[SC-L] What defines an InfoSec Professional?

2007-03-11 Thread Jason Grembi
I'm not a CISSP person just because my clients haven't required it yet. However, they are concerned with application security and restricting access to those who are not authorized (in addition to XSS, SQL injection, and the usual list of suspects). I call myself a 'secure developer' only

Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread Michael S Hines
I respectfully disagree. The need for a firewall or IDS is due to the poor coding of the receptor of network traffic - so you have to prevent bad things from reaching the receptor (which is the TCP/IP stack and then the host operating system - and then the middleware and then the application).

Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread Benjamin Tomhave
I'm gonna have to go ahead and disagree with you, there, Michael. You're looking at things far too narrowly. And here's a very simple example: Small business. Single DMZ. Hosts DB and Web App on separate platforms. Web app needs to make back-end calls to DB. There's no reason whatsoever why

Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread SC-L Subscriber Dave Aronson
[EMAIL PROTECTED] writes: certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way. Perhaps what is needed is a separate certification.

[SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
If you have two individuals, one of which has been practicing secure coding practices and encouraging others to do so for years while another individual was involved with firewalls, intrusion detection, information security policies and so on, are they both information security professionals or

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
/thinking_about_.html -gp -Original Message- From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED] Date: Thursday, Mar 8, 2007 10:27 am Subject: [SC-L] What defines an InfoSec Professional? If you have two individuals, one of which has been practicing secure coding practices and encouraging others

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Shea, Brian A
: Thursday, March 08, 2007 9:13 AM To: [EMAIL PROTECTED] Cc: SC-L@securecoding.org Subject: Re: [SC-L] What defines an InfoSec Professional? actually just the former. Robert Garigue characterized firewalls, nids, et al as good network hygiene. The equivalent of a dentist telling you to brush your

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread McGovern, James F (HTSC, IT)
A [mailto:[EMAIL PROTECTED] Sent: Thursday, March 08, 2007 2:07 PM To: Gunnar Peterson; McGovern, James F (HTSC, IT) Cc: SC-L@securecoding.org Subject: RE: [SC-L] What defines an InfoSec Professional? The right answer is both IMO. You need the thinkers, integrators, and operators to do it right

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Michael Silk
PM To: Gunnar Peterson; McGovern, James F (HTSC, IT) Cc: SC-L@securecoding.org Subject: RE: [SC-L] What defines an InfoSec Professional? The right answer is both IMO. You need the thinkers, integrators, and operators to do it right. The term Security Professional at its basic level simply

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
: Thursday, March 08, 2007 9:13 AM To: [EMAIL PROTECTED] Cc: SC-L@securecoding.org Subject: Re: [SC-L] What defines an InfoSec Professional? actually just the former. Robert Garigue characterized firewalls, nids, et al as good network hygiene. The equivalent of a dentist telling you to brush

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Greg Beeley
[...] I do suspect that some of it is tied to the romance of certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way. [...] That's

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Steven M. Christey
On Thu, 8 Mar 2007, Greg Beeley wrote: Perhaps one of the issues here is that if you are in operations work (network security, etc.), there are more aspects of the CISSP that are relevant to your daily work. In software development, there is usually just the one - app development sec - that