<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.2.3" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>
<channel>
	<title>Comments on: R.I.P. CISSP</title>
	<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/</link>
	<description>top secret/secure computing information</description>
	<pubDate>Fri, 21 Nov 2008 18:25:50 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.2.3</generator>

	<item>
		<title>By: JoeEgg</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-15727</link>
		<dc:creator>JoeEgg</dc:creator>
		<pubDate>Wed, 15 Oct 2008 18:13:47 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-15727</guid>
		<description>As others have said, the CISSP is not a technical cert and shouldn't be anything close to a measure of one's overall "skill" in information security.  This should be obvious to people who are smart enough to see and call out the limitations of the CISSP -- and I'm really surprised this point continually generates so much discussion.  

(ISC)2 pitches the CISSP as a certification of "professionals," hoping to measure up to other "professional" licenses like the CPA, CFP, etc.  I obtained my CISSP very early in my career as a way to show my commitment to the field and continued self-development.  I knew that having a "hands-on" conversation about Solaris security would get me more respect when talking with Unix admins than those five letters, but I also knew the cert was important to the pointy-heads.  (I wanted to be able to work with both types, as well as everyone in between.)

As a hiring manager, a CISSP shows me someone is committed enough to put the time/effort/money to get it -- that's it.  It's a measure of professionalism.  S/he can still be a clown, but that's why I ask questions during an interview.  Sure -- some recruiters and people managers may spin it as a tech cert -- but that doesn't make it so.

I had my ISSEP and ISSAP for a while, until I decided it wasn't helping my resume and my employer wasn't reimbursing the fees.  I recently got my CEH -- only because it was a "standard" set by my employer.  Sure, the CEH has huge problems, but it was an easy cert to get and didn't cost me anything.  And now that I have it, I can use my experiences with the exam and EC-Council to point out the shortcomings, instead of just whining about "how much it sucks and why I don't wanna take it." 

Certs don't make you smarter.  For employees, certs are another way to game the screening and interview process and one way to show continued development.  For people managers, they are one way to set goals to measure commitment -- especially for more junior people.

I wish James et al. all the luck in the world with OPCP, and I'm sure we'll see a number of new infosec certs over the next several years.  But having smart people and reputable organizations stand behind the cert isn't going to motivate me to get it.  I'll get a cert if it will 1) help me get the job I want or 2) keep the job I love.</description>
		<content:encoded><![CDATA[<p>As others have said, the CISSP is not a technical cert and shouldn&#8217;t be anything close to a measure of one&#8217;s overall &#8220;skill&#8221; in information security.  This should be obvious to people who are smart enough to see and call out the limitations of the CISSP &#8212; and I&#8217;m really surprised this point continually generates so much discussion.  </p>
<p>(ISC)2 pitches the CISSP as a certification of &#8220;professionals,&#8221; hoping to measure up to other &#8220;professional&#8221; licenses like the CPA, CFP, etc.  I obtained my CISSP very early in my career as a way to show my commitment to the field and continued self-development.  I knew that having a &#8220;hands-on&#8221; conversation about Solaris security would get me more respect when talking with Unix admins than those five letters, but I also knew the cert was important to the pointy-heads.  (I wanted to be able to work with both types, as well as everyone in between.)</p>
<p>As a hiring manager, a CISSP shows me someone is committed enough to put the time/effort/money to get it &#8212; that&#8217;s it.  It&#8217;s a measure of professionalism.  S/he can still be a clown, but that&#8217;s why I ask questions during an interview.  Sure &#8212; some recruiters and people managers may spin it as a tech cert &#8212; but that doesn&#8217;t make it so.</p>
<p>I had my ISSEP and ISSAP for a while, until I decided it wasn&#8217;t helping my resume and my employer wasn&#8217;t reimbursing the fees.  I recently got my CEH &#8212; only because it was a &#8220;standard&#8221; set by my employer.  Sure, the CEH has huge problems, but it was an easy cert to get and didn&#8217;t cost me anything.  And now that I have it, I can use my experiences with the exam and EC-Council to point out the shortcomings, instead of just whining about &#8220;how much it sucks and why I don&#8217;t wanna take it.&#8221; </p>
<p>Certs don&#8217;t make you smarter.  For employees, certs are another way to game the screening and interview process and one way to show continued development.  For people managers, they are one way to set goals to measure commitment &#8212; especially for more junior people.</p>
<p>I wish James et al. all the luck in the world with OPCP, and I&#8217;m sure we&#8217;ll see a number of new infosec certs over the next several years.  But having smart people and reputable organizations stand behind the cert isn&#8217;t going to motivate me to get it.  I&#8217;ll get a cert if it will 1) help me get the job I want or 2) keep the job I love.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Patrick</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-10512</link>
		<dc:creator>Patrick</dc:creator>
		<pubDate>Thu, 31 Jul 2008 17:08:53 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-10512</guid>
		<description>I found this site very interesting and up until now I was not aware that OWASP existed. I think this may be my loss.  I have read various opinions regarding the validity of the CISSP. I am a CISSP and I am a member of the local chapter of the Information Systems Security Association (ISSA) in Colorado Springs. We are over 300 members strong and our security specialties vary on a broad level.  I would like to see a member of the Denver OWASP attend one of our meetings.  I think we could learn a lot, perhaps from each other.

