Secure Coding mailing list archives

Blog skiers versus snowboarders CISSPs vs programmers


From: list-spam at secureconsulting.net (Benjamin Tomhave)
Date: Wed, 13 Jan 2010 08:23:53 -0500

I'm not even sure why we're talking about CISSPs in this regard. Having
a CISSP proves nothing; it's merely a blind HR/recruiter checklist item.
I've personally met dozens of CISSPs who can't answer the most basic of
security questions.

The short-term comes down to what Gary talked about recently, which is
getting a software security group (or team) established and functioning
well. Over time, outreach and education run by the SSG then begins to
permeate the organization until, hopefully, some day, the SSG can shrink
or dissolve and let security stand on its own. We obviously have a long
way to go as an industry before we reach that point.

fwiw.

-ben

Arian J. Evans wrote:
The software security problem is a huge problem. There are not enough
CISSPs to even think about solving this problem.

CISSPs probably should have a tactical role helping categorize,
classify, and facilitate getting things done. Scanner jockeys and
network security folk will lead the operational charge to WAF and
block and such. (good or bad, you're gonna need this stuff, the
problem is just too darn big)

I don't think many good devs who enjoy building are going to want to
change careers to do source code audits. That gets mind numbing
awfully fast.

Developers definitely have a role to play in solving a lot of the
basic syntax-attack stuffs, by proper selection and application of
modern frameworks, technologies, and gap-APIs (like ESAPI). Most
CISSPs lack the skill to provide much value here.

Design issues will always exist, unless users some day wake up and
decide they prefer security over usability. But I don't see that
happening any time soon. Heck, my password on all my work machines is
"password".

$0.02 USD.

---
Arian Evans
capitalist marksman. eats animals.



On Tue, Jan 12, 2010 at 8:44 AM, Matt Parsons <mparsons1980 at gmail.com> wrote:
I wrote a blog on the state of software security using the analogy of skiers
versus snowboarders in the early 90's.

Please let me know your thoughts and comments by replying to this list or my
blog.

http://parsonsisconsulting.blogspot.com/



Thanks,
Matt



Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/





_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________




-- 
Benjamin Tomhave, MS, CISSP
tomhave at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"I have no special talent. I am only passionately curious."
Albert Einstein

