Hopefully lots of the consultants on this list have been wildly successful in
getting Fortune enterprises to embrace secure coding practices. I am curious to
learn of those who have also been successful in getting these same Fortune
enterprises to incorporate the notion of secure coding
If you have two individuals, one of which has been practicing secure coding
practices and encouraging others to do so for years while another individual
was involved with firewalls, intrusion detection, information security policies
and so on, are they both information security professionals or
actually just the former? Robert Garigue characterized firewalls, NIDS, et al.
as good network hygiene. The equivalent of a dentist telling you to brush your
teeth. An infosec pro needs much more depth than that. The model is Charlemagne
The right answer is both IMO. You need the thinkers, integrators, and
operators to do it right. The term Security Professional at its basic
level simply denotes someone who works to make things secure.
You can't be secure with only application security any more than you can
be secure with only
Traditionally InfoSec folks defined themselves as being knowledgeable in
firewalls, policies, etc. Lately, many enterprises are starting to recognize
the importance of security within the software development lifecycle where even
some have acknowledged that software is a common problem space for
On 3/9/07, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote:
Traditionally InfoSec folks defined themselves as being knowledgeable in
firewalls, policies, etc. Lately, many enterprises are starting to recognize
the importance of security within the software development lifecycle where even
What Garigue was trying to say is that deploying a firewall on a network is
not security's mandate; it is _part of_ running a network. Basic hygiene.
Brushing your teeth is part of having teeth. Deploying anti-virus on a
Windows desktop is not security; it is _part of_ operating a desktop. This is
On Thu, 8 Mar 2007, Greg Beeley wrote:
Perhaps one of the issues here is that if you are in operations work
(network security, etc.), there are more aspects of the CISSP that are
relevant to your daily work. In software development, there is usually
just the one - app development sec - that