[SC-L] SC-L] What defines an InfoSec Professional?

2007-03-11 Thread Jason Grembi

I'm not a CISSP person just because my clients haven't required it
yet.  However,
they are concerned with application security and restricting access to those
who are not authorized (in addition to XSS, SQL injection, and the usual
list of suspects).  I call myself a 'secure developer' only because I *think
* I know how to code countermeasures and I am aware of the types of attacks
an application can go through.



I see the field of programming naturally adopting security techniques in
their code the same way quality techniques crept into our lives.   Remember
when a person could code a few web screens and call himself a web developer
without ever one considering heap management, efficient SQL, and frameworks
that helped managed concurrent users.  I see security and all its coding
techniques following in the same path.  Eventually, it will not only be
required but assumed by the clients.  Those who can't adapt won't be hired.




I have actually stated working security related questions into our interview
process.  If I hire a web developer and he/she has never heard of social
engineering, I move on to the next candidate.



Just my thoughts.



Jason Grembi

Lead Web Developer
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread Michael S Hines
I respectfully disagree.

The need for a firewall or IDS is due to the poor coding of the receptor of
network traffic - so you have to prevent bad things from reaching the
receptor (which is the TCP/IP stack and then the host operating system - and
then the middleware and then the application).

The reason you have to prevent bad things from reaching the receptor (OS) is
because of poor coding practices in the receptor (OS).

In terms of state diagrams - you have an undefied state in the code - which
produces unpredictable actions.  Technically speaking, it's undesireable but
predictable actions - that's how the software can be used to gain
unauthorized entry.  And once someone finds the hole - the very mechanism
used for protection (networks) is used to spread the story.  Kind of like
the farmer eating his seed corn.   :)

Regarding roles - there are many who do Infosec - in many different roles.
Law makers, lawyers, Boards of Directors, management, policy staff,
technical staff, network engineers, programmers, quality assurance staff,
users, ethical hackers, unethical hackers, et al.

I'm not sure we're moving the industry forward by trying to say I am one
but You are not - are we?

Mike Hines
-
Michael S Hines
[EMAIL PROTECTED]


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread Benjamin Tomhave
I'm gonna have to go ahead and disagree with you, there, Michael.  You're
looking at things far too narrowly.  And here's a very simple example:

Small business.  Single DMZ.  Hosts DB and Web App on separate platforms. 
Web app needs to make back-end calls to DB.  There's no reason whatsoever
why the DB itself needs to be directly exposed to the Internet.  Thus, you
implement a firewall that restricts ingress access on ports 80/443 to the
web server only.

This scenario would exist irregardless of the quality of the underlying
code, based on principles of default deny, defense in depth, segregation
of duties, etc.  In other words, don't put all your eggs in the securely
coded basket.

---
On the original topic... I don't think titles or certifications or even
security-related actions make a security professional.  I know personnel
within security departments who perform access management tasks without a
solid understanding of what all is contained within infosec.  They don't
know the security triad (C-I-A), they don't necessarily have a sound
understanding of why they're doing what they do, etc.  Yet they have
security in their titles.

Similarly, I've interviewed many a CISSP who I would not consider to be an
infosec professional.  Just because you can memorize a few facts within
the 10 infosec domains does not mean you get it.  I would even go so far
as to say that just because a developer reads the OWASP Top 10 and then
begins performing input validation does not make them an infosec
professional.  It makes them a better developer.

Bottom line, then, is that a true infosec professional should be defined
as someone working in a dedicated security role who distinguishes
themselves by their level of knowledge, wisdom, and experience that can be
demonstrably applied within the infosec genre.

fwiw  tgif.

cheers,

-ben

-- 
Benjamin Tomhave, MS, CISSP, NSA-IAM, NSA-IEM
[EMAIL PROTECTED]
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/profile?viewProfile=key=1539292
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/

We must scrupulously guard the civil liberties of all citizens, whatever
their background. We must remember that any oppression, any injustice, any
hatred is a wedge designed to attack our civilization.
-President Franklin Delano Roosevelt

On Fri, March 9, 2007 7:54 am, Michael S Hines wrote:
 I respectfully disagree.

