[SC-L] What defines an InfoSec Professional?

SC-L Subscriber Dave Aronson secureCoding2dave at davearonson.com
Fri Mar 9 09:50:36 EST 2007


James.McGovern at thehartford.com writes:

> certifications such as CISSP whereby the exams that
> prove you are a security professional talk all about
> physical security and network security but really don't
> address software development in any meaningful way.

Perhaps what is needed is a separate certification.  It would be nice to know that someone knows how to write software in a secure manner, but it's not necessary that they know all about physical security, firewall rules, etc.  It could even be done at multiple levels, like Sun's Java certs, to certify knowledge of secure design principles vs. secure *implementation* principles, maybe even going onward to principles of building security into the process.  Something like, say, Certified Secure Programmer, Coder, and Software Engineer, respectively.

> Would be intriguing for folks here that blog to discuss ways

...in their blogs?  <rant size="micro">That's not discussion, that's pontificating.  It also detracts from discussion, by fracturing it.</rant>  Discussion is what we're having *here*, so whether someone blogs is irrelevant.

-Dave