Hi Yo (and everyone else),

I'm afraid that the current test focuses all of its attention on BUGS (in C/C++ 
and Java).  While we certainly need to eradicate simple security bugs, there 
is much more to software security than the bug parade.  Plus when you look into 
the material, the multiple choice format makes determining the correct answer 
impossible at times.

I would rather move away from learning about bugs to learning about defensive 
programming to avoid bugs in the first place.  The SANS material focuses 
entirely on the negative as far as I can tell.  Here's a bug, there's a bug, 
everywhere a bug bug.  Better than nothing?  Maybe.

SANS is very good at soliciting everyone's opinion, piling it all up in a nice 
package, and then charging users for the result.  SANS is a for-profit entity, 
not a university or a non-profit.  Please don't forget that.

As much as I would love to see a way to determine whether a random coder has 
security clue, I'm afraid all we will get out of this effort is perhaps a bit 
more awareness.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johan Peeters
Sent: Saturday, May 12, 2007 6:11 AM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification

I agree that multiple choice alone is inadequate to test the true
breadth and depth of someone's security knowledge. Having contributed
a few questions to the SANS pool, I take issue with Gary's article
when it implies that you can pass the GSSP test while clueless.

There is indeed a body of knowledge that is being tested. SANS has
been soliciting comments on the document.

kr,

Yo

On 5/11/07, Gary McGraw <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> As readers of the list know, SANS recently announced a certification scheme 
> for secure programming.  Many vendors and consultants jumped on the 
> bandwagon.  I'm not so sure the bandwagon is going anywhere.  I explain why 
> in my latest darkreading column:
>
> http://www.darkreading.com/document.asp?doc_id=123606
>
> What do you think?  Can we test someone's software security knowledge with a 
> multiple choice test?  Anybody seen the body of knowledge behind the test?
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>


--
Johan Peeters
http://johanpeeters.com
