> [...] I do suspect that some of it is tied to the romance of
> certifications such as CISSP whereby the exams that prove you are a
> security professional talk all about physical security and network
> security but really don't address software development in any meaningful
> way. [...]
That's interesting. While I have not taken the CISSP, I have studied it a bit, and software & application development security is supposed to be one of the 10 domains that the test covers. Perhaps one of the issues here is that if you are in operations work (network security, etc.), there are more aspects of the CISSP that are relevant to your daily work. In software development, there is usually just the one - application development security - that the developer thinks about, unless the code has inherent security functionality, in which case access control, architecture/models, and cryptography can be important too.

I agree that the software developer is a key part of the security big picture. In fact, one of the reasons that firewalls have become so popular today is because of software bugs in host OSes and services...

But software development is unique in several ways that may make it hard for the CISSP to cover it in a balanced manner. Teaching an IT person about fire and lightning protection, about routers or firewalls, about ACLs, or even about risk management does not have a steep learning curve. But learning the basics needed to really understand even high-level concepts regarding software security and high-assurance development practices is a much steeper learning curve, in my view, for the typical IT person.

A few questions, then:

- Should all developers be/become security professionals? Even the most innocent "pet project" application can end up having worldwide security implications, given the way apps can be rapidly popularized these days.
- What qualifications should a developer meet to be a "security professional"?
- Should there be something like the Common Criteria EALs, but somewhat less formal, to encourage broader use in labeling projects and code, esp. in the open-source world?
- Greg 08-Mar-2007

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________