As for the CISSP, it’s a general Information Security certification in a very broad IS field. There are security specialties in almost every IT area, all shouting that theirs is better than anyone else's. I feel that if IT Security is part of your career goals, you should pursue it and pick where and what you choose to specialize in.  There is no one "silver bullet" in IT security, just a good overall knowledge and a focused specialized knowledge.  I think the OPCP may be worth looking into.  The security standards of the future might be CISSP-OPCP or CISSP-ISSEP or CISSP-(whatever tickles your security fancy).

Good Luck to all.
Patrick</description>
		<content:encoded><![CDATA[<p>I found this site very interesting and up until now I was not aware that OWASP existed. I think this may be my loss.  I have read various opinions regarding the validity of the CISSP. I am a CISSP and I am a member of the local chapter of the Information Systems Security Association (ISSA) in Colorado Springs. We are over 300 members strong and our security specialties vary on a broad level.  I would like to see a member of the Denver OWASP attend one of our meetings.  I think we could learn a lot, perhaps from each other.</p>
<p>As for the CISSP, it’s a general Information Security certification in a very broad IS field. There are security specialties in almost every IT area, all shouting that theirs is better than anyone else&#8217;s. I feel that if IT Security is part of your career goals, you should pursue it and pick where and what you choose to specialize in.  There is no one &#8220;silver bullet&#8221; in IT security, just a good overall knowledge and a focused specialized knowledge.  I think the OPCP may be worth looking into.  The security standards of the future might be CISSP-OPCP or CISSP-ISSEP or CISSP-(whatever tickles your security fancy).</p>
<p>Good Luck to all.<br />
Patrick</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: windexh8er</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8171</link>
		<dc:creator>windexh8er</dc:creator>
		<pubDate>Fri, 27 Jun 2008 14:57:13 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8171</guid>
		<description>@dre

Just a quick follow up...  It's an interesting listen on the Security Roundtable podcast about how the Jericho forum is not recommending an end to firewalls...

http://www.securityroundtable.com/2008/06/12/security-roundtable-for-june-2008-clarion-call-of-the-jericho-forum/</description>
		<content:encoded><![CDATA[<p>@dre</p>
<p>Just a quick follow up&#8230;  It&#8217;s an interesting listen on the Security Roundtable podcast about how the Jericho forum is not recommending an end to firewalls&#8230;</p>
<p><a href="http://www.securityroundtable.com/2008/06/12/security-roundtable-for-june-2008-clarion-call-of-the-jericho-forum/"  onclick="javascript:urchinTracker ('/outbound/comment/www.securityroundtable.com');">http://www.securityroundtable.com/2008/06/12/security-roundtable-for-june-2008-clarion-call-of-the-jericho-forum/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dre</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8088</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Wed, 25 Jun 2008 07:30:05 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8088</guid>
		<description>@ Doug Landoll:

&lt;i&gt;If I meet you across a table at a business meeting and your card says “CISSP” on it, then I know that I can use terms such as ‘two-factor’ authentication and you will understand principles such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability&lt;/i&gt;

Let me re-phrase this.  "CISSP had outlived its usefulness as a statistical measure of analyst capability."

