an adjunct faculty member teaching a master's level Computer Security course (based in part on the McGraw/Viega book as well as Ross Anderson's _Security Engineering_) for 6 yrs, I came to the conclusion that multiple guess (as I call them) alone only proves how well someone memorizes something, at best, or how clueless people are (if they get incorrect answers) at worst. I would argue that, as for most of academia, it is unsuited for discerning cluefulness in the real world. Over the course of 30+ yrs in IT (yes, I am an old fart!), I've seen all too many people that excelled in academia but were miserable disappointments in industry. In fact, to that end, quality guru Deming is rumored to have said about (then) AT&T Bell Labs: "Bell Labs only hires the top 10% of graduates... and they deserve what they get!"

There is no substitute for real experience.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful.