> 1. ONLY consultants and vendors have jumped on the bandwagon. Other IT
> professionals such as those who work in large enterprises have no
> motivation to pursue.
>
> 2. The target price for the exams will be an impediment as many folks who
> can't get reimbursed for taking them will not bother.

Agreed. There might be some value to a software development outsourcing company, but that will limit coverage. I definitely know that the pricing issue would prevent me from taking the exam, but I'm in nonprofit/charity work; I am not representative of most of the industry...

> 3. It needs to be more language agnostic. Folks who code in Smalltalk,
> Ruby or scripting languages should not be treated as second class citizens.

Agreed in concept to the "no second-class citizens" idea. But I think the test needs to have a language-specific element to it. Every language and environment has unique pitfalls and security considerations. A developer who knows to avoid memory management, buffer, and integer issues in C may have no clue about nul-poisoning in a web scripting language's counted (as opposed to zero-terminated) strings.

> 4. I would not measure "experience" but desire to pursue knowledge.
> Experience over time can get static. How many of us know a COBOL
> programmer who has had one year of experience twenty times?

To me, the "experience" qualification isn't so much "how many years of coding", but how much has the person actually practiced "secure coding"? An experienced secure coder is much more able to recognize, at a glance, issues in the code and in the design, as compared to someone who has been recently trained at a secure coding "boot camp". But I do agree with you that experience in terms of time is a somewhat rough metric.

Greg.

_______________________________________________
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
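An added illustration of the counted-string versus zero-terminated-string mismatch that Greg mentions (my example, not code from the list or any participant): a filename check written against a length-counted string passes, while a C-backed call underneath would stop at the first NUL and see a different name. The filenames and the `.txt` policy are constructed for the demonstration.

```python
"""Embedded-NUL ("nul-poisoning") mismatch between counted and C strings.

Constructed example: scripting-language strings carry an explicit length,
so a validator can accept a value that a NUL-terminated C API (open(),
stat(), ...) would silently truncate at the first NUL byte.
"""
import os


def c_string_view(s: str) -> str:
    """What a NUL-terminated C API would see: everything before the first NUL."""
    nul = s.find("\0")
    return s if nul < 0 else s[:nul]


def naive_allowed(filename: str) -> bool:
    """Counted-string policy check: only .txt names, no traversal.

    It inspects the whole string, including anything after a NUL,
    which is exactly what the C layer below it will never see.
    """
    return filename.endswith(".txt") and ".." not in filename


def hardened_allowed(filename: str) -> bool:
    """Same policy, but an embedded NUL is rejected outright first."""
    if "\0" in filename:
        return False
    return naive_allowed(filename)


def validation_mismatch(filename: str) -> bool:
    """True when the counted-string check passes but the C view differs."""
    return naive_allowed(filename) and c_string_view(filename) != filename


def os_layer_rejects(filename: str) -> bool:
    """Modern CPython refuses to hand an embedded NUL to the C layer at all
    (ValueError), which is the kind of runtime defence a coder should know
    may or may not exist in their language."""
    try:
        os.stat(filename)
    except ValueError:
        return True
    except OSError:
        return False
    return False


if __name__ == "__main__":
    poisoned = "secret.conf\0.txt"  # constructed: passes naive check, C sees secret.conf
    print(naive_allowed(poisoned), c_string_view(poisoned), hardened_allowed(poisoned))
```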