&lt;i&gt;I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK&lt;/i&gt;

This is not to say that the work that they have done is invalid or wrong.  The original CBK was neat, and I know that people have put work into it over time (it's not like ISC2 only worked on this once and has been milking it ever since).  Good commentary so far.

&lt;i&gt;Deliver what? Perhaps if you believe that CISSP was supposed to be a mark of how “security smart and capable” someone is&lt;/i&gt;

Well, in some ways -- I think it would be nice if it could gauge the terminology in use (isn't that what the CBK is supposed to do?).  As a requirement -- the CISSP or any cert like it -- must test the analyst level skills typically needed to maneuver around industry constructs and concepts.

&lt;i&gt;Certifications breed specialists - we need more generalists.

I can’t agree with this. Some certifications can breed specialists&lt;/i&gt;

You definitely have this part correct, especially about CISA and CISSP.  What I meant to say is that "5000 certifications breed specialists"... Sorry that came out wrong.

&lt;i&gt;This is just plain wrong. The CISSP never has and never will be offered at a prometric center for precisely the reason you state&lt;/i&gt;

I think you might be a bit short-sighted in this argument.  It may not be offered at Prometric centers, but it might as well be.  If you don't believe me when I say it's a simple matter of memorizing the test answers (and that cheating is well and alive), then I suggest you do some Google hacking to find out the truth.

&lt;i&gt;How? Web application security is a specialty within information security, or a specialty within application development. But it certainly is not a generalist certification.

Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don’t understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist&lt;/i&gt;

OWASP means what?  ISC2 means what?  I don't understand how ISC2 is allowed to have a generalist security certification, but OWASP is not?  Why is OWASP not allowed to have one?  Because of their name?  What's in a name?

The OPCP will not be just about secure coding.  I wish people would understand this -- it's basically the one point that I'm trying to make.

I agree that CISSP and OPCP will co-exist.  However, I do think that OPCP (or something else very much like it) will start to replace the letters CISSP -- especially when it comes to prestige or possibly things like government requirements.  As I said, you'll see...

&lt;i&gt;proposing your services to customers. You or your company is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn’t matter what you think about them here, it matters what the potential customer expects&lt;/i&gt;

You're the first person who has brought up this point (and like most of your points -- it's a really good one).  There is speculation into how much these things really count for.  I'm sure that there have been plenty of bids for contracts where a non-CISSP won over a CISSP.  However, it definitely helps and provides confidence for both you and your client.  I'm hoping that this will be one of the benefits to the OPCP as well.</description>
		<content:encoded><![CDATA[<p>@ Doug Landoll:</p>
<p><i>If I meet you across a table at a business meeting and your card says “CISSP” on it, then I know that I can use terms such as ‘two-factor’ authentication and you will understand principles such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability</i></p>
<p>Let me re-phrase this.  &#8220;CISSP had outlived its usefulness as a statistical measure of analyst capability.&#8221;</p>
<p><i>I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK</i></p>
<p>This is not to say that the work that they have done is invalid or wrong.  The original CBK was neat, and I know that people have put work into it over time (it&#8217;s not like ISC2 only worked on this once and has been milking it ever since).  Good commentary so far.</p>
<p><i>Deliver what? Perhaps if you believe that CISSP was supposed to be a mark of how “security smart and capable” someone is</i></p>
<p>Well, in some ways &#8212; I think it would be nice if it could gauge the terminology in use (isn&#8217;t that what the CBK is supposed to do?).  As a requirement &#8212; the CISSP or any cert like it &#8212; must test the analyst level skills typically needed to maneuver around industry constructs and concepts.</p>
<p><i>Certifications breed specialists - we need more generalists.</p>
<p>I can’t agree with this. Some certifications can breed specialists</i></p>
<p>You definitely have this part correct, especially about CISA and CISSP.  What I meant to say is that &#8220;5000 certifications breed specialists&#8221;&#8230; Sorry that came out wrong.</p>
<p><i>This is just plain wrong. The CISSP never has and never will be offered at a prometric center for precisely the reason you state</i></p>
<p>I think you might be a bit short-sighted in this argument.  It may not be offered at Prometric centers, but it might as well be.  If you don&#8217;t believe me when I say it&#8217;s a simple matter of memorizing the test answers (and that cheating is well and alive), then I suggest you do some Google hacking to find out the truth.</p>
<p><i>How? Web application security is a specialty within information security, or a specialty within application development. But it certainly is not a generalist certification.</p>
<p>Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don’t understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist</i></p>
<p>OWASP means what?  ISC2 means what?  I don&#8217;t understand how ISC2 is allowed to have a generalist security certification, but OWASP is not?  Why is OWASP not allowed to have one?  Because of their name?  What&#8217;s in a name?</p>
<p>The OPCP will not be just about secure coding.  I wish people would understand this &#8212; it&#8217;s basically the one point that I&#8217;m trying to make.</p>
<p>I agree that CISSP and OPCP will co-exist.  However, I do think that OPCP (or something else very much like it) will start to replace the letters CISSP &#8212; especially when it comes to prestige or possibly things like government requirements.  As I said, you&#8217;ll see&#8230;</p>
<p><i>proposing your services to customers. You or your company is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn’t matter what you think about them here, it matters what the potential customer expects</i></p>
<p>You&#8217;re the first person who has brought up this point (and like most of your points &#8212; it&#8217;s a really good one).  There is speculation into how much these things really count for.  I&#8217;m sure that there have been plenty of bids for contracts where a non-CISSP won over a CISSP.  However, it definitely helps and provides confidence for both you and your client.  I&#8217;m hoping that this will be one of the benefits to the OPCP as well.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Doug Landoll</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8077</link>
		<dc:creator>Doug Landoll</dc:creator>
		<pubDate>Wed, 25 Jun 2008 03:40:14 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8077</guid>
		<description>Great post that has stirred a lot of discussion. I commend you on an interesting topic. While I disagree with some of your conclusions and statements (see below), I like the idea of a certification within the secure coding area and OWASP is a great organization to do it.

