Secure Coding mailing list archives

Blog skiiers versus snowboarders CISSPs vs programmers


From: James.R.Lindley at irs.gov (Lindley James R)
Date: Wed, 13 Jan 2010 13:06:44 -0500

I am the designated certification hog (see sigblok) for my group, which
does source code security analysis and pen testing.  So I'm fairly
familiar with what goes into getting and keeping these certs.  And I
don't think that a CISSP is nearly specific enough for software source
code security.

Now, I'm not too sure about skiers vs snowboarders, because I've never
done either (acrophobic and unwilling to fall down in slush), but I have
described what I do in source code analysis as "plumbing inspection",
because I have done plumbing.  So if I want to explain to people just
what my job entails, I generally read from the following gospel points.

* If there is one word I would remove from the lexicon of software
development, it is the word "developer", which has as much meaning in
the maturing disciplines of software architecture, engineering, and
construction as the word "scientist" now has in science.  The more
mature a discipline becomes, the more specialized (siloed?) is the
knowledge of the practitioners and the more specifically we have to
describe what they do in order to attain precision.  Joseph Priestley and
Ben Franklin may have been scientists, but no one today is a "chemist"
or even a "physicist", much less a "scientist" in that older sense.
Properly named, they may be an "organic chemist" or "theoretical
physicist specializing in string theory". When people say "developer" in
regard to software engineering, to whom are they referring?  Because
every phase of software development takes a person with a specific
psychological nature and skill set.

* The gregarious nature of a requirements engineer with good writing
skills to identify the stakeholders and use interviewing (and sometimes,
interrogation) techniques to tease out the stakeholder's descriptions
of what they want and convert the stakeholders' statements to well
written problem space requirements and then to help the project manager
get stakeholder buy-in. The requirements engineer produces the "problem
space".  The requirements engineer is a "people" person.

* The detail oriented nature and rigorous technical/mathematical skills
of the specification engineer, who turns the problem space statements
into mathematically resolvable solution space specifications, where the
boolean results of specification satisfaction generally depend on an
underlying arithmetic condition.  Because if a specification doesn't
resolve mathematically, you can't test it. (Sorry, married to a very
good QA Director.)  The specification writer (engineer) produces the
solution space.

* The visionary, generalist nature of a designer with broad knowledge of
the various technologies and components that will be able to satisfy the
specifications. Able to create detailed data schema and HIPO-type
functions charts, data item definitions, etc.  The architect.  In my
time, thoroughly familiar with James Martin graphics, now with UML and
other such representations.

* The code writer, very detail oriented and skilled in speaking and
writing a non-native language.  In a software construction comparison to
home construction, these are the bricklayers, electricians, carpenters,
plumbers. Able to turn the designer's work into source code.  A code
writer must be thought of as a craftsman at wordsmithery in a non-native
language.  The code writer produces the bricks and mortar of software
construction.  Usually not a people person?

* In far too many software construction enterprises that I have served
with, "giving the requirements to the developers" has meant
short-circuiting from requirements to code writing, which is like
gathering a carpenter, a plumber, an electrician, etc., on an acre lot
and saying, "I want a three bedroom, two bath house on this lot.  Build
me a house."

* Now, if what I do (source code security analysis) is plumbing
inspection, it means that 1) I MUST BE EITHER A MASTER PLUMBER or VERY
WELL VERSED in speaking and writing the same language as the code writer
(i.e., I have to know what good plumbing looks like), 2) I must be VERY
FAMILIAR with poorly constructed source code in that language (I have to
know what bad plumbing looks like), 3) I must know how to REPAIR bad
plumbing, and 4) I don't analyze or assess anything from the
architectural phases (requirements, specifications, design).  So my
plumbing inspector has the psychology and skill set of a code writer
PLUS an ability to teach (explain the results to both technical and
non-technical personnel).

* When it comes to certifications here, pretty much every certification
that I list below is irrelevant (I have an old unlisted C/C++ cert).
I'm looking for (and studying for) a Sun Certified Java Programmer
(SCJP) or a Microsoft Certified Software Developer (MCSD).  I can teach
a good plumber (code writer) how to inspect (analyze code security) in
six+ months at most.  But I don't have the time to teach them plumbing
(coding), especially since the security team DOESN'T plumb (write
programs).  If they aren't good plumbers when they get here, I don't
have the time to teach them the craft.

So, to conclude the rant, IMNSHO, source code security analysis is a
VERY SPECIALIZED sub-field of software construction and DEPTH of
knowledge of code writing is far more valuable than BREADTH of knowledge
of security.  And no tool will ever replace the human element here,
because great craftsmen produce works of art in software form.  And
appreciating a work of art requires a human mind.

JimL
James R Lindley
Senior Technical Analyst
CISSP-ISSAP/ISSEP/ISSMP, CSSLP, CISA, PMP, CHS-III, CNE, 
SSE-CMM Appraiser, MCSE, MCT, CNSS 4013, A+
Advanced Technical Analysis Team
Security Engineering
MITS Cybersecurity
OS:CIO:CS:SE:AA
Cube: NCFB C6-462
Cube: 202-283-1590
Cell: 410-703-4127
An unquenchable thirst for Pierian waters.
 


 

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Benjamin Tomhave
Sent: Wednesday, January 13, 2010 8:24 AM
To: Secure Coding
Subject: Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs
programmers

I'm not even sure why we're talking about CISSPs in this regard. Having
a CISSP proves nothing; it's merely a blind HR/recruiter checklist item.
I've personally met dozens of CISSPs who can't answer the most basic of
security questions.

The short-term comes down to what Gary talked about recently, which is
getting a software security group (or team) established and functioning
well. Over time, outreach and education run by the SSG then begins to
permeate the organization until, hopefully, some day, the SSG can shrink
or dissolve and let security stand on its own. We obviously have a long
way to go as an industry before we reach that point.

fwiw.

-ben

Arian J. Evans wrote:
The software security problem is a huge problem. There are not enough 
CISSPs to even think about solving this problem.

CISSPs probably should have a tactical role helping categorize, 
classify, and facilitate getting things done. Scanner jockeys and 
network security folk will lead the operational charge to WAF and 
block and such. (good or bad, you're gonna need this stuff, the 
problem is just too darn big)

I don't think many good devs who enjoy building are going to want to 
change careers to do source code audits. That gets mind numbing 
awfully fast.

Developers definitely have a role to play in solving a lot of the 
basic syntax-attack stuffs, by proper selection and application of 
modern frameworks, technologies, and gap-APIs (like ESAPI). Most 
CISSPs lack the skill to provide much value here.

Design issues will always exist, unless users some day wake up and 
decide they prefer security over usability. But I don't see that 
happening any time soon. Heck, my password on all my work machines is 
"password".

$0.02 USD.

---
Arian Evans
capitalist marksman. eats animals.



On Tue, Jan 12, 2010 at 8:44 AM, Matt Parsons <mparsons1980 at gmail.com>
wrote:
I wrote a blog on the state of software security using the analogy of
skiers versus snowboarders in the early 90's.

Please let me know your thoughts and comments by replying to this 
list or my blog.

http://parsonsisconsulting.blogspot.com/



Thanks,
Matt



Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
mailto:mparsons1980 at gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/





_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org List 
information, subscriptions, etc - 
http://krvw.com/mailman/listinfo/sc-l
List charter available at -
http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com) as a free, non-commercial service to the
software security community.
_______________________________________________




--
Benjamin Tomhave, MS, CISSP
tomhave at secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"I have no special talent. I am only passionately curious."
Albert Einstein
