R.I.P. CISSP
We all know about the CISSP. You’ve heard the whispered hallway conversations. You’ve seen the business cards, the email signatures, and the government contract requirements. You might even know the secret handshake, or have the magical letters attached to your name somewhere yourself.
Alternatively, you may despise what it has done to the IT security industry and community. I do not despise it, and while I embrace it in concept (I’m not a CISSP, by the way) – I have to agree that it has outlived its usefulness as a technical measure of capability. Special note: this is a very bad thing and it needs attention. No show of hands necessary.
Not all of the CISSP has been bad. It’s given our industry a way to measure strong analyst level skills with information security concepts. Some claim there are benefits in the CBOK and ethics charter — although these have been debated into nothingness over the years, with no innovations or improvements made. While some may argue that the CISSP was DOA, no one can dispute the fact that the CISSP’s ability to deliver is currently MIA.
Wait, you’re a CISA? Wait, you are a <insert other IT security certification here>? You’ll also want to read on, because this also refers to you.
Specialist or Generalist: Pick one. Whoops, you’re too slow
I read Dan Geer’s keynote at SOURCE Boston a few weeks ago, and a few things hit me. Near the end, he says:
Only people in this room will understand what I am now going to say. It is this: Security is perhaps the most difficult intellectual profession on the planet. The core knowledge base has reached the point where new recruits can no longer hope to be competent generalists, serial specialization is the only broad option available to them.
Geer is right: security is hard. It’s also very intellectual. It brings a lot of ideas to the table.
Kevin Mitnick was doing his thing way before the CISSP was around. It wasn’t until later that we saw intellectual-success (but possibly ethical-failure) stories such as Adrian Lamo’s, who showed that expert-level penetration testing can be done by a hacker without a home, armed with a simple (possibly even outdated by the average technology standards of the day) laptop and a web browser.
The reason why Adrian Lamo was so good, the reason why this industry exists, and the reason why security products fail are all interlinked problems. The only people who stand to win are the people who cause the most damage. Security is about damage prevention. Which is why Ranum is probably right, although I guess that’s an argument for another time.
I sometimes (read: not often enough) work with a handful of people. Most are specialists — a world-renowned secure code reviewer, one of the world’s best pen-testers (so I hear, even from outside my organization), and an audit/framework/process guru. The generalists in our group (like myself) are a dying breed. I might also add that at least one of them is my age and brings an even broader skill-set and expertise to the table than I do. I consider myself very fortunate. Let me continue with this train of thinking by bringing us back to what Geer was saying about specialists vs. generalists:
Generalists are becoming rare, and they are being replaced by specialists. This is speciation in action, and the narrowing of niches. In rough numbers, there are somewhere close to 5,000 various technical certifications you can get in the computer field, and the number of them is growing, thus proving the conjecture of specialization […] will not stop.
Today, I want to continue in the spirit of The New School of Information Security, and claim that we don’t need expensive certification programs (i.e. products) that cater only to a certain kind of elite. We need to get back to basics.
IT Security certifications available to date
You don’t need them; I don’t have them. Certifications breed specialization. We need more generalists. Don’t get certified and don’t pursue a certification.
Of the people that I work with, only the specialists have certifications. Note that the guy that is smarter than me (I asked him to provide input into this) — he doesn’t… and he says that the only certification that he was ever interested in through his career (I assume he’s been working in this industry for over 10-12 years like myself) was from SAGE. He says it’s no longer offered.
What is different about the OWASP People Certification Project
James McGovern wrote on his blog recently about this new project. In his blog post, Is it a bad thing that there are no IT security generalists?, he summarizes his points as follows:
As an Enterprise Architect, I understand the importance of the ability for a security professional to articulate risk to IT and business executives, yet I am also equally passionate that security professionals should also have the capability to sit down at a keyboard and actually do something as opposed to just talking about [it].
[…] If you are a skilled penetration tester, can write secure code and can reverse engineer software, you are worth more than any CISSP. For those who embrace the mental disorder of hybridism and distillation, balance between these two are needed where true IT security professionals understand both […]
Can we appease both the voracious business needs and the wrath of the unstoppable and ever-expanding security learning curve? Is the OWASP People Certification Project the program that can do this?
If James can truly make this sort of thing happen (and I truly believe he is doing it and that he can do it — based on everything I have seen so far), then I will do my best to ignore the obvious contradictions or annoyances — and put my full support behind it.
It’s not just James, either. Everyone I’ve met who has been involved in the OWASP project has been stellar. The OWASP organization has brought diverse people together in ways that DefCon/BlackHat, HOPE, Phrack, and many other grassroots efforts never could.
Will OPCP replace CISSP? Only time will tell, but I will tell you now that it indeed will. Wait and see.

Hmmm… Well, the CISSP was never really designed as a particularly technical cert, although for a long time it was (is?) considered a good indicator of competence by a lot of HR and senior management types, which is the only reason I bothered to get one.
I’d argue that whether you need certs or not depends on what market you work in. For example, DOD directive 8570 requires certain certification levels in order to work in certain aspects of technical security, and many other .govs follow that directive as a guideline. IIRC, IAT-III requires a CISSP.
Many large companies also see certifications as indicators of “critical skills”, meaning that by attaining and maintaining certifications you’re more likely to get bigger raises every year.
I don’t know a whole lot about the OPCP, but from the OWASP page on it, it sure looks like a secure application design certification, which is not really what the CISSP is intended for, to begin with. Only one of the 10 domains was about secure applications, and I don’t think I even got tested on it.
@ Kris:
I think that as an analyst-only point-of-view, the CISSP is also missing the mark in today’s world for today’s needs.
Eventually, I think that DoD requirements, e.g. IAT-III will go on to replace the letters CISSP with OPCP. Many will keep CISSP, add OPCP; but many will also remove CISSP.