Statements:

1) CISSP had outlived its usefulness as a technical measure of capability.

CISSP was never intended as a technical measure of capability. CISSP is a statement about a security professional that he/she understands a set of common principles, practices, and a vocabulary. Thus CBK. Think of it this way. If I meet you across a table at a business meeting and your card says "CISSP" on it, then I know that I can use terms such as 'two-factor' authentication and you will understand principles such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability.

2) No innovations or improvements made.

Right on! I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK (on the order of the PMBOK).

3) CISSP ability to deliver is MIA.

Deliver what? Perhaps if you believe that CISSP was supposed to be a mark of how "security smart and capable" someone is.

4) Certifications breed specialists - we need more generalists. 

I can't agree with this. Some certifications can breed specialists; vendor certs are one good example. But the CISSP certification as well as the CISA certification is a general certification within the security and IS auditing professions. 

Now while we are at it. The OWASP cert (as proposed) IS a specialist certification. You seem to disagree with this (as in your earlier responses). But clearly web application security is a specialty within the information security profession.

5) I know where to go to get all of the real questions and answers for the CISSP exam, of which I could memorize and regurgitate at a Prometric center.

This is just plain wrong. The CISSP never has and never will be offered at a Prometric center for precisely the reason you state.

6) OPCP is a generalist sort of certification.

Err. How? Web application security is a specialty within information security, or a specialty within application development. But it certainly is not a generalist certification.

Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don't understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist.

Need for certifications. You seem content (or proud) not to have any certifications. I certainly agree that you probably don't need them in your current position and obtaining one would not make you smarter but consider the following need for certifications:

a) looking for a job in the information security field. Unless you have a reputation and/or a great network you will not be able to get a job without certifications such as CISSP or CISA. A very small fraction of the information security workforce has a reputation (good) and/or a strong network.

b) proposing your services to customers. You or your company is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn't matter what you think about them here, it matters what the potential customer expects.

