[SC-L] more relevant certifications

2009-03-20 Thread SC-L Reader Dave Aronson
Paco Hope p...@cigital.com wrote:

 just as overly-simplistic as
 someone who disparages all credentials equally.

On that note... my company (BAE Systems) has been pushing for people
to become CISSPs, because in turn the main client (US gov) has been
pushing for contractors to have a bunch of CISSPs on the projects.
But, it seems as though that cert is very heavily loaded down with
things that front-line grunts like me will NEVER use.  I doubt I'll
ever get to decide where a data center is located, let alone the
entire building, nor what kind of fire detection/suppression or
physical security systems it has, and I can probably forget about
dictating HR policy as well.

So, I was considering other certs, that seem much more relevant.  The
main relevant one I've heard of is the GSSP (GIAC Secure Software
Programmer).

1) What do y'all think of that one?

2) It looked to me as though, other than perhaps from buying books,
there is one and only one GSSP practice exam, and it can be taken only
once.  Am I wrong?  Do you know of any others available for free,
preferably to be taken online?

3) Have you heard of any other certs relevant for those of us who
mainly design and implement computer-based systems, which will usually
undergo security scrutiny, and usually have little to no say about all
the other stuff around it?  (Preferably not technology-specific, as
opposed to for example a Secure Java or Secure Web-Apps cert.)
Compare and contrast, as the teachers would say

Thanks,
Dave

-- 
Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
| Play: davearonson.net | \/ Ribbon
Specialization is for insects.| Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein | Wife: nasjleti.net| EmailWeb
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] more relevant certifications

2009-03-20 Thread Goertzel, Karen [USA]
I would refer you to Section 7.2.2.2, Professional Certifications, starting on 
page 272 of Software Security Assurance: A State-of-the-Art Report which can 
be downloaded from: http://iac.dtic.mil/iatac/download/security.pdf

The report was published in July 2007; there may be additional certifications 
that have become available since then.

--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com




-Original Message-
From: sc-l-boun...@securecoding.org on behalf of SC-L Reader Dave Aronson
Sent: Fri 20-Mar-09 09:59
To: Secure Coding
Subject: [SC-L] more relevant certifications
 
Paco Hope p...@cigital.com wrote:

 just as overly-simplistic as
 someone who disparages all credentials equally.

On that note... my company (BAE Systems) has been pushing for people
to become CISSPs, because in turn the main client (US gov) has been
pushing for contractors to have a bunch of CISSPs on the projects.
But, it seems as though that cert is very heavily loaded down with
things that front-line grunts like me will NEVER use.  I doubt I'll
ever get to decide where a data center is located, let alone the
entire building, nor what kind of fire detection/suppression or
physical security systems it has, and I can probably forget about
dictating HR policy as well.

So, I was considering other certs, that seem much more relevant.  The
main relevant one I've heard of is the GSSP (GIAC Secure Software
Programmer).

1) What do y'all think of that one?

2) It looked to me as though, other than perhaps from buying books,
there is one and only one GSSP practice exam, and it can be taken only
once.  Am I wrong?  Do you know of any others available for free,
preferably to be taken online?

3) Have you heard of any other certs relevant for those of us who
mainly design and implement computer-based systems, which will usually
undergo security scrutiny, and usually have little to no say about all
the other stuff around it?  (Preferably not technology-specific, as
opposed to for example a Secure Java or Secure Web-Apps cert.)
Compare and contrast, as the teachers would say

Thanks,
Dave

-- 
Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
| Play: davearonson.net | \/ Ribbon
Specialization is for insects.| Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein | Wife: nasjleti.net| EmailWeb
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___