Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Mike Lyman
On 4/12/2010 2:03 PM, Matt Parsons wrote:

 I am a CISSP with programming experience, static code analysis and web
 penetration testing.   I am thinking about taking the CSSLP.   I just
 bought the review book.   Is it worth getting this certification?   Is
 it going to raise my rates and help me get more contracts?   Is the
 GIAC better or should I pursue both or neither?   I wrote about the
 first concept of the CSSLP on my blog.   Any feedback would be greatly
 appreciated.  

 http://parsonsisconsulting.blogspot.com/



It's supposed to be on track to become a US DoD cert in 8570. If you are
in that world that will help.

Meanwhile it's part of our brag sheet as we work on getting new business
in the software assurance area among our DoD customers. We've got two of
us on our team from early in the experience assessment phase. Not sure
how much it helps sell things over and above our reputation among our
customers but we keep it out there.
-- 

Mike Lyman
mly...@west-point.org

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Gary McGraw
Hi Matt,

Way back on May 9, 2007 I wrote my thoughts about certifications like these 
down.  The article, called Certifiable was published by darkreading:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

You can find all of my columns written over the last six years here:  
http://www.cigital.com/~gem/writings/.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 4/12/10 3:03 PM, Matt Parsons mparsons1...@gmail.com wrote:

I am a CISSP with programming experience, static code analysis and web 
penetration testing.   I am thinking about taking the CSSLP.   I just bought 
the review book.   Is it worth getting this certification?   Is it going to 
raise my rates and help me get more contracts?   Is the GIAC better or should I 
pursue both or neither?   I wrote about the first concept of the CSSLP on my 
blog.   Any feedback would be greatly appreciated.
http://parsonsisconsulting.blogspot.com/

Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668

[cid:3354004848_806392]

[cid:3354004848_800597]








inline: image.jpginline: image.jpg___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wall, Kevin

Gary McGraw wrote...

 Way back on May 9, 2007 I wrote my thoughts about
 certifications like these down.  The article, called
 Certifiable was published by darkreading:

 http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it
almost 100%. The only part where I disagree with it is where you wrote:

The multiple choice test itself is one of the problems. I
have discussed the idea of using multiple choice to
discriminate knowledgeable developers from clueless
developers (like the SANS test does) with many professors
of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless
using multiple choice if you cheat. Here's how you do it. You write
up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
answers.

The clueless ones are the ones who just answer the question with one of
the possible choices. The clueful ones are the ones who come up and argue
with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.comPhone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wieneke, David A.
 
Having a CISSP certification I know it is more than just passing the
test.  You are not certified as a CISSP until you have another CISSP
attest to your qualifications and you submit a detail resume of your
security experience by domain to (ISC)2 auditors.  If the auditors do
not feel your experience is sufficient you don't get the certification.


I cannot discuss the test or the testing strategy [(ISC)2 CISSP NDA] but
(ISC)2 makes it known that not all the questions on the exam have the
same point value and some questions have no point value at all.

Dave

David Wieneke, CISSP, GSEC, MIT
IT Security Engineer
Security Operations
CUNA Mutual Group
1.800.356.2644 Ext. 7753
dave.wien...@cunamutual.com
 
Common Purpose. Uncommon Commitment.
 All information contained in this message is privileged, confidential
and intended for the sole use of the individual(s) named above. If you
are not the intended recipient, you are advised that any dissemination,
distribution or copying of this communication is prohibited. If you are
not the addressee or the person responsible for delivering this to the
addressee, or have received this e-mail in error, please notify us
immediately by returning the original message to the sender by e-mail
and deleting the material from any computer, and destroying printed
correspondence. 

-Original Message-
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Wall, Kevin
Sent: Wednesday, April 14, 2010 10:25 AM
To: 'Gary McGraw'; Matt Parsons; Secure Code Mailing List
Subject: Re: [SC-L] any one a CSSLP is it worth it?


Gary McGraw wrote...