c) the "certification" that I believe is my biggest asset is my business experience knowledge. Personally, I list my MBA right next to my CISSP and CISA.</description>
		<content:encoded><![CDATA[<p>Great post that has stirred a lot of discussion. I commend you on an interesting topic. While I disagree with some of your conclusions and statements (see below), I like the idea of a certification within the secure coding area and OWASP is a great organization to do it.</p>
<p>Statements:</p>
<p>1) CISSP had outlived its usefulness as a technical measure of capability.</p>
<p>CISSP was never intended as a technical measure of capability. CISSP is a statement about a security professional that he/she understands a set of common principles, practices, and a vocabulary. Thus CBK. Think of it this way. If I meet you across a table at a business meeting and your card says &#8220;CISSP&#8221; on it, then I know that I can use terms such as &#8216;two-factor&#8217; authentication and you will understand principles such as separation of duty. A CISSP cert is simply a statement that we both have a common body of knowledge upon which to begin our discussion. A CISSP has never been a statement of technical capability.</p>
<p>2) No innovations or improvements made.</p>
<p>Right on! I totally agree with this comment. ISC2 has done a poor job evolving the CBK. Moreover, ISC2 has done an incredibly poor job publishing the details of the CBK (on the order of the PMBOK).</p>
<p>3) CISSP ability to deliver is MIA.</p>
<p>Deliver what? Perhaps if you believe that CISSP was supposed to be a mark of how &#8220;security smart and capable&#8221; someone is.</p>
<p>4) Certifications breed specialists - we need more generalists. </p>
<p>I can&#8217;t agree with this. Some certifications can breed specialists; vendor certs are one good example. But the CISSP certification as well as the CISA certification is a general certification within the security and IS auditing professions. </p>
<p>Now while we are at it. The OWASP cert (as proposed) IS a specialist certification. You seem to disagree with this (as in your earlier responses). But clearly web application security is a specialty within the information security profession.</p>
<p>5) I know where to go to get all of the real questions and answers for the CISSP exam, of which I could memorize and regurgitate at a Prometric center.</p>
<p>This is just plain wrong. The CISSP never has and never will be offered at a Prometric center for precisely the reason you state.</p>
<p>6) OPCP is a generalist sort of certification.</p>
<p>Err. How? Web application security is a specialty within information security, or a specialty within application development. But it certainly is not a generalist certification.</p>
<p>Overall. I understand the need for the OWASP inspired certification and applaud the effort. However, I don&#8217;t understand the need to knock other certifications. This is not a zero sum game. You do not need to get rid of one cert to gain another. They can both co-exist.</p>
<p>Need for certifications. You seem content (or proud) not to have any certifications. I certainly agree that you probably don&#8217;t need them in your current position and obtaining one would not make you smarter but consider the following need for certifications:</p>
<p>a) looking for a job in the information security field. Unless you have a reputation and/or a great network you will not be able to get a job without certifications such as CISSP or CISA. A very small fraction of the information security workforce has a reputation (good) and/or a strong network.</p>
<p>b) proposing your services to customers. You or your company is likely to get asked the certification level of your engineers. Like it or not, the customer will ask. It makes business sense to be able to demonstrate you have these certs. It really doesn&#8217;t matter what you think about them here, it matters what the potential customer expects.</p>
<p>c) the &#8220;certification&#8221; that I believe is my biggest asset is my business experience knowledge. Personally, I list my MBA right next to my CISSP and CISA.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: CG</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8066</link>
		<dc:creator>CG</dc:creator>
		<pubDate>Tue, 24 Jun 2008 21:06:21 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8066</guid>
		<description>I'd like to see the CISSP's replacement not completely be yet another multiple choice test.  All that OWASP brainpower should be able to come up with a scalable practical exam.</description>
		<content:encoded><![CDATA[<p>I&#8217;d like to see the CISSP&#8217;s replacement not completely be yet another multiple choice test.  All that OWASP brainpower should be able to come up with a scalable practical exam.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: windexh8er</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8056</link>
		<dc:creator>windexh8er</dc:creator>
		<pubDate>Tue, 24 Jun 2008 13:49:02 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8056</guid>
		<description>@dre

I would definitely be interested in the post on software security.  Most of my misunderstanding is probably because I mainly dabble in things like Python and Ruby to get things done.  A little bit of Objective C -- but I'm not a day to day programmer.

