Firewall Wizards mailing list archives
Re: Trust validation of programmers
From: Ted Doty <ted () iss net>
Date: Fri, 26 Jun 1998 08:05:08 -0400
At 08:28 PM 6/25/98 -0400, Stout, Bill wrote:
> Is there a certification authority or bonding process for hiring or contracting programmers who develop security systems? Something similar to the Department of Defense background check for the commercial market?
From what I've seen, this situation is more like the craft guilds of the Renaissance. Apprentices and journeymen would work under the supervision of masters, who were not only responsible for the quality of the product, but for training the apprentices and journeymen as well.

Not everyone who does security-related development has to have a hacking background per se - even someone who wants to write (say) exploit tests for a scanner. Someone with a decent background developing IP routing modules for bridges or routers might have a useful foundation for developing exploits for (say) routing protocols.

My experience with background checks is that they're probably effective in weeding out psychos, and less effective in weeding out traitors (strong word there, perhaps we should say "Industrial Saboteurs"). It may raise the bar a bit, but it is a pretty tiny bit.

- Ted
-----------------------------------------------------------------------
Ted Doty, Internet Security Systems           | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax: +1 678 443-6479
Atlanta, GA 30328 USA                         | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
Current thread:
- Trust validation of programmers Stout, Bill (Jun 25)
- Re: Trust validation of programmers Aleph One (Jun 26)
- <Possible follow-ups>
- Re: Trust validation of programmers Ted Doty (Jun 26)
- Re: Trust validation of programmers tqbf (Jun 28)
- Re: Trust validation of programmers Rick Smith (Jun 30)