Secure Coding mailing list archives

Announcing LAMN: Legion AgainstMeaningless certificatioNs


From: jim at manico.net (Jim Manico)
Date: Sat, 21 Mar 2009 12:43:59 -1000

It really depends on what you are hiring for. 

If we are talking App/Software security - like Gary has said many times - I would rather hire a software guy and train 
them about security. Doing it the other way around is almost impossible. How can you really do software security if you 
are a netsec expert with no experience writing real software? This is especially true if you are taking a more strategic 
approach to software security. 

And the opposite is true - hiring a coder to lock down a network probably isn't the best hiring choice! =)

What really bothers me is that the CSSLP looks appsec operations focused - not developer SDLC focused (or so I've 
heard). The SANS cert for software security seems to drill a lot more into actual activities a developer should take in 
order to write secure code and seems somewhat reasonable to me. I think a secure software architecture cert would round 
out current offerings well. 

  ----- Original Message ----- 
  From: Joe Teff 
  To: SC-L at securecoding.org 
  Sent: Friday, March 20, 2009 8:38 PM
  Subject: Re: [SC-L] Announcing LAMN: Legion AgainstMeaningless certificatioNs


  I notice certs like CISSP when hiring. It says the person has a basic understanding of all IS security areas. Nothing 
more. If someone can't pass the CISSP then I have to wonder why.



    -----Original Message-----
    From: Paco Hope <Paco at cigital.com>
    To: "SC-L at securecoding.org" <SC-L at securecoding.org>
    Date: Thu, 19 Mar 2009 11:36:45 -0400
    Subject: Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs


    On 3/18/09 5:29 PM, "Jeremy Epstein" <jeremy.j.epstein at gmail.com> wrote:

    > If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it

    ...then I'd say you have an overly simplistic view of the world.

    Anyone who believes that a credential automatically conveys some magical
    knowledge that you didn't have before is just as overly-simplistic as
    someone who disparages all credentials equally. It just isn't a black and
    white world. 

    Paco
    -- 
    Paco Hope, CISSP, CSSLP
    Technical Manager, Cigital, Inc
    http://www.cigital.com/ | +1.703.585.7868
    Software Confidence. Achieved.


    _______________________________________________
    Secure Coding mailing list (SC-L) SC-L at securecoding.org
    List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
    List charter available at - http://www.securecoding.org/list/charter.php
    SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
    as a free, non-commercial service to the software security community.
    _______________________________________________


