WebApp Sec mailing list archives
RE: Notes from CISSP class with Dr. Eric Cole
From: "Mark Roxberry" <mroxberr () msn com>
Date: Wed, 12 Oct 2005 14:29:46 -0400
"That customer now checks the background
and even tests CISSP before they are allowed to do any work."
"allowed to do any work" CISSP is not for techs, plain and simple. There are those that use it to boost their image as a tech, but it's not tech. It's like asking an MBA to be a retail clerk. Personally, as a CISSP, I consult clients on Risk Analysis, Disaster Recovery Planning and Business Continuity, and Legal / Investigative (Forensic Analysis). I farm out tech work to many different companies (IDS/IPS providers, Physical security providers). Like finding a specialist. Does that make me unqualified as a pen-tester with 5 letters after my name? Sure. So what? You can get an MD in Guatemala or order your JD online. Just a bunch of letters. One thing that my experience as a CISSP has taught me, of all fields, DUE DILIGENCE is mandatory. The anecdotes provided only show that companies hiring people are not performing due diligence. They're even more guilty than the fraud they hired. Mark Roxberry, CISSP
-----Original Message----- From: kgp () nethere com [mailto:kgp () nethere com] Sent: Wednesday, October 12, 2005 12:24 PM To: Saqib Ali Cc: intel96; PPowenski () oag com; dreamwvr () dreamwvr com; webappsec () securityfocus com Subject: Re: Notes from CISSP class with Dr. Eric Cole I'm glad this was stated. I was going to say something similar but Saqib said it more eloquently. I will reinforce the statement. An SSCP should be able to perform some technical skills (this hasn't caught on however). A CISSP is a managerial qualification. Lee Iacocca better know damn well how to manage car manufacturing, risks, architecture, and appropriate laws. But it would be a mistake to think he could go operate the machinery. I'd even go so far as to say he may know a great deal about the machinery (mean time to failure, load capacities, etc) but he wouldn't know what knobs to turn or buttons to push. Nothing in the CISSP focuses on anything very technical. Why would we expect a CISSP to do things we didn't test them on? Kevin Quoting Saqib Ali <docbook.xml () gmail com>:The second case involved a pentest where a CISSP had conducted aprojectfor a web portal. The CISSP told the customer the portal was secure, but the customer had concerns about the quality of the work perform. Again I was called in to check the other CISSP's work and I was abletogain root access in 6 hours. That customer now checks the background and even tests CISSP before they are allowed to do any work.It is not the job of a CISSP to tell if a application is secure (hack proof) or not. It is like asking a District Attorney to perform Police Detective work. It doesn't work like that. You need a different skillset to perform detective work. -- In Peace, Saqib Ali http://www.xml-dev.com/blog/ Consensus is good, but informed dictatorship is better.
Current thread:
- Re: Notes from CISSP class with Dr. Eric Cole, (continued)
- Re: Notes from CISSP class with Dr. Eric Cole Eoin Keary (Oct 11)
- Re: Notes from CISSP class with Dr. Eric Cole dreamwvr (Oct 11)
- Re: Re: Notes from CISSP class with Dr. Eric Cole f_kenisky (Oct 11)
- Re: RE: Notes from CISSP class with Dr. Eric Cole f_kenisky (Oct 11)
- RE: RE: Notes from CISSP class with Dr. Eric Cole Craig Wright (Oct 12)
- RE: Notes from CISSP class with Dr. Eric Cole PPowenski (Oct 12)
- Re: Notes from CISSP class with Dr. Eric Cole intel96 (Oct 12)
- Re: Notes from CISSP class with Dr. Eric Cole Saqib Ali (Oct 12)
- Re: Notes from CISSP class with Dr. Eric Cole intel96 (Oct 12)
- Re: Notes from CISSP class with Dr. Eric Cole kgp (Oct 12)
- RE: Notes from CISSP class with Dr. Eric Cole Mark Roxberry (Oct 12)
- Re: Notes from CISSP class with Dr. Eric Cole intel96 (Oct 12)
- Re: Notes from CISSP class with Dr. Eric Cole Saqib Ali (Nov 02)