Secure Coding mailing list archives

What defines an InfoSec Professional?


From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 8 Mar 2007 21:57:53 -0500 (EST)


On Thu, 8 Mar 2007, Greg Beeley wrote:

Perhaps one of the issues here is that if you are in operations work
(network security, etc.), there are more aspects of the CISSP that are
relevant to your daily work.  In software development, there is usually
just the one - app development sec - that the developer thinks about,
unless the code has inherent security functionality, in which case
access control, architecture/models, and cryptography can be important
too.

Secure development certification will hopefully come to the marketplace in
droves in the next year or two.  One organization is
not-so-privately-but-technically-not-yet-publicly preparing to roll
something out in the coming months, and hopefully that will inspire
others.  Insert obligatory cert disclaimer here, but geez it's badly
needed to raise the bar even a hair.

developer meet, to be a "security professional"?  Should there be
something like the Common Criteria EAL's, but somewhat less formal,
to encourage broader use in labeling projects and code, esp. in the
open-source world?

Dave Litchfield and I have *very* casually investigated forming a CC-like
concept of Vulnerability Assessment Assurance Levels (VAAL) which is
intended to reflect the depth of a vuln researcher's analysis as some
crude but semi-repeatable measure of assurance.  I've also done some
thinking about vulnerability complexity, and I assume I've mentioned my
vulnerability theory work on this list since I never shut up about it.
Such concepts could be turned around to reflect the depth of understanding
that a developer has - e.g. they know enough to try to strip out <SCRIPT>
tags but they don't know about javascript: in IMG tags.  I have a couple
pages of working notes on VAAL for offline dissemination for interested
parties who promise to give me feedback.

- Steve


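The developer-depth example near the end of the message (knowing to strip `<SCRIPT>` tags but not about `javascript:` URLs in `IMG` tags) is worth seeing as code. The block below is an added illustration, not part of Steve's message or any project he mentions: it puts the blacklist filter he describes beside the two hardened approaches a reviewer would expect instead (encoding all untrusted text, and allowlisting the URL scheme for anything that lands in an attribute). The function names and the sample inputs are constructed for this example.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample inputs (not from the original message): one payload the
# naive filter handles, one it misses.
SAMPLE_SCRIPT_TAG = '<script>alert(1)</script>'
SAMPLE_IMG_JS_URL = '<img src="javascript:alert(1)">'


def naive_strip_script(untrusted: str) -> str:
    """The blacklist filter the message describes: delete <script> tags and
    keep everything else. It never looks at attribute values, so a
    javascript: URL inside an <img> passes through unchanged."""
    return re.sub(r'</?script\b[^>]*>', '', untrusted, flags=re.IGNORECASE)


def render_text(untrusted: str) -> str:
    """Hardened handling for free text: encode every HTML metacharacter so the
    browser treats the whole value as literal text, whatever tags or
    attributes it contains. No tag list to keep up to date."""
    return html.escape(untrusted, quote=True)


# Allowlist of schemes permitted in an image URL (hypothetical policy for
# this example; a real application would set this per context).
ALLOWED_SCHEMES = {"http", "https"}


def safe_image_src(untrusted_url: str):
    """Hardened handling for a URL destined for an attribute: allowlist the
    scheme rather than blacklisting bad ones. ASCII control characters are
    removed first because browsers ignore tabs and newlines inside a scheme,
    so "java\\tscript:" would otherwise slip past a plain string check.
    Returns the attribute-escaped URL, or None if it must not be emitted."""
    cleaned = re.sub(r'[\x00-\x1f\x7f]', '', untrusted_url).strip()
    # urlparse lowercases the scheme, which also covers "JaVaScRiPt:".
    if urlparse(cleaned).scheme not in ALLOWED_SCHEMES:
        return None
    return html.escape(cleaned, quote=True)


def render_image(untrusted_url: str) -> str:
    """Emit an <img> only when the URL passes the scheme allowlist; otherwise
    drop the image entirely rather than output an active URL."""
    src = safe_image_src(untrusted_url)
    if src is None:
        return ''
    return f'<img src="{src}">'


if __name__ == '__main__':
    print('naive filter on <script>   :', naive_strip_script(SAMPLE_SCRIPT_TAG))
    print('naive filter on <img>      :', naive_strip_script(SAMPLE_IMG_JS_URL))
    print('encoded text               :', render_text(SAMPLE_IMG_JS_URL))
    print('allowlisted image (bad url):', repr(render_image('javascript:alert(1)')))
    print('allowlisted image (ok url) :', render_image('https://example.com/a.png'))
```

The point of the contrast is that the naive filter answers "which tags do I know are bad?", while the hardened functions answer "what is this value allowed to be?"; only the second question has a stable answer once you account for attribute contexts and the whitespace and case tricks browsers tolerate in URL schemes.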