CISSP should have been designed with application security in mind, or it should have changed to support it. If all of the attacks are coming at this layer — and the program says nothing about them (instead choosing to focus their 10 domains on mostly other, unworkable solutions), then it’s a losing situation for CISSP.
The truth is that we may be on to something about specialization — specialization to how breaches occur. In other words, physical security is certainly important, but there are plenty of other programs to address this focus area.
What OPCP does is to add the analyst level skills with the down-n-dirty technical skills necessary to work on various problems facing modern IT security departments. This is a need that the CISSP (even with continued education, which is left unspecified) cannot today meet — in either area.
CISSP’s concepts of risk management are stuck in the ALE days. Vulnerability management concepts tested/trained involve pre-1996 concepts: before client-side buffer overflows that affect multiple operating systems, before stack protection (and other exploitation countermeasures), before AV and Enterprise agents became more of a target than the OS itself, and before the web even really took off. Certainly, the CISSP says nothing about secure coding and quality in security products or any software for that matter.
We all know about these problems, and the fact that the CISSP does not address them. OPCP will address them — it has the people and the power — as well as the momentum. Put it on your radar.
A thoughtful posting, points well made.
I’m a big fan of the infosec generalist - but my interests are guided by business interests as much as professional ones.
In our business for example, specialism is good but expensive. Not every piece of work needs particular specialism, and good all-rounders have the ability to learn and adapt quickly. Pure specialists can spend more time on the bench, waiting for their next engagement to appear.
In other words, it’s not just the world at large that needs generalists, it’s the infosec industry too.
What we absolutely *don’t* need is a new breed of Microsoft Certified Security Specialists.
@ Simon:
I wouldn’t mind having a few Microsoft Certified Security Specialists as long as their day job is as a developer. If the certification was for ASP.NET 3.5 or other Microsoft-only specific library, language, framework, or other development technology — then I’m all for such specialists.
I’m not so big on the ISA Server, Forefront, or other Microsoft “security products”. Microsoft sure spends a lot of time at TechEd and other places promoting these new “product” technologies, while their Securing Web Application courses, Writing Secure C# or VB .NET courses — and many others haven’t been updated in 5 or 6 years.
Even FxCop was the most recent secure coding tool to come out of Microsoft, without any significant updates for security since it was released.
The Microsoft Threat-Analysis and Modeling (TAM) tool, StyleCop, Pex, Guidance Explorer, the Anti-XSS Microsoft library, and XSSDetect are either:
1. Not well-known about enough (because they are never mentioned in any official Microsoft literature, especially training or certification programs), or
2. Not integrated with Visual Studio or even MSDN and TechNet
I am excited to see and hear more about Microsoft internal tools such as CISF, CAT.NET, FuzzGuru, and TAM-E. When the public will see them is anybody’s guess.
In many ways, Microsoft is the reason why OWASP exists, just as they are the reason that a lot of technology-isms exist. The inventors of OWASP now even work for Microsoft. While nobody fully trusts Microsoft because they move slow as a big company, I do think that they are best positioned to help people with certification, training, and solid industry-leading products or information.
I don’t believe that I’ve ever met a MCSE:Security certified professional before, although I have gone over the material for the courses and exams. I wasn’t really that impressed. The developer certifications are much better, which is why I think that they desperately need to update them.
This leaves me curious about what you do, too, Simon. Isn’t PCI compliance one of the worst forms of specialization out there in our industry? A QSA is a person, not even a company (yet people think it is), and they need all sorts of expensive training and prerequisites. I’d be curious to hear your thoughts on how the PCI SSC has approached training and certification of individuals.
That is a great question though — why do people assume that a QSA is a company and not a person? Could it have to do with the requirement that a QSA work for a QSAC? Or could it be that the industry doesn’t care about who/what rubber stamps them, only that the right PO’s get signed and approved in order to meet the deadlines?
Well, I wrote an article in 2002 when the certification craziness was at its highest point (http://www.rtek2000.com/Good/Why_we_have_to_fight_with_hypes.pdf). If you spend 10 min reading the article you will understand my point regarding who particularly benefits from all 5000 existing certifications. It is still the case, with some exceptions. I have been an employer and I am an employee, so I know both sides of the job market. There are many cases when the certification is a big plus if you want to be hired for certain positions, and as much as I don’t like certifications I have to admit that I have a few, including CISSP, which I got last year.
While I was learning the material for about 4 months, I got my horizon expanded. I learned about risk management, disaster recovery strategies, and cryptography. I know for sure that I would never touch those topics otherwise. The CISSP certification is intended mostly for managers who plan the security and risk management within their firms. It is not in any way a substitution for hands-on experience. In fact (and many folks know it) the CISSP certification is about two inches in depth knowledge about 10 CBK domains but two miles wide (a little bit about everything). So, we are talking about generalists here, not hands-on professionals - if you are talking about hands-on knowledge, it has nothing to do with it.
Why did it become a popular certification? Mostly due to the good marketing by the ISC(2) marketing team. They were able to penetrate the DoD to make CISSP a standard for any security professional. All other vendors, including CompTIA, failed to reach such a degree of popularity.
I passed the exam to prove something to myself, and currently I have no benefits from having it, in addition to the $500 exam and $85 yearly fees. But you’d be surprised that my resume with the magic letters attracted many job recruiters. The CISSP certification may bring some benefits to job seekers.
Feel free to look for CISSP certification resources at http://securecyber.blogspot.com
Confirmation bias is a tendency to search for or interpret new information in a way that confirms one’s preconceptions and avoids information and interpretations which contradict prior beliefs.
@ Roman (securecyber):
Great paper! I just finished reading; lots of cute anecdotes (I love the one about the guy with 70 certs! Crazy!).
OWASP is about risk management, too. There’s going to be lots of benefits to a certification program from OWASP… you’ll see. If you attend any of the local chapter meetings or conferences (or even simply spend a few minutes a day reading the website or lurking on the mailing-lists), you’ll come to see what I mean.