 The need for a firewall or IDS is due to the poor coding of the receptor
 of
 network traffic - so you have to prevent bad things from reaching the
 receptor (which is the TCP/IP stack and then the host operating system -
 and
 then the middleware and then the application).

 The reason you have to prevent bad things from reaching the receptor (OS)
 is
 because of poor coding practices in the receptor (OS).

 In terms of state diagrams - you have an undefied state in the code -
 which
 produces unpredictable actions.  Technically speaking, it's undesireable
 but
 predictable actions - that's how the software can be used to gain
 unauthorized entry.  And once someone finds the hole - the very mechanism
 used for protection (networks) is used to spread the story.  Kind of like
 the farmer eating his seed corn.   :)

 Regarding roles - there are many who do Infosec - in many different roles.
 Law makers, lawyers, Boards of Directors, management, policy staff,
 technical staff, network engineers, programmers, quality assurance staff,
 users, ethical hackers, unethical hackers, et al.

 I'm not sure we're moving the industry forward by trying to say I am one
 but You are not - are we?

 Mike Hines
 -
 Michael S Hines
 [EMAIL PROTECTED]


 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc -
 http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 ___



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread SC-L Subscriber Dave Aronson
[EMAIL PROTECTED] writes:

 certifications such as CISSP whereby the exams that
 prove you are a security professional talk all about
 physical security and network security but really don't
 address software development in any meaningful way.

Perhaps what is needed is a separate certification.  It would be nice to know 
that someone knows how to write software in a secure manner, but it's not 
necessary that they know all about physical security, firewall rules, etc.  It 
could even be done at multiple levels, like Sun's Java certs, to certify 
knowledge of secure design principles vs. secure *implementation* principles, 
maybe even going onward to principles of building security into the process.  
Something like, say, Certified Secure Programmer, Coder, and Software Engineer, 
respectively.

  Would be intriguing for folks here that blog to discuss ways

...in their blogs?  rant size=microThat's not discussion, that's 
pontificating.  It also detracts from discussion, by fracturing it./rant  
Discussion is what we're having *here*, so whether someone blogs is irrelevant.

-Dave



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
If you have two individuals, one of which has been practicing secure coding 
practices and encouraging others to do so for years while another individual 
was involved with firewalls, intrusion detection, information security policies 
and so on, are they both information security professionals or just the later?


*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
actually just the former. Robert Garigue characterized firewalls, nids, et al 
as good network hygiene. The equivalent of a dentist telling you to brush your 
teeth. An infosec pro needs much more depth than that. The model is charlemagne

http://1raindrop.typepad.com/1_raindrop/2007/02/thinking_about_.html

-gp
-Original Message-
From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
Date: Thursday, Mar 8, 2007 10:27 am
Subject: [SC-L] What defines an InfoSec Professional?

If you have two individuals, one of which has been practicing secure coding=
 practices and encouraging others to do so for years while another individu= al 
was involved with firewalls, intrusion detection, information security p= 
olicies and so on, are they both information security professionals or just=
 the later?


* This 
communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended 
recipient, any use, copying, disclosure, dissemination or distribution is 
strictly prohibited.  If you are not the intended recipient, please notify the 
sender immediately by return e-mail, delete this communication and destroy all 
copies.
*



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Shea, Brian A
The right answer is both IMO.  You need the thinkers, integrators, and
operators to do it right.  The term Security Professional at its basic
level simply denotes someone who works to make things secure.

