Penetration Testing mailing list archives
RE: Mile2 Training (Certifications)
From: "Ken Kousky" <kkousky () ip3inc com>
Date: Tue, 17 Jul 2007 08:54:32 -0400
Pete, great comments. I'm working with universities across the country and I think the faculty buy into this idea. The best programs are trying to find experiential learning opportunities. The academics know that even at the masters level, there's a huge gap between theory and practice. At the same time, the basic understanding of vulnerabilities such as buffer overflows are not adequately addressed on the academic or the pragmatic side. Buffer overflows make virtually all of our systems untrustworthy and most IT management still don't understand this basic issue. On the issue of certification - if we test for the right knowledge-base, like how does 802.1x authenticate, how are digital certificates safeguarded on typical pc's or how do buffer overflows work and then use this knowledge for better pen-testing, we would have a safer world. How do we engage new members of the profession and of these forums to help take up the cause of education? I get tired of reading of the security failures - we need to promote and showcase the successes, which are always based on strong human competencies. The trade journals need to sell protective technologies, so they amplify the failures - which we all know are rampant. But the good guys do win, most of the time, so maybe by profiling the good guys who are winning, we'll draw more attention to how they got to where they are, how they trained, how they stay current, etc. You were actually starting down this road in your posting. In any case, I offer my strongest support for your efforts. We just need a lot more focus on human capital in the security space! KWK -----Original Message----- From: Pete Herzog [mailto:lists () isecom org] Sent: Monday, July 16, 2007 2:46 PM To: Ken Kousky Cc: 'Clement Dupuis'; ppsih () hol gr; 'Serge Vondandamo'; pen-test () securityfocus com Subject: Re: Mile2 Training (Certifications) Hi Ken, Unfortunately, skills-based certification is the closest thing that exists to what is really required, decent apprenticeships. While "virtual" apprenticeships happen through hacker groups and to some regards in certain on-line training venues, that doesn't come close to giving the well-rounded skills a professional security tester needs in the modern workplace. I was lucky enough to have a great mentor during my time at IBM and what Peter Klee didn't teach me about just knowing how to be a "smart security consultant" as he called it could fit in a thimble. For a year that guy dragged me to analyst meetings and customer meetings and presentations and internal department meetings where I just sat there with my mouth shut and learned how security professionals handle themselves. That doesn't happen these days. Kids leave college with a few infosec courses under their belt and they become security professionals already assessing other people's business. There's no substitute for proper apprenticeship. But since that won't happen much anymore we need to find other ways to prove ourselves. We do that by showing it to an independent 3rd party to rate our ability to apply knowledge and skills to realistic problems in a timely manner. And that's what ISECOM is doing. It's the closest thing you can get to proving experience and ability like in an apprenticeship. This whole thing about work experience voucher and all that is a sham that more and more people get around. That doesn't mean anything! We all work with people who share the same job title but not the same work ethic or skills. Yet after 2 years they are the same level as you according to these business experience certification requirements. It's so hokey that I even have to use the word "hokey" and that alone is upsetting! ;) Sincerely, -pete. Ken Kousky wrote:
When exploring certification programs it's also important to note that ANSI/OSI have a standard for the certification of professional licensing
and
certification programs. The ANSI/OSI framework does not allow for this
kind
of approach, where you have to buy a specific training product or program.
A professional licensing process should be an independent test of competencies and not a measure of the training program an individual purchases. The DoD 8570 directive endorses ANSI/OSI certified certification programs
-
I think for this reason. It's not buying training but establishing competencies that matters. It's what you know, not what you buy. I think mostgood professional certifications are moving in this direction. We still have a long way to go before the processional standards for competency are clearly codified. Right now, the targeted skills continue
to
evolve with the exploits but we're starting to better understand the need for foundation skills and then specific applications of these skills. KWK
------------------------------------------------------------------------ This List Sponsored by: Cenzic Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer http://www.cenzic.com/c/wf-spi ------------------------------------------------------------------------
Current thread:
- RE: Mile2 Training (Certifications), (continued)
- RE: Mile2 Training (Certifications) ppsih (Jul 13)
- RE: Mile2 Training (Certifications) Russell Butturini (Jul 13)
- RE: Mile2 Training (Certifications) Panayiotis Psihoyios (Jul 13)
- RE: Mile2 Training (Certifications) Ric Messier (Jul 13)
- Re: Mile2 Training (Certifications) ppsih (Jul 13)
- RE: Mile2 Training (Certifications) Clement Dupuis (Jul 13)
- RE: Mile2 Training (Certifications) Ken Kousky (Jul 15)
- Re: Mile2 Training (Certifications) Pete Herzog (Jul 16)
- Re: Mile2 Training (Certifications) Andrew Blyth (Jul 17)
- Re: Mile2 Training (Certifications) Jamie Riden (Jul 18)
- RE: Mile2 Training (Certifications) Ken Kousky (Jul 17)
- Re: Mile2 Training (Certifications) Pete Herzog (Jul 23)
- Re: Mile2 Training (Certifications) Jamie Riden (Jul 13)
- Certifications Andrew Blyth (Jul 13)
- RE: Mile2 Training (Certifications) Alex Balayan (Jul 11)
- Re: Security Testing Certifications (was Mile2 Training (Certifications)) Pete Herzog (Jul 12)
- RE: Mile2 Training (Certifications) Hope, Sean (Contractor) (Jul 12)