I don’t think OWASP is going to get carried away by the profit-making capabilities of the People Certification Project — however, it is exciting to talk about a strong source of income for what amounts to a non-profit, under-funded organization. Sometimes it’s nice to start from the primary goal to be something that gives instead of looking to collect on monies. In regards to OWASP, this defies the logic of your paper. Although marketing and all the rest certainly play into it. I think OWASP can compete (otherwise I wouldn’t be saying these things).
The OWASP People Certification Project will be all-inclusive, and it will be popular. I say it’s going to be even more than just those things — it’s going to set standards — probably THE standard (in the way that the CISSP has set the standard for many years now).
Also, you’d be interested in the economics side of training and certification programs. Check out the Wikipedia article on Instructional capital, it would make for a great reference in your paper. In some ways, it’s an approach of, “how well do people know what you do, and how much are they willing to pay to know without it costing you money?”. As you say in your paper, selling products for them by certifying them. I’m sure that the IT industry wasn’t the first to do this sort of thing (I’m thinking of guilds and unions), nor was Novell.
Speaking of Novell, I recall speaking to certified engineers/administrators in the late 1980s. It appeared that Novell was teaching the disadvantages of TCP/IP networking and the Internet. Most Novell certified engineers thought that the Internet Protocol was going to run out of numbers by 1994. I guess CIDR and BGP-4 sure changed that end result. Of course I say this as we’re running out of IPv4 space now, and it will probably be completely gone by 2010.
@ Dan Philpott:
Can you be more specific? I don’t think I understand what you’re trying to get to. If you disagree with something — this is an open forum. Feel free to point out what you like or don’t like so we can discuss it.
dre,
I think you make some good points about the field being far too expansive to allow technical generalists to exist, thereby making way for the rise of the specialist. I think this has substantial implications on how organizations implement security within their environment as well as related hiring decisions and warrants further exploration. However, I don’t see the support for your assertions regarding the death of CISSP (full disclosure, I have the cert) and especially OPCP replacing it.
As has already been discussed, CISSP is meant to be as general as possible. While I concur that technical generalists are less and less likely to exist as time goes on, there are many legitimate security positions within an organization that require a general awareness, not necessarily technical competence across the board. I think this is an important distinction – not all security professionals need to be able to execute a world-class pen test or review C code, etc. However, I feel very strongly that all security professionals should be able to understand the need and importance of such activities. That’s where a generalist certification retains its value.
CISSP never intended to demonstrate technical competence in all 10 domains. It simply intends to demonstrate a broad awareness and understanding of information security. I agree 100% that if one wants to market themselves as a technical security resource, the CISSP certification (or perhaps any certification) is not sufficient. Those same individuals should, however, be able to demonstrate an understanding of the inter-relationships of the various security fields; why application security and physical security are just as important as network security, etc. Thus, the value of the CISSP cert (or something equivalent).
None of us operate in a vacuum and to your point, the technical generalist is effectively extinct. From my perspective, our new-found interdependence is all the more reason that a generalist cert is more valuable in today’s environment than it ever was. It’s not the whole picture, but it’s a critical piece of the pie.
Well if you want a CISSP… check out the OWASP member offers for the discount code ;)
http://www.owasp.org/index.php/Member_Offers
Tom, with a bunch of non-vendor and vendor certs… ’cause it’s good to learn the way the mfg wants you to do it before you break it… and better to understand why it’s bad in the 1st place.
@ Rex:
OPCP is a generalist sort of certification, like the CISSP. It’s not for specialists. That’s the whole point of this post. OPCP, like CISSP, is meant to be as generalist as possible.
Now that I’ve set that straight, I think I would say that we agree on all of the points that you made.
@ Tom:
Thanks for the link! I had no idea that OWASP did this, what a great idea!
@dre
Actually, I have long felt that if there’s one place in the world where you can actually do something meaningful with infosec, it’s with developer education, rather than with product deployment. (I also think that people with development experience tend to make the best pen testers, but I digress.)
As for citing MCSE training - I used MS as a soft target. It has long been fashionable in security circles to bash MS, but in reality I think right now they have more hard-won security expertise than any other software company out there. Once they get round to teaching what they know, things will get interesting.
On the PCI front, let’s remember that security and compliance are not the same thing. The PCI-DSS is a set of minimum standards concerning payment card data, and not much else. In other words, if an organisation meets this minimum standard for card data and thinks this makes them “secure”, they are mistaken.
One quickly learns to wear either a PCI hat or a Security Consultant hat when answering questions. The answers are not always the same.
As many people know, PCI-DSS is divided into 12 sections. It’s pretty broad, covering everything from web development to network segmentation to policies to 3rd party agreements and so on. So, whilst the application is specialised (Payment Card Data), the skills required to properly validate compliance against the standard are incredibly broad but often highly technical.
Therefore, I don’t agree that PCI represents “one of the worst forms of specialization out there in our industry”. From a practitioners perspective, it represents a requirement for high quality infosec generalists within a vertical application.
That’s always been my career advice (for those who are foolish enough to ask for it)… strive for breadth of experience, but don’t be afraid to maintain a couple of specialist skills in there too. How about that for general advice!
As for how the PCI-SSC selects individuals… well clearly I’m not going to speak for the Council. The entry requirements are available for inspection. Industry certs like CISSP count towards the assessment, as does experience and academic qualification. It’s a balance.
Anyway, enough rambling from me. I’m enjoying the discussion.
I don’t see what the big deal is, and honestly I would say medicine is still much harder than security.
In fact, the practice of medicine is a form of security that long predates the silly techno-centric info-security folks who think they face the only problem that matters.
I just went to a generalist for a check-up. He offered to refer me to a specialist for one issue. If there were other issues, I might go to other specialists. Not a big deal. The specialists are usually the one with certifications. That doesn’t bother me either.
