Firewall Wizards mailing list archives

Re: Trust validation of programmers


From: Ted Doty <ted () iss net>
Date: Fri, 26 Jun 1998 08:05:08 -0400

At 08:28 PM 6/25/98 -0400, Stout, Bill wrote:
> Is there a certification authority or bonding process for hiring or
> contracting programmers who develop security systems?  Something similar
> to the Department of Defense background check for the commercial market?

From what I've seen, this situation is more like the craft guilds of the
Renaissance.  Apprentices and journeymen would work under the supervision
of masters, who were not only responsible for the quality of the product,
but for training the apprentices and journeymen as well.

Not everyone who does security-related development has to have a hacking
background per se - even someone who wants to write (say) exploit tests for
a scanner.  Someone with a decent background developing IP routing modules
for bridges or routers might have a useful foundation for developing
exploits for (say) routing protocols.

My experience with background checks is that they're probably effective in
weeding out psychos, and less effective in weeding out traitors (strong
word there, perhaps we should say "Industrial Saboteurs").  It may raise
the bar a bit, but it is a pretty tiny bit.

- Ted

-----------------------------------------------------------------------
Ted Doty, Internet Security Systems          | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax:   +1 678 443-6479
Atlanta, GA 30328  USA                       | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689  FD0F E625 D525 E1BE
