Penetration Testing mailing list archives

RE: My Frustrations


From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Fri, 19 Dec 2008 09:39:47 -0800 (PST)

These are some good points that you raise.  I did a little bit of searching for professional associations that might 
provide unbiased information to organizations looking to engage security consultants.  I had in mind an organization 
that does not endorse a specific certification but would provide a summary of all or most of the relevant ones that 
exist and how they might fit with different kinds of job tasks.  There doesn't appear to be such an organization.  I'm 
sure various individuals have published such reviews.  I know I've seen a lot of banter about it on forums.  But I 
couldn't find such a professional association that doesn't also do certifications themselves, which they promote.  Does 
anybody know of such?  The key here is that all of the reputable organizations promote their own certification and 
don't say very much about any competing ones. I am primarily interested in associations that a U.S. company might look 
to for guidance, but it would be interesting to know if such a group has any clout elsewhere in the world.

ISSA might be a good forum for this.  I'm not a member.  Maybe time to go join.


--- On Thu, 12/18/08, Shenk, Jerry A <jshenk () decommunications com> wrote:

From: Shenk, Jerry A <jshenk () decommunications com>
Subject: RE: My Frustrations
To: "pen-test list" <pen-test () securityfocus com>
Date: Thursday, December 18, 2008, 4:31 PM

Is being licensed really all that different from certified?  I don't know too
many teachers but I know a couple really lousy ones and every couple days, I
hear some horrible story about a teacher who had sex with a student or....
There are bad examples in the medical profession too and they're all licensed.
And drivers...they all have licenses.  My town requires plumbers and
electricians to be licensed and they also require that one of those guys who is
playing the system review my work if I want to do something myself.  I'll bet
we can all come up with electrical and plumbing stories.

No, I don't think licensure is the answer.  I think personal responsibility
both from the practitioner and the one needing the service (or the checkbox;)
is what's really needed.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sat Jagat Singh
Sent: Thursday, December 18, 2008 6:54 PM
To: pen-test list
Subject: Re: My Frustrations

Having read your blog post, I would say that I share some of these
frustrations.  But many organizations are really only trying to cover their
asses and put a check in the box to say that, yes we got an assessment done to
satisfy the letter of the regulations.  These are companies that are more
concerned about the cost of the project than the actual security.  While such
people tend to get what they deserve, it does create a negative reputation for
the profession as a whole.

Yes, I do think it is a "profession", but we have not "professionalized"
ourselves by requiring licensing.  The industry reliance on certification
rather than licensing as a credential somewhat serves to muddy the waters
because the decision makers hiring security consultants don't really know what
a given certification covers.  We could debate the value of different
certifications until the cows come home but I don't want to insult anyone and
we can probably agree that too many of them do not guarantee that the holder
has real qualifications and the security unsavvy will never really know how to
evaluate that.  More and more I lean toward some form of professional
licensure.  One of the states will have to move in this direction before a
serious debate about it will be opened.  Until then, caveat emptor.


--- On Wed, 12/17/08, Adriel T. Desautels <ad_lists () netragard com> wrote:

From: Adriel T. Desautels <ad_lists () netragard com>
Subject: My Frustrations
To: "pen-test list" <pen-test () securityfocus com>
Date: Wednesday, December 17, 2008, 11:19 AM

I recently wrote this blog entry and wanted to get some comments from readers
of this list. I'm frustrated with the caliber of the people that are offering
security services and posing as experts, that's the subject of the post. Please
comment, insult, whatever... I'm interested.

http://snosoft.blogspot.com/


Adriel T. Desautels
ad_lists () netragard com





------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report

------------------------------------------------------------------------