You can't be secure with only application security any more than you can
be secure with only firewalls or NIDs.  The entire ecosystem and
lifecycle must be risk managed and that is accomplished by security
professionals.  Each professional may have a specialty due to the
breadth of topics covered by Security (let's not forget our Physical
Security either), but all would be expected to act as professionals.
Professionals in this definition being people who are certified and
expected to operate within specified standards of quality and behavior
much like CISSP, CPA, MD, etc.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
Sent: Thursday, March 08, 2007 9:13 AM
To: [EMAIL PROTECTED]
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] What defines an InfoSec Professional?

actually just the former. Robert Garigue characterized firewalls, nids,
et al as good network hygiene. The equivalent of a dentist telling you
to brush your teeth. An infosec pro needs much more depth than that. The
model is charlemagne

http://1raindrop.typepad.com/1_raindrop/2007/02/thinking_about_.html

-gp
-Original Message-
From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
Date: Thursday, Mar 8, 2007 10:27 am
Subject: [SC-L] What defines an InfoSec Professional?

If you have two individuals, one of which has been practicing secure
coding=
 practices and encouraging others to do so for years while another
individu= al was involved with firewalls, intrusion detection,
information security p= olicies and so on, are they both information
security professionals or just=
 the later?



* This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution
is strictly prohibited.  If you are not the intended recipient, please
notify the sender immediately by return e-mail, delete this
communication and destroy all copies.

*



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
Traditionally InfoSec folks defined themselves as being knowledgable in 
firewalls, policies, etc. Lately, many enterprises are starting to recognize 
the importance of security within the software development lifecycle where even 
some have acknowledged that software is a common problem space for those things 
traditionally thought of as infrastructure. 

The harder part is not in terms of recognizing the trend but in terms of folks 
from the old world acknowledging folks from the new world (software 
development) also as security professionals. I haven't seen many folks make 
this transition. I do suspect that some of it is tied to the romance of 
certifications such as CISSP whereby the exams that prove you are a security 
professional talk all about physical security and network security but really 
don't address software development in any meaningful way.

Would be intriguing for folks here that blog to discuss ways for folks to 
transition / acknowledge respect not as just software developers with a 
specialization in security but in being true security professionals and treat 
them like peers all working on one common goal.

-Original Message-
From: Shea, Brian A [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 08, 2007 2:07 PM
To: Gunnar Peterson; McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] What defines an InfoSec Professional?


The right answer is both IMO.  You need the thinkers, integrators, and
operators to do it right.  The term Security Professional at its basic
level simply denotes someone who works to make things secure.

You can't be secure with only application security any more than you can
be secure with only firewalls or NIDs.  The entire ecosystem and
lifecycle must be risk managed and that is accomplished by security
professionals.  Each professional may have a specialty due to the
breadth of topics covered by Security (let's not forget our Physical
Security either), but all would be expected to act as professionals.
Professionals in this definition being people who are certified and
expected to operate within specified standards of quality and behavior
much like CISSP, CPA, MD, etc.


*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Michael Silk

On 3/9/07, McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
wrote:


Traditionally InfoSec folks defined themselves as being knowledgable in
firewalls, policies, etc. Lately, many enterprises are starting to recognize
the importance of security within the software development lifecycle where
even some have acknowledged that software is a common problem space for
those things traditionally thought of as infrastructure.

The harder part is not in terms of recognizing the trend but in terms of
folks from the old world acknowledging folks from the new world (software
development) also as security professionals. I haven't seen many folks make
this transition. I do suspect that some of it is tied to the romance of
certifications such as CISSP whereby the exams that prove you are a security
professional talk all about physical security and network security but
really don't address software development in any meaningful way.

Would be intriguing for folks here that blog to discuss ways for folks to
transition / acknowledge respect not as just software developers with a
specialization in security but in being true security professionals and
treat them like peers all working on one common goal.




i hear you on this one.

australia, at least melbourne, still doesn't seem to have any idea of
software/application security professionals. almost all jobs that have
'security' in them, then go on to talk about all the firewalls you must know
how to configure. *sigh*. then there is the pen-testing side. there's should
be a new field, security design that accompanies application architect,
etc. then you have professional guidance of the security issues when
building for app.



