Re: [SC-L] What defines an InfoSec Professional?
On Thu, 8 Mar 2007, Greg Beeley wrote:

> Perhaps one of the issues here is that if you are in operations work
> (network security, etc.), there are more aspects of the CISSP that are
> relevant to your daily work. In software development, there is usually
> just the one - app development sec - that the developer thinks about,
> unless the code has inherent security functionality, in which case
> access control, architecture/models, and cryptography can be important
> too.

Secure development certification will hopefully come to the marketplace in droves in the next year or two. One organization is not-so-privately-but-technically-not-yet-publicly preparing to roll something out in the coming months, and hopefully that will inspire others. Insert obligatory cert disclaimer here, but geez, it's badly needed to raise the bar even a hair.

> developer meet, to be a "security professional"? Should there be
> something like the Common Criteria EAL's, but somewhat less formal,
> to encourage broader use in labeling projects and code, esp. in the
> open-source world?

Dave Litchfield and I have *very* casually investigated forming a CC-like concept of Vulnerability Assessment Assurance Levels (VAAL), which is intended to reflect the depth of a vuln researcher's analysis as some crude but semi-repeatable measure of assurance. I've also done some thinking about vulnerability complexity, and I assume I've mentioned my vulnerability theory work on this list since I never shut up about it. Such concepts could be turned around to reflect the depth of understanding that a developer has - e.g. they know enough to try to strip out
Re: [SC-L] What defines an InfoSec Professional?
> [...] I do suspect that some of it is tied to the romance of
> certifications such as CISSP whereby the exams that prove you are a
> security professional talk all about physical security and network
> security but really don't address software development in any meaningful
> way. [...]

That's interesting. While I have not taken the CISSP, I have studied it a bit, and software & app development security is supposed to be one of the 10 domains that the test covers.

Perhaps one of the issues here is that if you are in operations work (network security, etc.), there are more aspects of the CISSP that are relevant to your daily work. In software development, there is usually just the one - app development sec - that the developer thinks about, unless the code has inherent security functionality, in which case access control, architecture/models, and cryptography can be important too.

I agree that the software developer is a key part of the security big picture. In fact, one of the reasons that firewalls have become so popular today is because of software bugs in host OS's and services... But software dev is unique in several ways that mean that it may be hard for the CISSP to cover it in a balanced manner. Teaching an IT person about fire and lightning protection, or about routers or firewalls, about ACL's, or even about risk management, does not have a steep learning curve. But learning the basics needed to really understand even high-level concepts regarding software security & high-assurance development practices is a much higher learning curve endeavor, in my view, for the typical IT person.

A few questions, then -- should all developers be/become security professionals? Even the most innocent "pet project" application can end up having worldwide security implications, given the way apps can be rapidly popularized these days. What qualifications should a developer meet, to be a "security professional"? Should there be something like the Common Criteria EAL's, but somewhat less formal, to encourage broader use in labeling projects and code, esp. in the open-source world?

- Greg
08-Mar-2007

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
Re: [SC-L] What defines an InfoSec Professional?
What Garigue was trying to say is that deploying a firewall on a network is not security's mandate; it is _part of_ running a network. Basic hygiene. Brushing your teeth is part of having teeth. Deploying anti-virus on a Windows desktop is not security; it is _part of_ operating a desktop.

This is an important distinction, because it captures why so much security spend is targeted at the wrong issues. Security evolved out of operations, and today we all still live with this historical baggage. If you want to operate a network or a desktop in an enterprise, you have certain security responsibilities defined by information security policy...perhaps even backed up by mechanisms, good for you, but these have little to do with information security, much like going to a dentist that just told you to brush your teeth and gave you a toothbrush would have extremely limited value, yet this is what we get from information security groups across this great cyberland of ours.

I would point you to the fallacy of keeping up with the Jones' explored in detail at the Justice League: http://www.cigital.com/justiceleague/2007/02/22/keeping-up-with-the-jones-security-initiatives/

Security groups that help businesses make risk tradeoffs based on functionality, time, and cost add value (you know, just like software development does).

