Secure Coding mailing list archives

any one a CSSLP is it worth it?


From: dana at vulscan.com (Dana Epp)
Date: Wed, 14 Apr 2010 11:58:57 -0700

Not sure that would work either though.

Many secdev people are introverts. In their shell, they won't debate
the validity of a position, including a wrong answer. Zone that into a
response in the exam. It's one thing to say "there is no correct
answer", but the way the questions are set at ISC2, it's "what is the
BEST answer out of this list". By the end of the 6 hours your eyes are
glossed over as you actually had to think. But it's still better than
the 1-2 hr absolute answer exams from many orgs.

I think where Gary nailed it on the head is you have to be a good
developer BEFORE you can be good at secdev. Poorly written code can
not be trusted. It cannot be safe. The rest is moot.

I have never been one to trust a piece of paper. Education comes from
doing. Book knowledge cannot be the only weapon in a secdev's
experience portfolio. He needs war wounds. Real scars of experience.
He needs to learn from his own experience and apply that as the field
matures and grows. I see far too many people who think because they
opened Ken Van Wyk's, Michael Howard's or Gary McGraw's books that
they now get secdev. Without actually applying that knowledge
transfer. Review their code, and it's far from absolute. Especially in
failure code paths. Don't get me wrong... it's essential reading. But
it's not enough. Doing is.

In the immortal words of Yoda... "Do or do not. There is no try."

I wonder if a bigger problem is that corps are relying on these
certifications to weed out the bad apples? Does NOT having CSSLP mean
the candidate sucks at secdev? Or the reverse, can anyone who passed
the CSSLP be trusted to get it right all the time? Absolute security
is a fallacy. As is perfect code. With enough money and motive,
anything can be breached. A piece of paper won't stop that. Nor that
crappy piece of code that I didn't properly threat model 15 years ago
that is still in use today.

-- 
Regards,
Dana Epp
Microsoft Security MVP

On Wed, Apr 14, 2010 at 8:24 AM, Wall, Kevin <Kevin.Wall at qwest.com> wrote:

Gary McGraw wrote...

Way back on May 9, 2007 I wrote my thoughts about
certifications like these down. The article, called
"Certifiable" was published by darkreading:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it
almost 100%. The only part where I disagree with it is where you wrote:

        The multiple choice test itself is one of the problems. I
        have discussed the idea of using multiple choice to
        discriminate knowledgeable developers from clueless
        developers (like the SANS test does) with many professors
        of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless
using multiple choice if you "cheat". Here's how you do it. You write
up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
answers.

The clueless ones are the ones who just answer the question with one of
the possible choices. The clueful ones are the ones who come up and argue
with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall           Qwest Information Technology, Inc.
Kevin.Wall at qwest.com    Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
   - Edsger Dijkstra, How do we tell truths that matter?
     http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

