PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Arian J. Evans
Sent: Wednesday, May 16, 2007 4:05 PM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification
I don't understand this thread. These are different sets of issues. Often, they
are different sets of p
I don't understand this thread. These are different sets of issues. Often,
they are different sets of people. Organizational size is a factor. A
three-man startup is going to have a lot of hat overlap, where a monolithic
enterprise is going to have broad distribution of hats. The spirit of this
th
-
From: McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 16, 2007 03:08 PM Eastern Standard Time
To: SC-L@securecoding.org
Subject: [SC-L] Darkreading: Secure Coding Certification
Maybe the test shouldn't focus on code at all? If we can agree that
IT); 'SC-L@securecoding.org'
Subject: RE: [SC-L] Darkreading: Secure Coding Certification
Hi all,
I like this idea. There is plenty of non-code material to master in our
field. I think a bunch of it is covered in detail in "Software
Security"...but I am biased.
I would like to
> Maybe the test shouldn't focus on code at all? If we can agree that many
> flaws are found at design time even before code is written (Yes, most
> folks still use waterfall approaches but that is a different debate)
> then why can't questions occur at this level?
It was decided early on that th
Maybe the test shouldn't focus on code at all? If we can agree that many flaws
are found at design time even before code is written (Yes, most folks still use
waterfall approaches but that is a different debate) then why can't questions
occur at this level?
If we follow the trend of IT at larg
Lots of interesting points have been made about the SANS test in particular
and multiple choice certifications in general. I think that this, and no I
haven't seen the questions so I could be wide of the mark, are a pragmatic
step in the right direction. I agree that while this sort of exam can
ast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Johan Peeters
Sent: Saturday, May 12, 2007 6:11 AM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Codin
a bit
> more awareness.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> [...] White list validation is the answer to everything except the
> difficult choices developers have to make and often get wrong.
> [...]
> (past,present,future) of the data is that single application? How do you
> test the ability for developers to make the best decisions in imperfect
>
ec.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Johan Peeters
Sent: Saturday, May 12, 2007 6:11 AM
To: SC-L@securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification
I agree that multiple choice alone is inadequate to test the true
ication? How do you
test the ability for developers to make the best decisions in imperfect
situations?
-Original Message-
From: Florian Weimer <[EMAIL PROTECTED]>
To: "Johan Peeters" <[EMAIL PROTECTED]>
Cc: "SC-L@securecoding.org"
Date: Sun, 13 May 2007
At 11:35 AM -0400 5/14/07, Greg Beeley wrote:
> Agreed in concept to the "no second-class citizens" idea. But I think
> the test needs to have a language-specific element to it. Every language
> and environment has unique pitfalls and security considerations. A
> developer who knows to avoid me
At 1:24 PM -0400 5/14/07, Steven M. Christey wrote:
> The current tests are designed to handle specific skills in specific,
> prominent languages. Other tests might come out as a result of demand.
So what are those languages ? Presumably not HTML.
At 8:04 AM -0400 5/12/07, ljknews wrote:
> A
On Sat, 12 May 2007, ljknews wrote:
> but based on biases I see on this list, I tend to believe that those
> who make such a certification scheme would bias it toward:
>
> Programming done in C and derivative languages (C++, Java, etc.)
>
> Programming relying on TCP/IP
>
> neither of
> 1. ONLY consultants and vendors have jumped on the bandwagon. Other IT
> professionals such as those who work in large enterprises have no
> motivation to pursue.
>
> 2. The target price for the exams will be an impediment as many folks who
> can't get reimbursed for taking them will not bo
On Fri, 11 May 2007, Gary McGraw wrote:
> What do you think? Can we test someone's software security knowledge
> with a multiple choice test? Anybody seen the body of knowledge behind
> the test?
I've participated heavily in the development of the test by contributing
questions, giving guidanc
On Mon, 14 May 2007, McGovern, James F (HTSC, IT) wrote:
> 1. ONLY consultants and vendors have jumped on the bandwagon. Other IT
> professionals such as those who work in large enterprises have no
> motivation to pursue.
"Only" vendors have jumped on the bandwagon? The software developers are
Subject: [SC-L] Darkreading: Secure Coding Certification
Hi all,
As readers of the list know, SANS recently announced a certification scheme for
secure programming. Many vendors and consultants jumped on the bandwagon. I'm
not so sure the bandwagon is going anywhere. I expl
* Johan Peeters:
> I agree that multiple choice alone is inadequate to test the true
> breadth and depth of someone's security knowledge. Having contributed
> a few questions to the SANS pool, I take issue with Gary's article
> when it implies that you can pass the GSSP test while clueless.
But I
> I agree that multiple choice alone is inadequate to test the true
> breadth and depth of someone's security knowledge. Having contributed
> a few questions to the SANS pool, I take issue with Gary's article
> when it implies that you can pass the GSSP test while clueless.
>
> There is indee
I agree that multiple choice alone is inadequate to test the true
breadth and depth of someone's security knowledge. Having contributed
a few questions to the SANS pool, I take issue with Gary's article
when it implies that you can pass the GSSP test while clueless.
There is indeed a body of knowl
At 11:17 AM -0400 5/11/07, Gary McGraw wrote:
> As readers of the list know, SANS recently announced a certification
> scheme for secure programming. Many vendors and consultants jumped
> on the bandwagon. I'm not so sure the bandwagon is going anywhere.
> I explain why in my latest darkreading
Hi all,
As readers of the list know, SANS recently announced a certification scheme for
secure programming. Many vendors and consultants jumped on the bandwagon. I'm
not so sure the bandwagon is going anywhere. I explain why in my latest
darkreading column:
http://www.darkreading.com/docume