The same would be true of network security. It isn’t sufficient, but neither is it needless. It boils down to the “make the thief go to the next guy” issue. Someone who is targeting you can break through, but you should have a better chance making the “other guy” a more appealing target.

By this same standard application security is almost certain to remain a failure as well. I predict we will still have many disconcerting application security flaws in 20 years (or more), regardless of what we do now.

It is kind of like medicine – solving one disease just gives room for the next one to come about. This could lead to a “why bother” attitude, but I am not there, at least not yet.

On the subject of certifications: I have been pursuing my SANS ones largely because I decided they were interesting. They also have lots of good information in them and helped me come up to speed fairly quickly in information security after 20+ years focusing on development. Others may exploit them, but I will certainly use them to “sell myself” as I do my degree from Illinois, work experience and anything else I think I can use to get ahead.

I see it more as giving the customer (whoever wants to hire me, as an employee or on contract) what they may want. If you were my target, I wouldn’t push them, but others like them. Whether they are really accurate is somewhat irrelevant since they will remain a “feel good” point for some. This may or may not be fair or accurate, but it is what it is.

Finally, you degrade the value of BCP, risk, etc. I am convinced that ultimately understanding the general issues, especially items related to risk, is the most important key to success in information security, including in the area of application security. You are not going to get executive buy-in without clearly presenting things in these terms. While you may not need to design a BCP, having no idea what it is a definite detriment.

It is hard enough to get management to fund and devote time to this effort, understanding the more business-focused things like ALE is much more important in the real world.

Of course, my experience may be off, but this seems like more of an academic argument of its own.

Brad

Good question, and one that I’ve put a lot of thought into.

No IT certification has any record of extensive validation. I have met several clueless CCIEs throughout my career.

If I were to educate DoD personnel and prepare them for a more rigorous and validated certification plan using today’s standards (DoD 8570.01-M), I would suggest CISA or CISM over CISSP (where appropriate) and CERT CSIH over any SANS certification including GSE. Only the IASAE track appears to require CISSP or ISC2 certs.

I’ve spoken several times in several places about what I think really matters to application and data security… and it’s all in the smaller boutique shops today (no, not IOActive or InGuardians). You have ISVs and Global 200 completely ignoring serious risks to their applications and data simply because they can’t hire enough experts, or learn how to train their own.

There was a thread on the Security Focus pen-test mailing-list that covered a few of these shops. More recently, there was a thread on the securecoding mailing-list for “Online Secure Development Training”. Toppling the list were HP ASC, Aspect Security, The Denim Group, Security Innovation, Cognitive Core, SkillTube, and Microsoft (especially the ACE team which provides external services including SDL-IT and training).

As far as certifications go, I’ve only seen the HP ASC WebInspect cert (Prometric exam: HP0-M25) and the Fortify certification. Both of these are new, since the start of the 2009, so the level of validation is bound to be very low until these programs mature.

ISC2, SANS, and Security+ certifications utilize low-to-no validation in 2009 and they are massively out-of-date for any [also out-of-date?] regulatory requirements. My opinion is that you avoid them and utilize some of my suggestions if you find them helpful.

what certification in your opinion would add depth-ccie?

Wish you all the best.

(ISC)2 pitches the CISSP as a certification of “professionals,” hoping to measure up to other “professional” licenses like the CPA, CFP, etc. I obtained my CISSP very early in my career as a way to show my commitment to the field and continued self-development. I knew that having a “hands-on” conversation about Solaris security would get me more respect when talking with Unix admin than those five letters, but I also knew the cert was important to the pointy-heads. (I wanted to be able to work with both types, as well as everyone in between.)

As a hiring manager, a CISSP shows me someone is committed enough to put the time/effort/money to get it — that’s it. It’s a measure of professionalism. S/he can still be a clown, but that’s why I ask questions during an interview. Sure — some recruiters and people managers may spin it as a tech cert — but that doesn’t make it so.

I had my ISSEP and ISSAP for awhile, until I decided it wasn’t helping my resume and my employer wasn’t reimbursing the fees. I recently got my CEH — only because it was a “standard” set by my employer. Sure, the CEH has huge problems, but it was an easy cert to get and didn’t cost me anything. And now that I have it, I can use my experiences with the exam and EC-Council to point out the shortcomings, instead of just whining about “how much it sucks and why I don’t wanna take it.”

Certs don’t make you smarter. For employees, certs are another way to game the screening and interview process and one way to show continued development. For people managers, they are one way to set goals to measure commitment — especially for more junior people.

I wish James et al. all the luck in the world with OPCP, and I’m sure we’ll see a number of new infosec certs over the next several years. But having smart people and reputable organizations stand behind the cert isn’t going to motivate me to get it. I’ll get a cert if it will 1) help me get the job I want or 2) keep the job I love.

