Full Disclosure mailing list archives
RE: credibility (was 'more security people')
From: "Steven Alexander" <alexander.s () mccd edu>
Date: Wed, 4 Feb 2004 14:51:44 -0800
WTF makes people think that passing a single test qualifies someone as an expert in anything? People need to realize that while tests/certifications are not worthless, they should only complement other qualifications. Tests are used in other professional fields: lawyers have to pass the bar exam in the state where they intend to practice law, accountants have to pass the CPA exam. However, you can't take the bar exam without a law degree or the CPA exam without taking a specified number of accounting classes.

Knowing a lot of random facts about security simply isn't enough. It's nice that everybody and their mom knows what a buffer overflow is nowadays, but it doesn't enable them to evaluate StackGuard, ProPolice, PaX, W^X, etc. Knowing what an intrusion detection system is doesn't mean that you have tcpdump skills. Expertise is based on knowledge that has both breadth and depth. Security people need to know a lot about a lot of things: one of the most important books that I've read WRT security is Richard Stevens' TCP/IP Illustrated Vol. 1, and it doesn't directly deal with security. But, without an in-depth understanding of TCP/IP, how formidable can one's knowledge of security (especially firewalls and intrusion detection systems) be?

Also, it's important to be able to think outside the box. Bruce Schneier has argued for years that good cryptosystems are designed by people who are good cryptanalysts. It makes sense to me; why should I trust the ciphers that you design if you don't understand what was wrong with the old ones? Likewise, why should I trust in the security of a network/system "secured" by some random CISSP when they don't know anything about breaking into systems? I don't think that every security expert has to be a reformed {cr|h}acker. I do think, however, that anyone who dares call themselves a security expert should understand how systems are broken into.

If you don't know what attackers are doing, how the hell do you know what to protect against? There should be a hands-on challenge to any security certification requirements. Perhaps something like: "Find and infiltrate the PaX protected system on network X. You must write your own exploit to gain root through ssh using return-into-libc. Remove all traces of your intrusion from the logs (they're append only). Don't alert the Snort box."

I don't have a CISSP btw, so I'm biased.

My $.02

-steven
-----Original Message-----
From: Gregory A. Gilliss [mailto:ggilliss () netpublishing com]
Sent: Wednesday, February 04, 2004 10:47 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] credibility (was 'more security people')
<snip>
BTW, to be clear I am *not* saying that certifications are bad/worthless. I am saying that they are weak, ineffectual, and not nearly enough to qualify someone to market themselves as a "security expert". From the perspective of weeding out the phonies, I'm all in favor of certifications.
<snip>
In summary, the industry deserves what it gets, which is a large number of untalented posers who couldn't root a Linux 5.0 box running wu-ftp =;^)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html