I agree that we need more generalists. However it seems to me the answer is to revitalize the CISSP and recognize it as the generalist (12 domain) certification to which it originally aspired. I always expected the inflation of skills and specialization to diminish the value of CISSP (like a BA/BS diminishes a high school diploma). Not such a bad thing either.
@ dre,
Once again great post, well done.
I am not a CISSP myself and I don’t find it hard to find a job. Professional, technical skills and knowledge are the best certification :)
Cheers
Shoaib
I work for the Department of Defense and have the CISSP, not only because it is a requirement, but because I take pride in my individual development as an Information Security Professional. I am also pursuing a Masters Degree in Information Assurance at Norwich University, which is one of the few NSA approved centers of academic excellence in the field of IA. I have a number of other IT/IS certifications also. It is all about individual development. Certifications and degrees are supposed to be complementary. I know of quite a few individuals who have failed the CISSP at least 3 times in a row, which forced them to pursue certifications of lesser prestige. And of course after failing they have to put down the cert to justify their inability to succeed.
It’s always the ones who do not sacrifice what it takes to succeed in life that have to downplay the accomplishments of others. So what if the CISSP is not as technical as some other certs? That is not its intent. They have concentration areas such as the ISSEP, ISSMP, ISSAP for that. And I challenge anyone to say that the technical knowledge required to pass one of their concentrations is a cake walk. You guys can listen to these clowns as much as you like, but the truth of the matter is that the CISSP remains the Gold Standard for Information Security Professionals. Nowadays you cannot get through the door to interview without it. Don’t listen to these clowns! The CISSP is not a PhD, but it still holds much heat!!
What happens when you have to compete with a guy that has tons of experience and the education and certs in tow?? You are done!
@dre, Being very straightforward here. I don’t really understand what you are trying to prove here by criticizing CISSP. CISSP covers all the general information security topics than OPCP will ever cover (if you stick to your plans given in the OPCP project page). CISSP covers disaster recovery, BCP, physical security, network security, wireless network security etc etc etc… and looking at OPCP it will actually cover application security only and a little bit about networks such as different layers of OSI.. isn’t it?
Please correct me if I’m wrong here. The idea of OWASP is to establish the sense of “Web application security” in the world, so OPCP should be about certifying the professionals in the same area. And according to the OPCP project page, it seems that you are going in the right direction… but this certification cannot be compared to CISSP. A security manager may NOT need to know how to design or code in SOA, whereas he might need to know what BCP and disaster recovery is… the idea is to get a person certified in all the areas of security so that he can understand and manage the certain specialists.
@ Liquidman:
How familiar are you with OWASP or TS/SCI Security? Your comments indicate that you don’t have a lot of experience with either.
I am also pursuing a Masters Degree in Information Assurance at Norwich University, which is one of the few NSA approved centers of academic excellence in the field of IA
I have met people in the NSA approved centers for academic excellence from various universities. I am largely unimpressed with their programs, which are primarily based on network security. I met Marcin (my fellow blogger) when he was at UAT, also studying network security. It would be interesting for you to read some of his posts on this blog throughout the years to see how he’s changed over to application security.
I have a number of other IT/IS certifications also. It is all about individual development. Certifications and degrees are supposed to be complimentary.
Degrees are for university level research. Check out Dave Aitel’s recent paper on “Thinking Beyond the Ivory Towers” for more information.
I know of quite a few individuals who have failed the CISSP at least 3 times in a row, which forced them to pursue certifications of lesser prestige
I know where to go to get all of the real questions and answers for the CISSP exam, which I could memorize and regurgitate at a Prometric center, where many people have been caught cheating.
… the truth of the matter is that the CISSP remains the Gold Standard for Information Security Professionals
I agree with this statement. Which is why I’m saying that the OPCP will be the future gold standard, leaving the CISSP in the dust.
@ SpikyHead:
Network security isn’t really a part of information security anymore. Physical security has also moved on to different pastures. If CISSP were re-written for 2010, there would only be 4 domains: social engineering, application security, software security, and data security.
… I don’t really understand what are you trying to prove here by criticizing CISSP
I’m not really criticizing it. I like the CISSP, as I even said. I just think that times are changing. I think that I know when to spot such trends, and this trend did catch me by surprise.
[OPCP] certification can not be compared to CISSP
A computer will never need more than 64K of RAM.
A security manager may need NOT to know how to design or code in SOA
Managers “manage” people; they don’t need to know anything else, theoretically. However, yes, I believe an average modern security manager should know how to allocate resources and measure those resources properly around secure design and coding issues (to probably include SOA).
whereas he might need to know what BCP and disaster recovery is
Availability science is very 1971. AT&T and APC kind of figured this stuff out a very, very long time ago. It doesn’t really belong in the modern information security world, since it’s basically assumed into other roles.
BCP and DRP have very little to do with data breaches unless you count the fact that backup tapes get stolen quite a lot. However, that’s really a data security problem (DLP, file or disk encryption, etc).
the idea is to get a person certified in all the areas of security so that he can understand and manage the certain specialists
I’m glad that we’re on the same page. This is exactly what my blog post was about.
dre, you stated:
Network security isn’t really a part of information security anymore. Physical security has also moved on to different pastures. If CISSP were re-written for 2010, there would only be 4 domains: social engineering, application security, software security, and data security.
Can you explain this further? At first glance I have no idea where you’re coming from on this…
@ Rex Booth:
Maybe I’m over-exaggerating a little bit. There are probably other areas to talk about besides just application/software/data.
However, network and system security have proven to not be useful over time. Many of us in this security community have never thought that these measures would help. We cited them as temporary solutions, or good control solutions until we have something better.
Well, it is possible to do better than network or system security today, but you have to work for it. This blog tries to talk about the ways in which this is possible with application/software security. Check out some of our recent posts over the past year or so. The Securosis blog has been posting for a long time about data security.