As for the CISSP, it’s a general Information Security certification in very broad IS field. There are security specialties in almost every IT area all shouting that theirs is better than anyone else. I feel that if IT Security is part of your career goals, you should pursue it and pick where and what you choose to specialize in. There is no one “silver bullet” in IT security just a good overall knowledge and a focused specialized knowledge. I think the OPCP may be worth looking into. The security standards of the future might be. CISSP-OPCP or CISSP-ISSEP or CISSP-(whatever tickles your security fancy)

Good Luck to all.
Patrick

Just a quick follow up… It’s an interesting listen on the Security Roundtable podcast about how the Jericho forum is not recommending an end to firewalls…

http://www.securityroundtable.com/2008/06/12/security-roundtable-for-june-2008-clarion-call-of-the-jericho-forum/

If I meet you across a table at a business meeting and your card says “CISSP” on it, then I know that I can use terms such as ‘two-factor’ authentication and you will understand priciples such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability

Let me re-phrase this. “CISSP had outlived its usefulness as a statistical measure of analyst capability.”

I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK

This is not to say that the work that they have done is invalid or wrong. The original CBK was neat, and I know that people have put work into over time (it’s not like ISC2 only worked on this once and has been milking it ever since). Good commentary so far.

Deliver what? Perhaps if you beleive that CISSP was supposed to be a mark of how “security smart and capable” someone is

Well, in some ways — I think it would be nice if it could gauge the terminology in use (isn’t that what the CBK is supposed to do?). As a requirement — the CISSP or any cert like it — must test the analyst level skills typically needed to maneuver around industry constructs and concepts.

Certifications breed specialists – we need more generalists.

I can’t agree with this. Some certifications can breed specialists

You definitely have this part correct, especially about CISA and CISSP. What I meant to say is that “5000 certifications breed specialists”… Sorry that came out wrong.

This is just plain wrong. The CISSP never has and never will be offered at a prometric center for precisely the reason you state

I think you might be a bit short-sighted in this argument. It may not be offered at Prometric centers, but it might as well be. If you don’t believe me when I say it’s a simple matter of memorizing the test answers (and that cheating is well and alive), then I suggest you do some Google hacking to find out the truth.

How? Web application security is a specialty within information security. or a specialty within applicaiton development. But it certainly is not a generalist certification.

Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don’t understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist

OWASP means what? ISC2 means what? I don’t understand how ISC2 is allowed to have a generalist security certification, but OWASP is not? Why is OWASP not allowed to have one? Because of their name? What’s in a name?

The OPCP will not be just about secure coding. I wish people would understand this — it’s basically the one point that I’m trying to make.

I agree that CISSP and OPCP will co-exist. However, I do think that OPCP (or something else very much like it) will start to replace the letters CISSP — especially when it comes to prestige or possibly things like government requirements. As I said, you’ll see…

proposing your services to customers. You or your compnay is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn’t matter what you think about them here, it matters what the potential customer expects

You’re the first person who has brought up this point (and like most of your points — it’s a really good one). There is speculation into how much things really counts for. I’m sure that there have been plenty of bids for contracts where a non-CISSP won over a CISSP. However, it definitely helps and provides confidence for both you and your client. I’m hoping that this will be one of the benefits to the OPCP as well.

Statements:

1) CISSP had outlived its usefulness as a technical measure of capability.

CISSP was never intended as a technical measure of capability. CISSP is a statement about a security professional that he/she understands a set of common prinicples, practices, and a vocabulary. Thus CBK. Think of it this way. If I meet you across a table at a business meeting and your card says “CISSP” on it, then I know that I can use terms such as ‘two-factor’ authentication and you will understand priciples such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability.

2) No innovations or improvements made.

Right on! I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK (on the order of the PMBOK).

3) CISSP ability to deliver is MIA.

Deliver what? Perhaps if you beleive that CISSP was supposed to be a mark of how “security smart and capable” someone is.

4) Certifications breed specialists – we need more generalists.

I can’t agree with this. Some certifications can breed specialists; vendors certs is one good example. But the CISSP certification as well as the CISA certification is a general certification within the security and IS auditing professions.

Now while we are at it. The OWASP cert (as proposed) IS a specialist certification. You seem to disagree with this (as in your earlier responses). But clearly web application security is a specialty within the information security profession.

5) I know where to go to get all of the real questions and answers for the CISSP exam, of which I could memorize and regurgitate at a Prometric center.

This is just plain wrong. The CISSP never has and never will be offered at a prometric center for precisely the reason you state.

6) OPCP is a generalist sort of certification.

Err. How? Web application security is a specialty within information security. or a specialty within applicaiton development. But it certainly is not a generalist certification.

Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don’t understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist.

Need for certificaitons. You seem content (or proud) not to have any certifications. I certainly agree that you probably don’t need them in your current position and obtaining one would not make you smarter but consider the following need for certifications:

a) looking for a job in the information security field. Unless you have a reputation and/or a great network you will not be able to get a job without certifications such as CISSP or CISA. A very small fraction of the information security workforce has a reputation (good) and/or a strong network.

b) proposing your services to customers. You or your compnay is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn’t matter what you think about them here, it matters what the potential customer expects.

c) the “certification” that I believe is my biggest asset is my business experience knowledge. Personally, I list my MBA right next to my CISSP and CISA.