 Way back on May 9, 2007 I wrote my thoughts about
 certifications like these down.  The article, called
 Certifiable was published by darkreading:


http://www.darkreading.com/security/app-security/showArticle.jhtml?artic
leID=208803630

I just reread your Dark Reading post and I must say I agree with it
almost 100%. The only part where I disagree with it is where you wrote:

The multiple choice test itself is one of the problems. I
have discussed the idea of using multiple choice to
discriminate knowledgeable developers from clueless
developers (like the SANS test does) with many professors
of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless
using multiple choice if you cheat. Here's how you do it. You write
up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
answers.

The clueless ones are the ones who just answer the question with one of
the possible choices. The clueful ones are the ones who come up and
argue
with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.comPhone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential
or
privileged information. Unauthorized use of this communication is
strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and
destroy
all copies of the communication and any attachments.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Paco Hope

On 14 Apr 2010, at 16:24, Wall, Kevin wrote:
 I just reread your Dark Reading post and I must say I agree with it
 almost 100%. The only part where I disagree with it is where you wrote:
 
The multiple choice test itself is one of the problems. I
have discussed the idea of using multiple choice to
discriminate knowledgeable developers from clueless
developers (like the SANS test does) with many professors
of computer science. Not one of them thought it was possible.

This is the part of the article I disagree with most, as well. Asking whether 
multiple choice exams can discriminate between clueful and clueless developers 
is a valid and important question to ask.  However, I believe few professors of 
computer science could discriminate between clueful and clueless developers if 
developer and clue have industry-relevant definitions.  What passes for 
development in an academic sense and what is required for clue in an 
academic sense are usually defined on very different axes than the axes used in 
industry.

So, I think asking college professors whether standardised tests are valid in 
this respect is posing the important question to the wrong people. There are 
notorious disconnects between what academics and industry value. Perhaps if you 
asked the folks who hire, promote, and evaluate developers, they could give a 
better opinion as to whether clue and standardised test performance correlate. 
Even then, I'd prefer to see something somewhat objective, like months between 
promotions versus certifications held, as opposed to calling a bunch of CIOs or 
VPs of Engineering and asking how well they think tests work.

Having said this, I am a CSSLP and I have helped write a ton of questions for 
the exam. I can tell you we struggle long and hard to write meaningful 
questions that actually discriminate a practitioner who has experience from a 
random, unqualified candidate. We use follow well-established psychometric 
principles when designing the questions. The whole test creation/maintenance 
process is ANSI-approved and audited. Careful statistics are kept on the 
pass/fail rates on individual questions to discard questions that do not 
discriminate well. Over time, the question bank is maintained to remove 
questions that don't test well and to write new questions that represent 
changes in the landscape. Some of you will undoubtedly dismiss this, saying 
garbage in, garbage out, regardless of how pristine the pipes are. I believe 
that's too simplistic a view.

Paco
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Dana Epp
Not sure that would work either though.

Many secdev people are introverts. In their shell, they won't debate
the validity of a position, including a wrong answer. Zone that into a
response in the exam. It's one thing to say there is no correct
answer, but the way the questions are set at ISC2, its what is the
BEST answer out of this list. By the end of the 6 hours your eyes are
glossed over as you actually had to think. But its still better than
the 1-2 hr absolute answer exams from many orgs.

I think where Gary nailed it on the head is you have to be a good
developer BEFORE you can be a good at secdev. Poorly written code can
not be trusted. It cannot be safe. The rest is moot.

I have never been one to trust a piece of paper. Education comes from
doing. Book knowledge cannot be the only weapon in a secdev's
experience portfolio. He needs war wounds. Real scars of experience.
He needs to learn from his own experience and apply that as the field
matures and grows. I see far too many people who think because they
opened Ken Van Wyk's, Michael Howard's or Gary McGraw's books that
they now get secdev. Without actually applying that knowledge
transfer. Review their code, and its far from absolute. Especially in
failure code paths. Don't get me wrong... its essential reading. But
its not enough. Doing is.

In the immortal words of Yoda... Do or do not. There is no try..