I have actually built plenty of network appliances based on Linux and BSD.  I think the grey area of an "appliance" in enterprise is interesting.  The fact that if it doesn't come installed with Windows and comes with a "specialized" OS with support from a vendor really makes it an "appliance".  I've run into customer issues many times wherein I've deployed network monitoring based on Linux, but when it came down to actually validating it as a network appliance the customer would state that they need a real one.  Real what?  They would state they actually needed to buy an appliance from a vendor for it to be kosher.  So -- fine, go buy a Cisco 4260 IPS and we'll just use the chassis.  This is something that most vendors (that I've run across) have a hard time dealing with or understanding.  Maybe it's because they want to make sure they have support after a given consultant leaves the premises -- because they don't have any expertise in house.  Keep in mind that a lot of Fortune 50/100 clients I've been at have little to no *NIX experience directly in their security / infrastructure departments.  Scary...

To sum it up, I'm not a person who likes recommending overpriced products when a free / better alternative exists out there.  It's hard when you walk into a Cisco centric shop and try to push something else.

The interesting thing is that I previously worked for a large government defense contractor.  In which it was much easier to get home grown appliances into programs -- mostly based on embedded Linux.  This particular contractor probably saw the value because they would routinely query us for in house training around embedded systems.  Two vital sensors for our programs were deployed running open source operating systems.  I won't say that getting the code review done was a pleasant or easy experience, but in the end the customer was very happy.

I think network security is definitely a mix of what you've stated -- but, obviously, from my perspective network appliances are hard to get rid of.  Take the data center for example.  One of the problems you'll run into quickly is port density.  There's no PC chassis out there today that will be able to handle 300+ Gigabit interfaces.  If the platform were to exist it probably wouldn't be as extensible in terms of pure networking performance.

Cisco, as an example, for the most part is leveraging Linux for a lot of its products now.  So they definitely understand the advantages of using the platform.  The problem is Cisco, from what I've seen, does a horrid job of integration -- they base these appliances off of common distributions.  Why would I ever need a full blown distro of Fedora running my NAC appliance?  Sure they hacked out a few things, but a lot of the original base still exists...  So I could instead run PacketFence to a client, but then when they ask for 24/7/365 support with hardware and configuration where do they go?  It's not that I'm not a proponent of deploying open source -- I really am -- but it's just the logistics of spinning it in the right place at the right time.

Where is it going?  Well I hope better security of these devices is getting better from the core of the product -- the software.  The only problem I see with this is companies, again, like Cisco like to acquire junk just to fill product role voids.  Then they bring it in house and don't seem to fix it because it's a product that works and something they can rebrand and instantly start to make revenue on.

So, today, I think we're heading down the path filled with a lot of entropy right now.  The big players are going to make a lot of mistakes -- but the products will improve as the knowledge and understanding internally at companies improve.  That, to me, is the obvious first step.  It's just going to take time to displace the old hats that really have no interest in doing things any different.  Maybe it's a Baby Boomer / Gen X / Gen Y deal, or maybe it's a vendor lock-in comfort level.  I'm really surprised at how many people, in the industry, don't follow open source at all.  Even just educating themselves about it through feeds, blogs, whatever...

So to start, I think a better understanding needs to happen.  Followed by a push-back towards vendors demanding better products or using custom solutions in retort.