"Amateurs study cryptography; professionals study economics." -- Allan Schiffman

-gp

On 3/8/07 1:07 PM, "Shea, Brian A" <[EMAIL PROTECTED]> wrote:

> The right answer is both IMO. You need the thinkers, integrators, and
> operators to do it right. The term Security Professional at its basic
> level simply denotes someone who works to make things secure.
>
> You can't be secure with only application security any more than you can
> be secure with only firewalls or NIDs. The entire ecosystem and
> lifecycle must be risk managed and that is accomplished by security
> professionals. Each professional may have a specialty due to the
> breadth of topics covered by Security (let's not forget our Physical
> Security either), but all would be expected to act as professionals.
> Professionals in this definition being people who are certified and
> expected to operate within specified standards of quality and behavior,
> much like CISSP, CPA, MD, etc.
>
> * This communication, including attachments, is for the exclusive use of
> addressee and may contain proprietary, confidential and/or privileged
> information. If you are not the intended recipient, any use, copying,
> disclosure, dissemination or distribution is strictly prohibited. If you
> are not the intended recipient, please notify the sender immediately by
> return e-mail, delete this communication and destroy all copies. *
Re: [SC-L] What defines an InfoSec Professional?
On 3/9/07, McGovern, James F (HTSC, IT) <[EMAIL PROTECTED]> wrote:

> Traditionally InfoSec folks defined themselves as being knowledgeable in
> firewalls, policies, etc. Lately, many enterprises are starting to
> recognize the importance of security within the software development
> lifecycle, where even some have acknowledged that software is a common
> problem space for those things traditionally thought of as
> infrastructure. The harder part is not in terms of recognizing the trend
> but in terms of folks from the old world acknowledging folks from the new
> world (software development) also as security professionals. I haven't
> seen many folks make this transition. I do suspect that some of it is
> tied to the romance of certifications such as CISSP whereby the exams
> that prove you are a security professional talk all about physical
> security and network security but really don't address software
> development in any meaningful way. Would be intriguing for folks here
> that blog to discuss ways for folks to transition / acknowledge respect
> not as just software developers with a specialization in security but in
> being true security professionals and treat them like peers all working
> on one common goal.

i hear you on this one. australia, at least melbourne, still doesn't seem to have any idea of software/application security professionals. almost all jobs that have 'security' in them then go on to talk about all the firewalls you must know how to configure. *sigh*. then there is the pen-testing side. there should be a new field, "security design", that accompanies application architect, etc. then you have professional guidance on the security issues when building an app.

--
mike
00110001 <3 00110111
Re: [SC-L] What defines an InfoSec Professional?
Traditionally InfoSec folks defined themselves as being knowledgeable in firewalls, policies, etc. Lately, many enterprises are starting to recognize the importance of security within the software development lifecycle, where even some have acknowledged that software is a common problem space for those things traditionally thought of as infrastructure. The harder part is not in terms of recognizing the trend but in terms of folks from the old world acknowledging folks from the new world (software development) also as security professionals. I haven't seen many folks make this transition. I do suspect that some of it is tied to the romance of certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way. Would be intriguing for folks here that blog to discuss ways for folks to transition / acknowledge respect not as just software developers with a specialization in security but in being true security professionals and treat them like peers all working on one common goal.

-Original Message-
From: Shea, Brian A [mailto:[EMAIL PROTECTED]
Sent: Thursday, March 08, 2007 2:07 PM
To: Gunnar Peterson; McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] What defines an InfoSec Professional?

> The right answer is both IMO. You need the thinkers, integrators, and
> operators to do it right. The term Security Professional at its basic
> level simply denotes someone who works to make things secure.
>
> You can't be secure with only application security any more than you can
> be secure with only firewalls or NIDs. The entire ecosystem and
> lifecycle must be risk managed and that is accomplished by security
> professionals. Each professional may have a specialty due to the
> breadth of topics covered by Security (let's not forget our Physical
> Security either), but all would be expected to act as professionals.
> Professionals in this definition being people who are certified and
> expected to operate within specified standards of quality and behavior,
> much like CISSP, CPA, MD, etc.
[SC-L] Justice League » Blog Archive » Cigital's Touchpoints versus Microsoft's SDL [Cigital]
SC-L,

I'm often asked by folks to compare and contrast some of the various published software security practices, from Microsoft's SDL and OWASP's CLASP through Cigital's "Touchpoint" processes. My own view is that they all offer value and are all worthy of consideration.