If firewalls fail because of client-side attacks (or attacks at the application layer), IDS/IPS fail because of evasion techniques or encryption (see the Newsham/Ptacek paper from 1998 which is still relevant today), Anti-Virus and Patch agents fail because they are vulnerable themselves or because their blacklisting signatures don’t work because of the prolific use of obfuscated Javascript to launch client-side attacks (e.g. heap spraying), and NAC can be subverted and used to attack the network or quarantined hosts in many other ways — then you should see that these methods have failed and are failing.
Also — I suggest reading the book, GEEKONOMICS, and checking out David Rice’s blog as well as the commentary we’ve had here on this blog.
@ dre:
After reading your post a funny thing happened on the way to the fisking response. The funny thing was that the post’s entire argument seemed to resolve to the issue of confirmation bias. We were both looking at the same set of data but drawing alternate results based on the arguments we supported.
My thoughts on the matter are these:
The CISSP is a holistic approach to information security which offers the security professional a basis for understanding multiple security related bodies of knowledge. In a word, it is the security generalist’s certification. It focuses on providing the basis for managing security as a whole, not implementing a particular technology. It is based on the certification model where you need a working knowledge of a given set of information and then you are given an objective test on your working knowledge.
AFAIK the OWASP OPCP focuses on web application security. It is most likely very good at accomplishing this goal. However I do not know enough about it to comment on it (some links to source material would not go amiss). I think it is a technical certification focused on a narrow security field, web application security, which has a huge amount of complexity involved in secure implementation. As far as I am able to determine the OPCP appears to be based on a certification model where subjective assessment of a developers security capabilities are reported by employers.
So when you say that we need more security generalists and then dismiss the security certifications which deal with a general knowledge I find it odd. I am perplexed by the ending statement that the specialist certification (OPCP) will replace the generalist certification (CISSP). Aren’t these two completely different animals? Certainly the CISSP will be replaced eventually by something, but it’s unlikely that a web application security specialized cert will be the one to do it.
Do you mean perhaps that the OPCP certification model where subjective assessments by colleagues will replace the objective examination of skills? I can see a place for both models but both have their failings.
The objective skills test model itself is prone to the ‘paper certification’ problem where people who are good at passing tests and short term memorization can pass it. The CISSP is a modified version as it also requires adherence to a code of ethics and a five year employment history within the bodies of knowledge but even this doesn’t entirely compensate for the model’s known faults.
The subjective skills assessment model seems to me prone to a number of structural problems. (Are employers ever going to rate their programmers as anything less than ‘world class’ security gurus? What role will personal animosities play in application? How do you prevent the system being gamed by a social hacker?)
For the record I would disagree with James McGovern’s statement, “If you are a skilled penetration tester, can write secure code and can reverse engineer software, you are worth more than any CISSP.” The right CISSP, the right Penetration Tester, or the right Reverse Engineer is worth more than the wrong person in any of these classes.
@ Dan Philpott:
You have some very interesting comments. I really like the way that you think.
As far as the OPCP being a specialist certification — I am going to say that I don’t think it will be. Can it be both generalist, and at the same time specialized in web application security?
An unusual question might be — is OWASP a specialized area of security, or does it also take a holistic approach? I’m not sure that OWASP or the OPCP has anything especially too much to do with web application security, application security, or developers. If a strong majority of the talent in information security happens to also be a part of OWASP, then don’t these people have a lot more to say than what OWASP is represented by an acronym?
What does “International Information Systems Security Certification Consortium” really mean? Couldn’t I say “Universal Information Assurance Uber-Certification Conglomerate” (UIAUC^2), and just because I’m using superior English words, it makes the organization somehow better?
I think James McGovern and I do see the OPCP as a generalist certification, to be created by an organization that is not all about any single technology or motivated by only one way of thinking about breach or software risk. It’s not a narrow field if the people working in that field have expanded far further than where the CISSP has been taken.
The other stuff you wrote is way off, I never said anything about how the OPCP exams would work — however you have some really nice commentary on what “doesn’t” work.
I think you don’t understand what James McGovern wrote in “If you are a skilled penetration tester, can write secure code and can reverse engineer software, you are worth more than any CISSP”. Of course, getting the right person is more important — but after that, you need people on your team that can perform certain tasks: those of a pen-tester/reverser and those of risk management, writing security policies/plans, etc. He’s identifying which are more important skills to have when building teams of people.
@dre:
“network and system security have proven to not be useful over time. Many of us in this security community have never thought that these measures would help. We cited them as temporary solutions, or good control solutions until we have something better.”
I don’t agree here at all. Social engineering, application security, software security, and data security — sure great aspects of infosec, but leaving network security out of the picture is like saying that the Department of Transportation is now just going to let all roads in the US deteriorate with no maintenance because cars will just be built better to deal with the infrastructure.
I would have to say someone’s been sniffing glue if they said that network security will go away. It is in no way the end all or only solution (however many view it that way still today). You can’t tell me that firewalls haven’t been able to help protect you at some point over the years you’ve been using the Internet or that an IPS hasn’t dropped automated scans that may expose an unpatched vulnerability. The thing you’re missing is that it is *the* component all of the rest of your four topics ride on (sans the social engineering — but even in that facet circumventing a box via the network is the end goal).
I guess I’d have to call bluff and put a very hefty wager on the fact that network security will still be useful for as far out as I can tell… Why? Because you’ll never end up with 100% secure software, it’s not possible — there will always be an exploit of some sort.
When it comes down to it, discounting network security to nothing is, in my personal view, arrogant — thinking you have enough control over the rest of the components to warrant it unneeded.
