Secure Coding mailing list archives
CSSLP
From: Paco at cigital.com (Paco Hope)
Date: Mon, 23 Mar 2009 16:22:52 -0400
On 3/21/09 6:43 PM, "Jim Manico" <jim at manico.net> wrote:
What really bothers me is that the CSSLP looks appsec operations focused - not developer SDLC focused (or so I've heard). The SANS cert for software security seems to drill a lot more into actual activities a developer should take in order to write secure code and seems somewhat reasonable to me. I think a secure software architecture cert would round out current offerings well.
As a SME for that exam (i.e., one of the guys who makes exam questions and such), you're exactly right. It definitely is skewed towards a holistic, operations-type feel. However, you've misidentified its target. The target of the CSSLP is anyone involved in the software (though perhaps we should say "system") development lifecycle. It targets not just developers, but also testers, release managers, test managers, and others who are important to the big picture of getting software out the door. It's not a certified secure developer (i.e., code-slinger). The person who holds the cert should be acquainted with security in more phases of the lifecycle than just one. It does not, however, certify them as a security ninja in any phase.

There was another comment about the CISSP that I found poignant: "It was too damn easy to pass and too damn hard to keep up with the CPE point entry..." Although point entry is tedious, it keeps the cert honest. You can't spend 3 years converting oxygen into CO2 and remain certified. You actually have to do a few things. A CISSP person who has renewed once or twice is quite different from someone who has passed the exam after a cram session. Someone who certified once and lets their certification lapse is indistinguishable from the marginally-qualified candidate who crammed, passed, but ultimately couldn't maintain their cert.

To reject certifications altogether is (to me) to endorse a continuation of the wild, wild west attitude towards security. Hire the best gunslinger you can get, and figure out who that is by word of mouth, rumor, and wanted posters at the post office. Like it or not, the citizens of this wild west are going to demand governance by a recognizable authority. Sooner or later these badge-wearing officials will come to town, and the scofflaws will be marginalized. The era of Wild Bill Hickok and Billy the Kid is over. It's only a matter of time before, for better or worse, the law moves in.
We need to be on the right side, shaping those laws, not avoiding them. (Apologies to our international audience for an intensely US-centric metaphor)

Paco

--
Paco Hope, CISSP, CSSLP
Technical Manager, Cigital, Inc
http://www.cigital.com/
+1.703.585.7868
Software Confidence. Achieved.