-Original Message-

From: Shea, Brian A [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 08, 2007 2:07 PM
To: Gunnar Peterson; McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] What defines an InfoSec Professional?


The right answer is both IMO.  You need the thinkers, integrators, and
operators to do it right.  The term Security Professional at its basic
level simply denotes someone who works to make things secure.

You can't be secure with only application security any more than you can
be secure with only firewalls or NIDs.  The entire ecosystem and
lifecycle must be risk managed and that is accomplished by security
professionals.  Each professional may have a specialty due to the
breadth of topics covered by Security (let's not forget our Physical
Security either), but all would be expected to act as professionals.
Professionals in this definition being people who are certified and
expected to operate within specified standards of quality and behavior
much like CISSP, CPA, MD, etc.


*
This communication, including attachments, is
for the exclusive use of addressee and may contain proprietary,
confidential and/or privileged information.  If you are not the intended
recipient, any use, copying, disclosure, dissemination or distribution is
strictly prohibited.  If you are not the intended recipient, please notify
the sender immediately by return e-mail, delete this communication and
destroy all copies.
*


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___





--
mike
00110001 3 00110111
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
What Garigue was trying to say is that deploying a firewall on a network is
not security's mandate; it is _part of_ running a network. Basic hygiene.
Brushing your teeth is part of having teeth. Deploying anti-virus on a
windows desktop is not security; it is _part of_ operating a desktop. This
is an important distinction, because it captures why so much security spend
is targeted at the wrong issues. Security evolved out of operations, and
today we all still live with this historical baggage.

If you want to operate a network or a desktop in an enterprise, you have
certain security responsibilities defined by information security
policy...perhaps even backed up mechanisms, good for you, but these have
little to do with information security, much like going to a dentist that
just told you to brush your teeth and gave you a tooth brush would have
extremely limited valueyet this is what we get from information security
groups across this great cyberland of ours.

I would point you to the fallacy of keeping up with the Jones' explored in
detail at the Justice League

http://www.cigital.com/justiceleague/2007/02/22/keeping-up-with-the-jones-se
curity-initiatives/

Security groups that help businesses make risk tradeoffs based on
functionality, time, and cost add value (you know just like software
development does).

Amateurs study cryptography; professionals study economics.
 -- Allan Schiffman

-gp


On 3/8/07 1:07 PM, Shea, Brian A [EMAIL PROTECTED] wrote:

 The right answer is both IMO.  You need the thinkers, integrators, and
 operators to do it right.  The term Security Professional at its basic
 level simply denotes someone who works to make things secure.
 
 You can't be secure with only application security any more than you can
 be secure with only firewalls or NIDs.  The entire ecosystem and
 lifecycle must be risk managed and that is accomplished by security
 professionals.  Each professional may have a specialty due to the
 breadth of topics covered by Security (let's not forget our Physical
 Security either), but all would be expected to act as professionals.
 Professionals in this definition being people who are certified and
 expected to operate within specified standards of quality and behavior
 much like CISSP, CPA, MD, etc.
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
 Sent: Thursday, March 08, 2007 9:13 AM
 To: [EMAIL PROTECTED]
 Cc: SC-L@securecoding.org
 Subject: Re: [SC-L] What defines an InfoSec Professional?
 
 actually just the former. Robert Garigue characterized firewalls, nids,
 et al as good network hygiene. The equivalent of a dentist telling you
 to brush your teeth. An infosec pro needs much more depth than that. The
 model is charlemagne
 
 http://1raindrop.typepad.com/1_raindrop/2007/02/thinking_about_.html
 
 -gp
 -Original Message-
 From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
 Date: Thursday, Mar 8, 2007 10:27 am
 Subject: [SC-L] What defines an InfoSec Professional?
 
