funsec mailing list archives

Re: Presidential Internet Kill Switch


From: Michael Collins <mcollins () aleae com>
Date: Wed, 23 Sep 2009 14:39:25 -0400

Eh, it's a moot point already.  DoD regulation 8570 is probably the
inspiration for the senate order --- pretty much, if you are defense
contracting, everyone's looking at you to have something like a
CISSP.  So, in terms of actual dollar figures, it was a done deal 2
years ago.

Since I was lecturing on this last night, I'll play devil's advocate
for certification, or ideal certification in this case.  We all know
that the golden rule of cryptographic protocol creation is "don't".
But developers love to innovate needlessly, and so we see them create
their own crypto protocols over and over again, with exciting new
vulnerabilities each time.  The singles.org/4chan debacle earlier
this year is an example of an ignorant developer reinventing the wheel
with humiliating results.  *If* certification teaches developers the
necessary set of skills to prevent them from making the same mistakes
everybody does at square zero, then it has some value.  Even
CISSP, which I will happily crap on usually, at least has the advantage
of teaching that security isn't just in the software, and that you
have to at least have a nodding familiarity with site security.

The major problem, from my POV, is that when we think "certification"
as developers, we think stuff like Oracle or A+ or CNDS or stuff that
is more for the benefit of the companies issuing the certification
than for the client.  I think in the long run, we're going to end up
looking more at certification in the sense that CivEs or EEs look at
it - something like professional engineering certification.  That
said, the design process is still radically different and there are
liability problems that we have to address.  Given the state of most
software right now, a PE equivalent for secure software is a "please
shoot me" ticket.

On Sep 23, 2009, at 11:21 AM, phester wrote:

On Wed, 23 Sep 2009, Dan Kaminsky wrote:

Bottom line:  What if the only people allowed to do security work
were CISSPs?

Or worse; What if it requires a security clearance?


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