What will happen, however, is that the network security technology that exists today will get better. It is the center of flak by bloggers — and yeah, we get it, you can preach all you want on it but that’s not the state of the industry. The state of the industry is that the majority of code going Internet facing is junk. Until interpreters / compilers can automatically filter all possible malicious logic there will be bad code written. Network security appliances will get better and be able to make deeper inspection decisions based on application layer information passing them. You may be shaking your head at this point but the thing you’re not taking into account is $$$. It’s cheaper for the majority of big business to buy a box that will do 80% of the work than it is to employ one excellent programmer who has a real understanding of network and security programming that can also implement the business logic. The majority of programmers are not, and will never be, in the niche security market. They don’t have an interest, therefore they won’t write clean code. Everybody doesn’t think like you, so there will always be a need for network security products to help fill the void.
Don’t get me wrong, what’s out there today is not all that great. But, would you drive over a bridge with no railings that was just wide enough for your car? Those railings might not stop a semi, but they’ll probably be strong enough to stop your car.
@ windexh8er:
By saying things like the following, it is clear to me that you would love the book GEEKONOMICS (referenced in an above blog comment). You definitely need to do some reading!
leaving network security out of the picture is like saying that the Department of Transportation is now just going to let all roads in the US deteriorate with no maintenance because cars will just be built better to deal with the infrastructure
Leaving network security out of the picture is not a new concept. I think the Jericho Forum has been talking about it for awhile. I haven’t read too much about them, but I suggest you check it out if you’re really concerned about preserving a future for network security.
You can’t tell me that firewalls haven’t been able to help protect you at some point over the years
Uh… Yes, I can. Let me see, in my first experience with commercial firewalls in 1996 (CheckPoint if you must ask), I was really pissed off at finding rootkits installed on my SPARC and x86 Solaris machines, even when I was using S/Key to login and su to root.
Then, when I got owned in 1997, I was even more pissed off to find out it was because of one user who wasn’t set up to use S/Key via SSHv2 (the other admin allowed her to do this because he thought she was cute). The guy who had a trojaned SSH on the machine that this girl logged in from had no problems finding a privilege escalation vulnerability and exploiting the trust relationships on our LAN to break into the firewall. The jokesters that followed him in also had no problem writing zeroes to our drives, so that data recovery was doubly problematic.
Finally, when I worked for very large companies, I was fascinated to find out that they did not even use firewalls, but that they were safer and happier without them. If you read my bio from somewhere, you can draw some more conclusions.
So, yes, firewalls seriously suck. In 2008, they don’t apply at all. All of the attacks come in from client-side exploits. All of these go right through firewalls.
you’ve been using the Internet
You are correct. I have been using the Internet. The Internet is made up of software, did you know that? The Internet exists because of software, were you aware of this fact?
that an IPS hasn’t dropped automated scans that may expose an unpatched vulnerability
Ok, I admit that network-based IPS has caused problems for penetration-testers who are hired to scan companies or other organizations for vulnerabilities. Can I get through them? Hell yes. Do hackers and organized crime get past both network-based and/or host-based IPS everyday for the past 20 years? Of course they have.
When it comes down to it discounting network security to nothing […] thinking you have enough control over the rest of the components warrant it unneeded
Yes, I don’t think that network security requires a lot (or much, if any) of time or effort. I don’t think we should spend time turning it off. However, budgets should be re-balanced. Sometimes this means moving a network-based IPS/IDS into a lab, or allowing costly firewalls, switches, routers, and IP telephony equipment to depreciate until they can be safely removed from the network (with early replacement or retirement happening as soon as possible).
you’re not taking into account is $$$. It’s cheaper for the majority of big business to buy a box that will do 80% of the work than it is to employ one excellent programmer who has a real understanding of network and security programming that can also implement the business logic
No, I’m definitely taking the money into account. I think the problems with security products — ESPECIALLY network security products, or “security appliances” is that the only people taking the money into account are the vendors selling this bloatware — this snake-oil. I also suggest that you read “The New School of Information Security” based on these comments. Let’s look at breach data to determine where the problems are coming from and where and how to apply spending. Sure, every company is different — but I’d almost universally take half of the network security budget and dump it on application and data security from any given company around the globe.
The majority of programmers are not, and will never be, in the niche security market. They don’t have an interest, therefore they won’t write clean code
That’s why things like integration unit testing, aspect-oriented programming, and dependency injection will replace the need for information security and network security experts (and especially non-experts!) alike. Of course, projects like OWASP ESAPI are already helping programmers forget about security problems and increase their bonuses due to “helping out with application security and software risk issues”. Ask any developer for any company on Wall Street.
there will always be a need for network security products to help fill the void
I think that’s all network security products do well is fill voids.
would you drive over a bridge with no railings that was just wide enough for your car? Those railings might not stop a semi, but they’ll probably be strong enough to stop your car
The broken window problem applies to the software, not to the network. Of course, the network is made of software!
I can see your side of the argument. The problem, from my perspective, is that most of it is very bleeding edge.
I also didn’t say that firewalls, IPS, NAC, whatever your box may be can’t be circumvented. Yes, I realize that everything *is* software. However your tone seems to imply that unit testing, aspect-oriented programming, and dependency injection are the holy grail of software security.
My point is that a layered approach, albeit an old concept, is not always bad. Software on a backend system may be vulnerable to X, while a network security device written in Y is not. Let’s just say for a second that Y is, at the time X is vulnerable, a safe platform. Why is it so bad to have a particular defense in the meantime?
I agree with you that most network appliance vendors charge ridiculous fees for their overly unintuitive and hastily maintained product. I do, however, think it can get better — and it will.
I’ll also definitely check out your recommended reading — no, I haven’t read any of the books you mentioned so maybe I can get a better insight of where you’re coming from.
All in all you usually have some great articles — but I was surprised at the tone of your retort. I think I could have done a better job of wording my angle… But anyway…
@ windexh8er:
I think I’m going to do a post (or write a book) on how integration unit testing, aspect-oriented programming, and dependency injection are the holy grails of software security. Thanks for the allegory!