Do you find it hard to help customers understand when you're discussing application security that it applies directly to the network?  If I were to try and discuss 'application security' with my current client in reference to some of the 'network security' platforms they would probably think I fell off the rocker.  :)</description>
		<content:encoded><![CDATA[<p>@dre</p>
<p>I would definitely be interested in the post on software security.  Most of my misunderstanding is probably because I mainly dabble in things like Python and Ruby to get things done.  A little bit of Objective C &#8212; but I&#8217;m not a day to day programmer.</p>
<p>I have actually built plenty of network appliances based on Linux and BSD.  I think the grey area of an &#8220;appliance&#8221; in enterprise is interesting.  The fact that it doesn&#8217;t come installed with Windows and comes with a &#8220;specialized&#8221; OS with support from a vendor really makes it an &#8220;appliance&#8221;.  I&#8217;ve run into customer issues many times wherein I&#8217;ve deployed network monitoring based on Linux, but when it came down to actually validating it as a network appliance the customer would state that they need a real one.  Real what?  They would state they actually needed to buy an appliance from a vendor for it to be kosher.  So &#8212; fine, go buy a Cisco 4260 IPS and we&#8217;ll just use the chassis.  This is something that most vendors (that I&#8217;ve run across) have a hard time dealing with or understanding.  Maybe it&#8217;s because they want to make sure they have support after a given consultant leaves the premises &#8212; because they don&#8217;t have any expertise in house.  Keep in mind that a lot of Fortune 50/100 clients I&#8217;ve been at have little to no *NIX experience directly in their security / infrastructure departments.  Scary&#8230;</p>
<p>To sum it up, I&#8217;m not a person who likes recommending overpriced products when a free / better alternative exists out there.  It&#8217;s hard when you walk into a Cisco centric shop and try to push something else.</p>
<p>The interesting thing is that I previously worked for a large government defense contractor, where it was much easier to get home grown appliances into programs &#8212; mostly based on embedded Linux.  This particular contractor probably saw the value because they would routinely query us for in house training around embedded systems.  Two vital sensors for our programs were deployed running open source operating systems.  I won&#8217;t say that getting the code review done was a pleasant or easy experience, but in the end the customer was very happy.</p>
<p>I think network security is definitely a mix of what you&#8217;ve stated &#8212; but, obviously, from my perspective network appliances are hard to get rid of.  Take the data center for example.  One of the problems you&#8217;ll run into quickly is port density.  There&#8217;s no PC chassis out there today that will be able to handle 300+ Gigabit interfaces.  If the platform were to exist it probably wouldn&#8217;t be as extensible in terms of pure networking performance.</p>
<p>Cisco, as an example, for the most part is leveraging Linux for a lot of its products now.  So they definitely understand the advantages of using the platform.  The problem is Cisco, from what I&#8217;ve seen, does a horrid job of integration &#8212; they base these appliances off of common distributions.  Why would I ever need a full blown distro of Fedora running my NAC appliance?  Sure they hacked out a few things, but a lot of the original base still exists&#8230;  So I could instead run PacketFence to a client, but then when they ask for 24/7/365 support with hardware and configuration where do they go?  It&#8217;s not that I&#8217;m not a proponent of deploying open source &#8212; I really am &#8212; but it&#8217;s just the logistics of spinning it in the right place at the right time.</p>
<p>Where is it going?  Well, I hope the security of these devices gets better from the core of the product &#8212; the software.  The only problem I see with this is companies, again, like Cisco like to acquire junk just to fill product role voids.  Then they bring it in house and don&#8217;t seem to fix it because it&#8217;s a product that works and something they can rebrand and instantly start to make revenue on.</p>
<p>So, today, I think we&#8217;re heading down the path filled with a lot of entropy right now.  The big players are going to make a lot of mistakes &#8212; but the products will improve as the knowledge and understanding internally at companies improve.  That, to me, is the obvious first step.  It&#8217;s just going to take time to displace the old hats that really have no interest in doing things any different.  Maybe it&#8217;s a Baby Boomer / Gen X / Gen Y deal, or maybe it&#8217;s a vendor lock-in comfort level.  I&#8217;m really surprised at how many people, in the industry, don&#8217;t follow open source at all.  Even just educating themselves about it through feeds, blogs, whatever&#8230;</p>
<p>So to start, I think a better understanding needs to happen.  Followed by a push-back towards vendors demanding better products or using custom solutions in retort.</p>
<p>Do you find it hard to help customers understand when you&#8217;re discussing application security that it applies directly to the network?  If I were to try and discuss &#8216;application security&#8217; with my current client in reference to some of the &#8216;network security&#8217; platforms they would probably think I fell off the rocker.  :)</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dre</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8045</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Tue, 24 Jun 2008 08:00:11 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8045</guid>
		<description>@ windexh8er:

I think I'm going to do a post (or write a book) on how integration unit testing, aspect-oriented programming, and dependency injection are the holy grails of software security.  Thanks for the allegory!

I don't think this stuff is bleeding edge, but I guess I could understand how other people could see it as that.  I've been told it's bleeding edge before (actually, I've been told, "that's too bleeding edge" during most of my career).  I've also been told it's "too academic" a lot.

Many people are not aware that SQL injection came out in 1998.  That was ten years ago.  Others have no clue that XSS was around in 2001, or seven years ago.  Some know that the buffer overflow has been well-documented since 1995, but that we first saw use of it in 1988 with the Morris worm.  Bart Miller found various kinds of overflows and other security properties when he invented fuzz testing in 1989.  Surely, there were others that did research before these times, but we can trace the history of software security back to these specific points without much argument.

