I'm not a CISSP person just because my clients haven't required it
yet. However,
they are concerned with application security and restricting access to those
who are not authorized (in addition to XSS, SQL injection, and the usual
list of suspects). I call myself a 'secure developer' only becaus
[EMAIL PROTECTED] writes:
> certifications such as CISSP whereby the exams that
> prove you are a security professional talk all about
> physical security and network security but really don't
> address software development in any meaningful way.
Perhaps what is needed is a separate certification
I'm gonna have to go ahead and disagree with you, there, Michael. You're
looking at things far too narrowly. And here's a very simple example:
Small business. Single DMZ. Hosts DB and Web App on separate platforms.
Web app needs to make back-end calls to DB. There's no reason whatsoever
why
I respectfully disagree.
The need for a firewall or IDS is due to the poor coding of the receptor of
network traffic - so you have to prevent bad things from reaching the
receptor (which is the TCP/IP stack and then the host operating system - and
then the middleware and then the application).
Th
On Thu, 8 Mar 2007, Greg Beeley wrote:
> Perhaps one of the issues here is that if you are in operations work
> (network security, etc.), there are more aspects of the CISSP that are
> relevant to your daily work. In software development, there is usually
> just the one - app development sec - t
> [...] I do suspect that some of it is tied to the romance of
> certifications such as CISSP whereby the exams that prove you are a
> security professional talk all about physical security and network
> security but really don't address software development in any meaningful
> way. [...]
Tha
-----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
> Sent: Thursday, March 08, 2007 9:13 AM
> To: [EMAIL PROTECTED]
> Cc: SC-L@securecoding.org
> Subject: Re: [SC-L] What defines an InfoSec Professional?
>
> actually
MAIL PROTECTED]
Sent: Thursday, March 08, 2007 2:07 PM
To: Gunnar Peterson; McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] What defines an InfoSec Professional?
The right answer is both IMO. You need the thinkers, integrators, and
operators to do it right. The term S
erson
Sent: Thursday, March 08, 2007 9:13 AM
To: [EMAIL PROTECTED]
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] What defines an InfoSec Professional?
actually just the former. Robert Garigue characterized firewalls, nids,
et al as good network hygiene. The equivalent of a dentist telling you
to
/thinking_about_.html
-gp
-----Original Message-----
From: "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]>
Date: Thursday, Mar 8, 2007 10:27 am
Subject: [SC-L] What defines an InfoSec Professional?
If you have two individuals, one of which has been practicing secure coding
practices and encouraging others to do so for years while another individual
was involved with firewalls, intrusion detection, information security policies
and so on, are they both information security professionals or