 If you have two individuals, one of which has been practicing secure
 coding=
  practices and encouraging others to do so for years while another
 individu= al was involved with firewalls, intrusion detection,
 information security p= olicies and so on, are they both information
 security professionals or just=
  the later?
 
 
 
 * This communication, including attachments, is
 for the exclusive use of addressee and may contain proprietary,
 confidential and/or privileged information.  If you are not the intended
 recipient, any use, copying, disclosure, dissemination or distribution
 is strictly prohibited.  If you are not the intended recipient, please
 notify the sender immediately by return e-mail, delete this
 communication and destroy all copies.
 
 *
 
 
 
 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc -
 http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC
 (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 ___


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Greg Beeley
  [...] I do suspect that some of it is tied to the romance of
  certifications such as CISSP whereby the exams that prove you are a
  security professional talk all about physical security and network
  security but really don't address software development in any meaningful
  way. [...]

That's interesting.  While I have not taken the CISSP, I have studied
it a bit, and software  app development security is supposed to be one
of the 10 domains that the test covers.

Perhaps one of the issues here is that if you are in operations work
(network security, etc.), there are more aspects of the CISSP that are
relevant to your daily work.  In software development, there is usually
just the one - app development sec - that the developer thinks about,
unless the code has inherent security functionality, in which case
access control, architecture/models, and cryptography can be important
too.

I agree that the software developer is a key part of the security
big picture.  In fact one of the reasons that firewalls have become so
popular today is because of software bugs in host OS's and services...

But software dev is unique in several ways that mean that it may be
hard for the CISSP to cover it in a balanced manner.  Teaching an IT
person about fire and lightning protection, or about routers or
firewalls, about ACL's, or even about risk management, does not have
a steep learning curve.  But learning the basics needed to really
understand even high-level concepts regarding software security 
high-assurance development practices is a much higher learning
curve endeavor, in my view, for the typical IT person.

A few questions, then -- should all developers be/become security
professionals?  Even the most innocent pet project application can
end up having worldwide security implications, given the way apps
can be rapidly popularized these days.  What qualifications should a
developer meet, to be a security professional?  Should there be
something like the Common Criteria EAL's, but somewhat less formal,
to encourage broader use in labeling projects and code, esp. in the
open-source world?

- Greg

08-Mar-2007

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Steven M. Christey

On Thu, 8 Mar 2007, Greg Beeley wrote:

 Perhaps one of the issues here is that if you are in operations work
 (network security, etc.), there are more aspects of the CISSP that are
 relevant to your daily work.  In software development, there is usually
 just the one - app development sec - that the developer thinks about,
 unless the code has inherent security functionality, in which case
 access control, architecture/models, and cryptography can be important
 too.

Secure development certification will hopefully come to the marketplace in
droves in the next year or two.  One organization is
not-so-privately-but-technically-not-yet-publicly preparing to roll
something out in the coming months, and hopefully that will inspire
others.  Insert obligatory cert disclaimer here, but geez it's badly
needed to raise the bar even a hair.

 developer meet, to be a security professional?  Should there be
 something like the Common Criteria EAL's, but somewhat less formal,
 to encourage broader use in labeling projects and code, esp. in the
 open-source world?

Dave Litchfield and I have *very* casually investigated forming a CC-like
concept of Vulnerability Assessment Assurance Levels (VAAL) which is
intended to reflect the depth of a vuln researcher's analysis as some
crude but semi-repeatable measure of assurance.  i've also done some
thinking about vulnerability complexity, and I assume I've mentioned my
vulnerability theory work on this list since I never shut up about it.
Such concepts could be turned around to reflect the depth of understanding
that a developer has - e.g. they know enough to try to strip out SCRIPT
tags but they don't know about javascript: in IMG tags.  I have a couple
pages of working notes on VAAL for offline dissemination for interested
parties who promise to give me feedback.

- Steve
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___