I wonder if a bigger problem is that corps are relying on these
certifications to weed out the bad apples? Does NOT having CSSLP mean
the candidate sucks at secdev? Or the reverse, can anyone who passed
the CSSLP be trusted to get it right all the time? Absolute security
is a fallacy. As is perfect code. With enough money and motive,
anything can be breached. A piece of paper won't stop that. Nor that
crappy piece of code that I didn't properly threat model 15 years ago
that is still in use today.

-- 
Regards,
Dana Epp
Microsoft Security MVP

On Wed, Apr 14, 2010 at 8:24 AM, Wall, Kevin kevin.w...@qwest.com wrote:

 Gary McGraw wrote...

 Way back on May 9, 2007 I wrote my thoughts about
 certifications like these down.  The article, called
 Certifiable was published by darkreading:

 http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

 I just reread your Dark Reading post and I must say I agree with it
 almost 100%. The only part where I disagree with it is where you wrote:

        The multiple choice test itself is one of the problems. I
        have discussed the idea of using multiple choice to
        discriminate knowledgeable developers from clueless
        developers (like the SANS test does) with many professors
        of computer science. Not one of them thought it was possible.

 I do think it is possible to separate the clueful from the clueless
 using multiple choice if you cheat. Here's how you do it. You write
 up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
 answers.

 The clueless ones are the ones who just answer the question with one of
 the possible choices. The clueful ones are the ones who come up and argue
 with you that there is no correct answer listed. ;-)

 -kevin
 ---
 Kevin W. Wall           Qwest Information Technology, Inc.
 kevin.w...@qwest.com    Phone: 614.215.4788
 It is practically impossible to teach good programming to students
  that have had a prior exposure to BASIC: as potential programmers
  they are mentally mutilated beyond hope of regeneration
    - Edsger Dijkstra, How do we tell truths that matter?
      http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

 This communication is the property of Qwest and may contain confidential or
 privileged information. Unauthorized use of this communication is strictly
 prohibited and may be unlawful.  If you have received this communication
 in error, please immediately notify the sender by reply e-mail and destroy
 all copies of the communication and any attachments.

 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
 ___


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wall, Kevin
Dana Epp wrote:
 Not sure that would work either though.

Dana,

My comment was meant tongue-in-cheek. Guess I used the wrong
emoticon. Figured that ';-)' would work 'cuz I never can remember
the one for tongue-in-cheek. I've seen several variations of the
latter...

:-? :-Q :-J -)

Take your pick. Good in depth analysis though. Seriously. And I
agree with you completely.

In my experience as an adjunct faculty member teaching a master's
level Computer Security course (based in part on the McGraw/Viega book
as well as Ross Anderson's _Security Engineering_) for 6 yrs, I came to the
conclusion that multiple guess (as I call them) alone only proves
how well someone memorizes something, at best, or how clueless people
are (if they get incorrect answers) at worst. I would argue that
most of academia it is unsuited for discerning cluefulness the the
real world. Over the course of 30+ yrs in IT (yes, I am an old fart!),
I've seen all too many people that exceled in academia but were miserable
disappointments in industry.  In fact, to that end, quality guru Demming
is rumored to have said about (then) ATT Bell Labs:
Bell Labs only hires the top 10% of graduatesc...and they
deserve what they get!

There is no substitute for real experience.

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.comPhone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] any one a CSSLP is it worth it?

2010-04-13 Thread Matt Parsons
I am a CISSP with programming experience, static code analysis and web
penetration testing.   I am thinking about taking the CSSLP.   I just bought
the review book.   Is it worth getting this certification?   Is it going to
raise my rates and help me get more contracts?   Is the GIAC better or
should I pursue both or neither?   I wrote about the first concept of the
CSSLP on my blog.   Any feedback would be greatly appreciated.   

http://parsonsisconsulting.blogspot.com/

 

Thanks,
Matt

 

 

Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office 

Do Good and Fear No Man  

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1...@gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

 

0_0_0_0_250_281_csupload_6117291

 

untitled

 

 

 

 

 

 

 

image005.jpgimage006.jpg___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___