Security Basics mailing list archives

RE: Question on Certification (SSCP or GSEC)


From: "Hung Lee" <hlee () theknot com>
Date: Fri, 8 Apr 2011 11:37:41 -0400

As a Developer, your best bet is ISC2's Certified Secure Software Lifecycle Professional 
(https://www.isc2.org/csslp/default.aspx).   This cert was made specifically for folks with Development backgrounds.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mark Brunner
Sent: Thursday, April 07, 2011 6:37 PM
To: 'Mr Horse'
Cc: security-basics () securityfocus com
Subject: RE: Question on Certification (SSCP or GSEC)

I have had the pleasure of certifying first years ago at the SSCP level, and currently hold the CISSP certificate as 
well.  The SSCP designation is definitely less understood, but really is an examination of depth of knowledge versus 
breadth of knowledge for the CISSP in my opinion.  There is some subject matter overlap, however the context is the 
differentiator.
Both will test your mettle, and present you with 250 multiple guess questions come exam time.

The SSCP exam expects knowledge in 7 domains, focusing on technical
knowledge:
- Access Controls
- Security Operations and Administration
- Analysis and Monitoring
- Risk, Response, and Recovery
- Cryptography
- Networks and Telecommunications
- Malicious Code

I had a lot of questions regarding protocols, the OSI model, networking and communication, and routing.

The CISSP exam covers 10 domains, focusing more on tactical and strategic security management:
 - Access Control
 - Application Security
 - Business Continuity & Disaster Recovery
 - Information Security & Risk Management
 - Operations Security
 - Physical Security
 - Security Architecture and Design
 - Telecom and Network Security
 - Regulations, Compliance
 - Incident Response & Investigation

Much more focus on my exam on the methodologies, planning and management considerations of security.

In discussions with GSEC certified colleagues they liken the content and context to that of the CISSP.  There are other 
certifications that might be more useful to you as a developer, such as secure coder http://www.sans.org/gssp/, 
certified ethical hacker http://www.eccouncil.org/, etc.  They may not be as widely marketable, but consider your 
intentions.  Looking for professional improvements or another job?

Just my opinion, your mileage may vary.

Mark Brunner
Information Security Manager & IT Consultant Greater Toronto Area, Ontario Canada


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Eggleston, Mark
Sent: Thursday, April 07, 2011 3:30 PM
To: Mr Horse; security-basics () securityfocus com
Subject: RE: Question on Certification (SSCP or GSEC)

Mr. Horse,

GSEC is open book and more technical; CISSP is not open book and is more
managerial.  If your long-term goal is to get a CISSP you might be better
off getting the GSEC in the interim because: (1) it is from a different
accrediting body (SANS) and shows you have diverse credentials if you later
get a credential from ISC and (2) I would think it is more recognized and
sought after compared to the SSCP (which is a stepping stone to the CISSP
anyhow).

Of course, I might be biased though.  Hope this helps.

Regards,

Mark Eggleston, CISSP, GSEC, CHPS
Manager, Security and Business Continuity 



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Mr Horse
Sent: Wednesday, April 06, 2011 5:11 AM
To: security-basics () securityfocus com
Subject: Question on Certification (SSCP or GSEC)

I'm a software developer with about 6 years experience, and act as the lead
for application and some network security issues at my current employer.

My manager wants me to get a certification, and ideally I would go with the
CISSP but I don't have 4 years employment experience in the information
security field.

As far as I can tell, my options are the GIAC GSEC and the ISC SSCP.
As far as I can tell, the GSEC requires a similar level of knowledge to the
CISSP, but does not have the experience requirement. The SSCP seems to have
limited recognition.

We will have some IT security positions opening up down the line, and I am hoping
to apply for one of these in the future. Can anyone suggest what might be
the better certification for me to hold?

Thanks
