Re: [SC-L] any one a CSSLP is it worth it?
Dana Epp wrote:
> Not sure that would work either though.

Dana,

My comment was meant tongue-in-cheek. Guess I used the wrong emoticon. Figured that ';-)' would work 'cuz I never can remember the one for "tongue-in-cheek". I've seen several variations of the latter... :-? :-Q :-J -) Take your pick.

Good in-depth analysis though. Seriously. And I agree with you completely.

In my experience as an adjunct faculty member teaching a master's level Computer Security course (based in part on the McGraw/Viega book as well as Ross Anderson's _Security Engineering_) for 6 yrs, I came to the conclusion that multiple guess (as I call them) alone only proves how well someone memorizes something, at best, or how clueless people are (if they get incorrect answers) at worst. I would argue that in most of academia it is unsuited for discerning cluefulness in the real world. Over the course of 30+ yrs in IT (yes, I am an old fart!), I've seen all too many people that excelled in academia but were miserable disappointments in industry. In fact, to that end, quality guru Deming is rumored to have said about (then) AT&T Bell Labs: "Bell Labs only hires the top 10% of graduates...and they deserve what they get!"

There is no substitute for real experience.

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] any one a CSSLP is it worth it?
Not sure that would work either though. Many secdev people are introverts. In their shell, they won't debate the validity of a position, including a wrong answer. Zone that into a response in the exam. It's one thing to say "there is no correct answer", but the way the questions are set at ISC2, it's "what is the BEST answer out of this list". By the end of the 6 hours your eyes are glossed over as you actually had to think. But it's still better than the 1-2 hr absolute answer exams from many orgs.

I think where Gary nailed it on the head is you have to be a good developer BEFORE you can be good at secdev. Poorly written code cannot be trusted. It cannot be safe. The rest is moot.

I have never been one to trust a piece of paper. Education comes from doing. Book knowledge cannot be the only weapon in a secdev's experience portfolio. He needs war wounds. Real scars of experience. He needs to learn from his own experience and apply that as the field matures and grows. I see far too many people who think because they opened Ken Van Wyk's, Michael Howard's or Gary McGraw's books that they now get secdev. Without actually applying that knowledge transfer. Review their code, and it's far from absolute. Especially in failure code paths. Don't get me wrong... it's essential reading. But it's not enough. Doing is. In the immortal words of Yoda... "Do or do not. There is no try."

I wonder if a bigger problem is that corps are relying on these certifications to weed out the bad apples? Does NOT having CSSLP mean the candidate sucks at secdev? Or the reverse, can anyone who passed the CSSLP be trusted to get it right all the time? Absolute security is a fallacy. As is perfect code. With enough money and motive, anything can be breached. A piece of paper won't stop that. Nor that crappy piece of code that I didn't properly threat model 15 years ago that is still in use today.
--
Regards,
Dana Epp
Microsoft Security MVP

On Wed, Apr 14, 2010 at 8:24 AM, Wall, Kevin wrote:
>
> Gary McGraw wrote...
>
>> Way back on May 9, 2007 I wrote my thoughts about
>> certifications like these down. The article, called
>> "Certifiable" was published by darkreading:
>>
>> http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630
>
> I just reread your Dark Reading post and I must say I agree with it
> almost 100%. The only part where I disagree with it is where you wrote:
>
> The multiple choice test itself is one of the problems. I
> have discussed the idea of using multiple choice to
> discriminate knowledgeable developers from clueless
> developers (like the SANS test does) with many professors
> of computer science. Not one of them thought it was possible.
>
> I do think it is possible to separate the clueful from the clueless
> using multiple choice if you "cheat". Here's how you do it. You write
> up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
> answers.
>
> The clueless ones are the ones who just answer the question with one of
> the possible choices. The clueful ones are the ones who come up and argue
> with you that there is no correct answer listed. ;-)
>
> -kevin
Re: [SC-L] any one a CSSLP is it worth it?
On 14 Apr 2010, at 16:24, Wall, Kevin wrote:
> I just reread your Dark Reading post and I must say I agree with it
> almost 100%. The only part where I disagree with it is where you wrote:
>
> The multiple choice test itself is one of the problems. I
> have discussed the idea of using multiple choice to
> discriminate knowledgeable developers from clueless
> developers (like the SANS test does) with many professors
> of computer science. Not one of them thought it was possible.

This is the part of the article I disagree with most, as well. Asking whether multiple choice exams can discriminate between clueful and clueless developers is a valid and important question to ask. However, I believe few professors of computer science could discriminate between clueful and clueless developers if "developer" and "clue" have industry-relevant definitions. What passes for "development" in an academic sense and what is required for "clue" in an academic sense are usually defined on very different axes than the axes used in industry.

So, I think asking college professors whether standardised tests are valid in this respect is posing the important question to the wrong people. There are notorious disconnects between what academics and industry value. Perhaps if you asked the folks who hire, promote, and evaluate developers, they could give a better opinion as to whether clue and standardised test performance correlate. Even then, I'd prefer to see something somewhat objective, like months between promotions versus certifications held, as opposed to calling a bunch of CIOs or VPs of Engineering and asking how well they think tests work.