I don’t think this stuff is bleeding edge, but I guess I could understand how other people could see it as that. I’ve been told it’s bleeding edge before (actually, I’ve been told, “that’s too bleeding edge” during most of my career). I’ve also been told it’s “too academic” a lot.
Many people are not aware that SQL injection came out in 1998. That was ten years ago. Others have no clue that XSS was around in 2001, or seven years ago. Some know that the buffer overflow has been well-documented since 1995, but that we first saw use of it in 1988 with the Morris worm. Bart Miller found various kinds of overflows and other security properties when he invented fuzz testing in 1989. Surely, there were others that did research before these times, but we can trace the history of software security back to these specific points without much argument.
I do, however, think it can get better — and it will
Have you thought about investigating research and time into building your own network appliances? For example, in the book, “Linux Networking Cookbook” from O’Reilly Press, the author, Carla Schroder, goes into detail about booting Pyramid Linux on a variety of embedded hardware devices that utilize CF or Disk-on-Module drives.
She even demonstrates how to use WPA2-Personal with HostAP to provide per-machine keys, which can be better/safer than WPA2-Enterprise in my opinion. I do understand that some architectures (e.g. Cisco IOS, Juniper Networks JunOS) have superior technology in their software (e.g. CEF). Aruba Networks does an outstanding job with WiFi security, but I guess I remain skeptical about vendors and closed-source products unless I know to what level of detail they test their products with modern, full-knowledge vulnerability assessment techniques.
To be honest, I’d be really interested to hear where you think Network security is going. If there are innovations and improvements to be made (and I have my short list of things that I’ve wanted for years), then we’d love to hear them. Or point me towards the research. I referenced a few interesting papers in Bejtlich’s post on NSM vs Encrypted Traffic Revisited.
However, some of these ‘network security’ innovations are really ‘application security’ innovations. Some of the defenses look like they are being performed on the network when really they are being done as close to the application as possible. For example, CORE GRASP and Fortify Defender are considered “web application firewalls”, but really they are something completely different.
@dre
I would definitely be interested in the post on software security. Most of my misunderstanding is probably because I mainly dabble in things like Python and Ruby to get things done. A little bit of Objective-C — but I’m not a day to day programmer.
I have actually built plenty of network appliances based on Linux and BSD. I think the grey area of an “appliance” in enterprise is interesting. The fact that if it doesn’t come installed with Windows and comes with a “specialized” OS with support from a vendor really makes it an “appliance”. I’ve run into customer issues many times wherein I’ve deployed network monitoring based on Linux, but when it came down to actually validating it as a network appliance the customer would state that they need a real one. Real what? They would state they actually needed to buy an appliance from a vendor for it to be kosher. So — fine, go buy a Cisco 4260 IPS and we’ll just use the chassis. This is something that most vendors (that I’ve run across) have a hard time dealing with or understanding. Maybe it’s because they want to make sure they have support after a given consultant leaves the premises — because they don’t have any expertise in house. Keep in mind that a lot of Fortune 50/100 clients I’ve been at have little to no *NIX experience directly in their security / infrastructure departments. Scary…
To sum it up, I’m not a person who likes recommending overpriced products when a free / better alternative exists out there. It’s hard when you walk into a Cisco centric shop and try to push something else.
The interesting thing is that I previously worked for a large government defense contractor, where it was much easier to get home-grown appliances into programs — mostly based on embedded Linux. This particular contractor probably saw the value because they would routinely query us for in house training around embedded systems. Two vital sensors for our programs were deployed running open source operating systems. I won’t say that getting the code review done was a pleasant or easy experience, but in the end the customer was very happy.
I think network security is definitely a mix of what you’ve stated — but, obviously, from my perspective network appliances are hard to get rid of. Take the data center for example. One of the problems you’ll run into quickly is port density. There’s no PC chassis out there today that will be able to handle 300+ Gigabit interfaces. If the platform were to exist it probably wouldn’t be as extensible in terms of pure networking performance.
Cisco, as an example, for the most part is leveraging Linux for a lot of its products now. So they definitely understand the advantages of using the platform. The problem is Cisco, from what I’ve seen, does a horrid job of integration — they base these appliances off of common distributions. Why would I ever need a full blown distro of Fedora running my NAC appliance? Sure they hacked out a few things, but a lot of the original base still exists… So I could instead run PacketFence to a client, but then when they ask for 24/7/365 support with hardware and configuration where do they go? It’s not that I’m not a proponent of deploying open source — I really am — but it’s just the logistics of spinning it in the right place at the right time.
Where is it going? Well I hope better security of these devices is getting better from the core of the product — the software. The only problem I see with this is companies, again, like Cisco like to acquire junk just to fill product role voids. Then they bring it in house and don’t seem to fix it because it’s a product that works and something they can rebrand and instantly start to make revenue on.
So, today, I think we’re heading down the path filled with a lot of entropy right now. The big players are going to make a lot of mistakes — but the products will improve as the knowledge and understanding internally at companies improve. That, to me, is the obvious first step. It’s just going to take time to displace the old hats that really have no interest in doing things any different. Maybe it’s a Baby Boomer / Gen X / Gen Y deal, or maybe it’s a vendor lock-in comfort level. I’m really surprised at how many people, in the industry, don’t follow open source at all. Even just educating themselves about it through feeds, blogs, whatever…
So to start, I think a better understanding needs to happen. Followed by a push-back towards vendors demanding better products or using custom solutions in retort.
Do you find it hard to help customers understand when you’re discussing application security that it applies directly to the network? If I were to try and discuss ‘application security’ with my current client in reference to some of the ‘network security’ platforms they would probably think I fell off the rocker. :)
I’d like to see the CISSP’s replacement not completely be yet another multiple choice test. All that OWASP brainpower should be able to come up with a scalable practical exam.
