Security Basics mailing list archives

Re: Notes from CISSP class with Dr. Eric Cole


From: Saqib Ali <docbook.xml () gmail com>
Date: Wed, 2 Nov 2005 08:02:37 -0800

Hello All,

I have finally got around to posting all my CISSP class notes online at:
http://www.xml-dev.com/blog/?action=viewtopic&id=150

Please review for accuracy and let me know of any mistakes.

Thanks
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.


On 10/12/05, kgp () nethere com <kgp () nethere com> wrote:
I'm glad this was stated.

I was going to say something similar but Saqib said it more eloquently.
I will reinforce the statement.
An SSCP should be able to perform some technical skills (this hasn't caught
on however). A CISSP is a managerial qualification. Lee Iacocca better know
damn well how to manage car manufacturing, risks, architecture, and
appropriate laws. But it would be a mistake to think he could go operate
the machinery. I'd even go so far as to say he may know a great deal about
the machinery (mean time to failure, load capacities, etc) but he wouldn't
know what knobs to turn or buttons to push.

Nothing in the CISSP focuses on anything very technical. Why would we expect
a CISSP to do things we didn't test them on?

Kevin

Quoting Saqib Ali <docbook.xml () gmail com>:

The second case involved a pentest where a CISSP had conducted a project
for a web portal. The CISSP told the customer the portal was secure,
but the customer had concerns about the quality of the work performed.
Again I was called in to check the other CISSP's work and I was able to
gain root access in 6 hours. That customer now checks the background
and even tests CISSPs before they are allowed to do any work.

It is not the job of a CISSP to tell if an application is secure (hack
proof) or not. It is like asking a District Attorney to perform Police
Detective work. It doesn't work like that. You need a different
skillset to perform detective work.
--
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.