Secure Coding mailing list archives

CSSLP


From: Paco at cigital.com (Paco Hope)
Date: Mon, 23 Mar 2009 16:22:52 -0400

On 3/21/09 6:43 PM, "Jim Manico" <jim at manico.net> wrote:

> What really bothers me is that the CSSLP looks appsec operations focused - not
> developer SDLC focused (or so I've heard). The SANS cert for software
> security seems to drill a lot more into actual activities a developer should
> take in order to write secure code and seems somewhat reasonable to me. I think a
> secure software architecture cert would round out current offerings well.

As a SME for that exam (i.e., one of the guys who makes exam questions and
such), you're exactly right. It definitely is skewed towards a holistic,
operations-type feel. However, you've misidentified its target.

The target of the CSSLP is anyone involved in the software (though perhaps
we should say "system") development lifecycle. It targets not just
developers, but also testers, release managers, test managers, and others
who are important to the big picture of getting software out the door. It's
not a certified secure developer (i.e., code-slinger). The person who holds
the cert should be acquainted with security in more phases of the lifecycle
than just one. It does not, however, certify them as a security ninja in any
phase.

There was another comment about the CISSP that I found poignant: "It was too
damn easy to pass and too damn hard to keep up with the CPE point entry..."

Although point entry is tedious, it keeps the cert honest. You can't spend 3
years converting oxygen into CO2 and remain certified. You actually have to
do a few things. A CISSP person who has renewed once or twice is quite
different from someone who has passed the exam after a cram session. Someone
who certified once and lets their certification lapse is indistinguishable
from the marginally-qualified candidate who crammed, passed, but ultimately
couldn't maintain their cert.

To reject certifications altogether is (to me) to endorse a continuation of
the wild, wild west attitude towards security. Hire the best gunslinger you
can get, and figure out who that is by word of mouth, rumor, and wanted
posters at the post office. Like it or not, the citizens of this wild west
are going to demand governance by a recognizable authority. Sooner or later
these badge-wearing officials will come to town, and the scofflaws will be
marginalized. The era of Wild Bill Hickok and Billy the Kid is over. It's
only a matter of time before, for better or worse, the law moves in. We need
to be on the right side, shaping those laws, not avoiding them.

(Apologies to our international audience for an intensely US-centric
metaphor)

Paco
-- 
Paco Hope, CISSP, CSSLP
Technical Manager, Cigital, Inc
http://www.cigital.com/ | +1.703.585.7868
Software Confidence. Achieved.