Great post that has stirred a lot of discussion. I commend you on an interesting topic. While I disagree with some of your conclusions and statements (see below), I like the idea of a certification within the secure coding area and OWASP is a great organization to do it.
Statements:
1) CISSP had outlived its usefulness as a technical measure of capability.
CISSP was never intended as a technical measure of capability. CISSP is a statement about a security professional that he/she understands a set of common principles, practices, and a vocabulary. Thus CBK. Think of it this way. If I meet you across a table at a business meeting and your card says “CISSP” on it, then I know that I can use terms such as ‘two-factor’ authentication and you will understand principles such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability.
2) No innovations or improvements made.
Right on! I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK (on the order of the PMBOK).
3) CISSP ability to deliver is MIA.
Deliver what? Perhaps if you believe that CISSP was supposed to be a mark of how “security smart and capable” someone is.
4) Certifications breed specialists - we need more generalists.
I can’t agree with this. Some certifications can breed specialists; vendor certs are one good example. But the CISSP certification as well as the CISA certification is a general certification within the security and IS auditing professions.
Now while we are at it. The OWASP cert (as proposed) IS a specialist certification. You seem to disagree with this (as in your earlier responses). But clearly web application security is a specialty within the information security profession.
5) I know where to go to get all of the real questions and answers for the CISSP exam, of which I could memorize and regurgitate at a Prometric center.
This is just plain wrong. The CISSP never has and never will be offered at a Prometric center for precisely the reason you state.
6) OPCP is a generalist sort of certification.
Err. How? Web application security is a specialty within information security, or a specialty within application development. But it certainly is not a generalist certification.
Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don’t understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist.
Need for certifications. You seem content (or proud) not to have any certifications. I certainly agree that you probably don’t need them in your current position and obtaining one would not make you smarter but consider the following need for certifications:
a) looking for a job in the information security field. Unless you have a reputation and/or a great network you will not be able to get a job without certifications such as CISSP or CISA. A very small fraction of the information security workforce has a reputation (good) and/or a strong network.
b) proposing your services to customers. You or your company is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn’t matter what you think about them here, it matters what the potential customer expects.
c) the “certification” that I believe is my biggest asset is my business experience knowledge. Personally, I list my MBA right next to my CISSP and CISA.
@ Doug Landoll:
If I meet you across a table at a business meeting and your card says “CISSP” on it, then I know that I can use terms such as ‘two-factor’ authentication and you will understand principles such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability
Let me re-phrase this. “CISSP had outlived its usefulness as a statistical measure of analyst capability.”
I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK
This is not to say that the work that they have done is invalid or wrong. The original CBK was neat, and I know that people have put work into over time (it’s not like ISC2 only worked on this once and has been milking it ever since). Good commentary so far.
Deliver what? Perhaps if you believe that CISSP was supposed to be a mark of how “security smart and capable” someone is
Well, in some ways — I think it would be nice if it could gauge the terminology in use (isn’t that what the CBK is supposed to do?). As a requirement — the CISSP or any cert like it — must test the analyst level skills typically needed to maneuver around industry constructs and concepts.
Certifications breed specialists - we need more generalists.
I can’t agree with this. Some certifications can breed specialists
You definitely have this part correct, especially about CISA and CISSP. What I meant to say is that “5000 certifications breed specialists”… Sorry that came out wrong.
This is just plain wrong. The CISSP never has and never will be offered at a prometric center for precisely the reason you state
I think you might be a bit short-sighted in this argument. It may not be offered at Prometric centers, but it might as well be. If you don’t believe me when I say it’s a simple matter of memorizing the test answers (and that cheating is well and alive), then I suggest you do some Google hacking to find out the truth.
How? Web application security is a specialty within information security, or a specialty within application development. But it certainly is not a generalist certification.
Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don’t understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist
OWASP means what? ISC2 means what? I don’t understand how ISC2 is allowed to have a generalist security certification, but OWASP is not? Why is OWASP not allowed to have one? Because of their name? What’s in a name?
The OPCP will not be just about secure coding. I wish people would understand this — it’s basically the one point that I’m trying to make.
I agree that CISSP and OPCP will co-exist. However, I do think that OPCP (or something else very much like it) will start to replace the letters CISSP — especially when it comes to prestige or possibly things like government requirements. As I said, you’ll see…
proposing your services to customers. You or your company is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn’t matter what you think about them here, it matters what the potential customer expects
You’re the first person who has brought up this point (and like most of your points — it’s a really good one). There is speculation into how much these things really count for. I’m sure that there have been plenty of bids for contracts where a non-CISSP won over a CISSP. However, it definitely helps and provides confidence for both you and your client. I’m hoping that this will be one of the benefits to the OPCP as well.
@dre
Just a quick follow up… It’s an interesting listen on the Security Roundtable podcast about how the Jericho forum is not recommending an end to firewalls…
http://www.securityroundtable.com/2008/06/12/security-roundtable-for-june-2008-clarion-call-of-the-jericho-forum/
I found this site very interesting and up until now I was not aware that OWASP existed. I think this may be my loss. I have read various opinions regarding the validity of the CISSP. I am a CISSP and I am a member of the local chapter of the Information Systems Security Association (ISSA) in Colorado Springs. We are over 300 members strong and our security specialties vary on a broad level. I would like to see a member of the Denver OWASP attend one of our meetings. I think we could learn a lot, perhaps from each other.
As for the CISSP, it’s a general Information Security certification in a very broad IS field. There are security specialties in almost every IT area all shouting that theirs is better than anyone else’s. I feel that if IT Security is part of your career goals, you should pursue it and pick where and what you choose to specialize in. There is no one “silver bullet” in IT security, just a good overall knowledge and a focused specialized knowledge. I think the OPCP may be worth looking into. The security standards of the future might be CISSP-OPCP or CISSP-ISSEP or CISSP-(whatever tickles your security fancy).
Good Luck to all.
Patrick