Secure Coding mailing list archives
What defines an InfoSec Professional?
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 8 Mar 2007 21:57:53 -0500 (EST)
On Thu, 8 Mar 2007, Greg Beeley wrote:
> Perhaps one of the issues here is that if you are in operations work (network security, etc.), there are more aspects of the CISSP that are relevant to your daily work. In software development, there is usually just the one - app development sec - that the developer thinks about, unless the code has inherent security functionality, in which case access control, architecture/models, and cryptography can be important too.
Secure development certification will hopefully come to the marketplace in droves in the next year or two. One organization is not-so-privately-but-technically-not-yet-publicly preparing to roll something out in the coming months, and hopefully that will inspire others. Insert obligatory cert disclaimer here, but geez it's badly needed to raise the bar even a hair.
> developer meet, to be a "security professional"? Should there be something like the Common Criteria EAL's, but somewhat less formal, to encourage broader use in labeling projects and code, esp. in the open-source world?
Dave Litchfield and I have *very* casually investigated forming a CC-like concept of Vulnerability Assessment Assurance Levels (VAAL), which is intended to reflect the depth of a vuln researcher's analysis as some crude but semi-repeatable measure of assurance. I've also done some thinking about vulnerability complexity, and I assume I've mentioned my vulnerability theory work on this list since I never shut up about it. Such concepts could be turned around to reflect the depth of understanding that a developer has - e.g. they know enough to try to strip out <SCRIPT> tags but they don't know about javascript: in IMG tags. I have a couple pages of working notes on VAAL for offline dissemination for interested parties who promise to give me feedback.

- Steve