Having said this, I am a CSSLP and I have helped write a ton of questions for the exam. I can tell you we struggle long and hard to write meaningful questions that actually discriminate a practitioner who has experience from a random, unqualified candidate. We follow well-established psychometric principles when designing the questions. The whole test creation/maintenance process is ANSI-approved and audited. Careful statistics are kept on the pass/fail rates on individual questions to discard questions that do not discriminate well. Over time, the question bank is maintained to remove questions that don't test well and to write new questions that represent changes in the landscape.

Some of you will undoubtedly dismiss this, saying "garbage in, garbage out, regardless of how pristine the pipes are." I believe that's too simplistic a view.

Paco
Re: [SC-L] any one a CSSLP is it worth it?
Having a CISSP certification I know it is more than just passing the test. You are not certified as a CISSP until you have another CISSP attest to your qualifications and you submit a detailed resume of your security experience by domain to (ISC)2 auditors. If the auditors do not feel your experience is sufficient you don't get the certification. I cannot discuss the test or the testing strategy [(ISC)2 CISSP NDA] but (ISC)2 makes it known that not all the questions on the exam have the same point value and some questions have no point value at all.

Dave

David Wieneke, CISSP, GSEC, MIT
IT Security Engineer
Security Operations
CUNA Mutual Group
1.800.356.2644 Ext. 7753
dave.wien...@cunamutual.com
Common Purpose. Uncommon Commitment.

All information contained in this message is privileged, confidential and intended for the sole use of the individual(s) named above. If you are not the intended recipient, you are advised that any dissemination, distribution or copying of this communication is prohibited. If you are not the addressee or the person responsible for delivering this to the addressee, or have received this e-mail in error, please notify us immediately by returning the original message to the sender by e-mail and deleting the material from any computer, and destroying printed correspondence.

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Wall, Kevin
Sent: Wednesday, April 14, 2010 10:25 AM
To: 'Gary McGraw'; Matt Parsons; Secure Code Mailing List
Subject: Re: [SC-L] any one a CSSLP is it worth it?

Gary McGraw wrote...
> Way back on May 9, 2007 I wrote my thoughts about
> certifications like these down. The article, called
> "Certifiable" was published by darkreading:
>
> http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote:

The multiple choice test itself is one of the problems. I have discussed the idea of using multiple choice to discriminate knowledgeable developers from clueless developers (like the SANS test does) with many professors of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless using multiple choice if you "cheat". Here's how you do it. You write up your question and then list 4 or 5 INCORRECT answers and NO CORRECT answers.

The clueless ones are the ones who just answer the question with one of the possible choices. The clueful ones are the ones who come up and argue with you that there is no correct answer listed. ;-)

-kevin
Re: [SC-L] any one a CSSLP is it worth it?
Gary McGraw wrote...
> Way back on May 9, 2007 I wrote my thoughts about
> certifications like these down. The article, called
> "Certifiable" was published by darkreading:
>
> http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote:

The multiple choice test itself is one of the problems. I have discussed the idea of using multiple choice to discriminate knowledgeable developers from clueless developers (like the SANS test does) with many professors of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless using multiple choice if you "cheat". Here's how you do it. You write up your question and then list 4 or 5 INCORRECT answers and NO CORRECT answers.

The clueless ones are the ones who just answer the question with one of the possible choices. The clueful ones are the ones who come up and argue with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall
Qwest Information Technology, Inc.
kevin.w...@qwest.com
Phone: 614.215.4788
"It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
Re: [SC-L] any one a CSSLP is it worth it?
Hi Matt,

Way back on May 9, 2007 I wrote my thoughts about certifications like these down. The article, called "Certifiable" was published by darkreading:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

You can find all of my columns written over the last six years here: http://www.cigital.com/~gem/writings/.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 4/12/10 3:03 PM, "Matt Parsons" wrote:

> I am a CISSP with programming experience, static code analysis and web penetration testing. I am thinking about taking the CSSLP. I just bought the review book. Is it worth getting this certification? Is it going to raise my rates and help me get more contracts? Is the GIAC better or should I pursue both or neither? I wrote about the first concept of the CSSLP on my blog. Any feedback would be greatly appreciated.
>
> http://parsonsisconsulting.blogspot.com/
>
> Thanks,
> Matt
Re: [SC-L] any one a CSSLP is it worth it?
On 4/12/2010 2:03 PM, Matt Parsons wrote:
>
> I am a CISSP with programming experience, static code analysis and web
> penetration testing. I am thinking about taking the CSSLP. I just
> bought the review book. Is it worth getting this certification? Is
> it going to raise my rates and help me get more contracts? Is the
> GIAC better or should I pursue both or neither? I wrote about the
> first concept of the CSSLP on my blog. Any feedback would be greatly
> appreciated.
>
> http://parsonsisconsulting.blogspot.com/
>

It's supposed to be on track to become a US DoD cert in 8570. If you are in that world that will help.

Meanwhile it's part of our brag sheet as we work on getting new business in the software assurance area among our DoD customers. We've got two of us on our team from early in the experience assessment phase. Not sure how much it helps sell things over and above our reputation among our customers but we keep it out there.

--
Mike Lyman
mly...@west-point.org
[SC-L] any one a CSSLP is it worth it?
I am a CISSP with programming experience, static code analysis and web penetration testing. I am thinking about taking the CSSLP. I just bought the review book. Is it worth getting this certification? Is it going to raise my rates and help me get more contracts? Is the GIAC better or should I pursue both or neither? I wrote about the first concept of the CSSLP on my blog. Any feedback would be greatly appreciated.

http://parsonsisconsulting.blogspot.com/

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668