In his most recent "Justice League" blog entry, Gary McGraw offers his own (obviously biased, as Cigital's CTO) comparison between their own approaches and Microsoft's SDL. You can read what he has to say at: http://www.cigital.com/justiceleague/2007/03/08/cigitals-touchpoints-versus-microsofts-sdl/

After recently reading Michael Howard and Steve Lipner's SDL book, I found a lot that I liked -- notably their discussions about testing. I admit that it largely changed my opinion about the value of (smart) fuzzing, for example.

But how about others' experiences? I've found a lot of people feel comfortable with Microsoft's STRIDE / DREAD approaches because they're relatively lightweight and an easy first step to take. Anyone here care to offer their own opinions and experiences?

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] What defines an InfoSec Professional?
The right answer is both IMO. You need the thinkers, integrators, and operators to do it right. The term Security Professional at its basic level simply denotes someone who works to make things secure.

You can't be secure with only application security any more than you can be secure with only firewalls or NIDs. The entire ecosystem and lifecycle must be risk managed and that is accomplished by security professionals. Each professional may have a specialty due to the breadth of topics covered by Security (let's not forget our Physical Security either), but all would be expected to act as professionals. Professionals in this definition being people who are certified and expected to operate within specified standards of quality and behavior, much like CISSP, CPA, MD, etc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
Sent: Thursday, March 08, 2007 9:13 AM
To: [EMAIL PROTECTED]
Cc: SC-L@securecoding.org
Subject: Re: [SC-L] What defines an InfoSec Professional?

> actually just the former. Robert Garigue characterized firewalls, nids,
> et al as good network hygiene. The equivalent of a dentist telling you
> to brush your teeth. An infosec pro needs much more depth than that. The
> model is charlemagne
>
> http://1raindrop.typepad.com/1_raindrop/2007/02/thinking_about_.html
>
> -gp
Re: [SC-L] What defines an InfoSec Professional?
actually just the former. Robert Garigue characterized firewalls, nids, et al as good network hygiene. The equivalent of a dentist telling you to brush your teeth. An infosec pro needs much more depth than that. The model is charlemagne

http://1raindrop.typepad.com/1_raindrop/2007/02/thinking_about_.html

-gp

-Original Message-
From: "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]>
Date: Thursday, Mar 8, 2007 10:27 am
Subject: [SC-L] What defines an InfoSec Professional?

> If you have two individuals, one of which has been practicing secure
> coding practices and encouraging others to do so for years while another
> individual was involved with firewalls, intrusion detection, information
> security policies and so on, are they both information security
> professionals or just the latter?
[SC-L] What defines an InfoSec Professional?
If you have two individuals, one of which has been practicing secure coding practices and encouraging others to do so for years while another individual was involved with firewalls, intrusion detection, information security policies and so on, are they both information security professionals or just the latter?
[SC-L] Information Protection Policies
Hopefully lots of the consultants on this list have been wildly successful in getting Fortune enterprises to embrace secure coding practices. I am curious to learn of those who have also been successful in getting these same Fortune enterprises to incorporate the notion of secure coding practices into an information protection policy and whether there are any publicly available examples.
[SC-L] STSC CrossTalk - Secure Coding Standards - Mar 2007
Greetings SC-Lers,

Sitting here in the DHS Software Assurance forum today, I browsed a copy of the CrossTalk journal, "The Journal of Defense Software Engineering". This month's issue is focused on software security, and there are numerous articles in it that are likely to be of general interest to some of you. The journal has an RSS feed (http://www.stsc.hill.af.mil/crosstalk/CrossTalk.rss) and all the articles are available for free on-line.

This article by James Moore and Robert Seacord, http://www.stsc.hill.af.mil/crosstalk/2007/03/0703MooreSeacord.html, caught my eye in particular. Check it out. Neat stuff, for free.

Cheers,

Ken

P.S. Some of you had reported problems with your emailers in reading my previously PGP-signed postings. I'm now experimenting with signing via S/MIME and a free X.509 certificate from Thawte. Those of you who reported the PGP problems to me (you know who you are), is this any better? Please reply off-list.

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com