&lt;i&gt;I do, however, think it can get better — and it will&lt;/i&gt;

Have you thought about investigating research and time into building your own network appliances?  For example, in the book, "Linux Networking Cookbook" from O'Reilly Press, the author, Carla Schroder, goes into detail about booting Pyramid Linux on a variety of embedded hardware devices that utilize CF or Disk-on-Module drives.

She even demonstrates how to use WPA2-Personal with HostAP to provide per-machine keys, which can be better/safer than WPA2-Enterprise in my opinion.  I do understand that some architectures (e.g. Cisco IOS, Juniper Networks JunOS) have superior technology in their software (e.g. CEF).  Aruba Networks does an outstanding job with WiFi security, but I guess I remain skeptical about vendors and closed-source products unless I know to what level of detail they test their products with modern, full-knowledge vulnerability assessment techniques.

To be honest, I'd be really interested to hear where you think Network security is going.  If there are innovations and improvements to be made (and I have my short list of things that I've wanted for years), then we'd love to hear them.  Or point me towards the research.  I referenced a few interesting papers in Bejtlich's post on &lt;a href="http://taosecurity.blogspot.com/2008/06/nsm-vs-encrypted-traffic-revisited.html#comments"&gt;NSM vs Encrypted Traffic Revisited&lt;/a&gt;.

However, some of these `network security' innovations are really `application security' innovations.  Some of the defenses look like they are being performed on the network when really they are being done as close to the application as possible.  For example, CORE GRASP and Fortify Defender are considered "web application firewalls", but really they are something completely different.</description>
		<content:encoded><![CDATA[<p>@ windexh8er:</p>
<p>I think I&#8217;m going to do a post (or write a book) on how integration unit testing, aspect-oriented programming, and dependency injection are the holy grails of software security.  Thanks for the allegory!</p>
<p>I don&#8217;t think this stuff is bleeding edge, but I guess I could understand how other people could see it as that.  I&#8217;ve been told it&#8217;s bleeding edge before (actually, I&#8217;ve been told, &#8220;that&#8217;s too bleeding edge&#8221; during most of my career).  I&#8217;ve also been told it&#8217;s &#8220;too academic&#8221; a lot.</p>
<p>Many people are not aware that SQL injection came out in 1998.  That was ten years ago.  Others have no clue that XSS was around in 2001, or seven years ago.  Some know that the buffer overflow has been well-documented since 1995, but that we first saw use of it in 1988 with the Morris worm.  Bart Miller found various kinds of overflows and other security properties when he invented fuzz testing in 1989.  Surely, there were others that did research before these times, but we can trace the history of software security back to these specific points without much argument.</p>
<p><i>I do, however, think it can get better — and it will</i></p>
<p>Have you thought about investigating research and time into building your own network appliances?  For example, in the book, &#8220;Linux Networking Cookbook&#8221; from O&#8217;Reilly Press, the author, Carla Schroder, goes into detail about booting Pyramid Linux on a variety of embedded hardware devices that utilize CF or Disk-on-Module drives.</p>
<p>She even demonstrates how to use WPA2-Personal with HostAP to provide per-machine keys, which can be better/safer than WPA2-Enterprise in my opinion.  I do understand that some architectures (e.g. Cisco IOS, Juniper Networks JunOS) have superior technology in their software (e.g. CEF).  Aruba Networks does an outstanding job with WiFi security, but I guess I remain skeptical about vendors and closed-source products unless I know to what level of detail they test their products with modern, full-knowledge vulnerability assessment techniques.</p>
<p>To be honest, I&#8217;d be really interested to hear where you think Network security is going.  If there are innovations and improvements to be made (and I have my short list of things that I&#8217;ve wanted for years), then we&#8217;d love to hear them.  Or point me towards the research.  I referenced a few interesting papers in Bejtlich&#8217;s post on <a href="http://taosecurity.blogspot.com/2008/06/nsm-vs-encrypted-traffic-revisited.html#comments">NSM vs Encrypted Traffic Revisited</a>.</p>
<p>However, some of these `network security&#8217; innovations are really `application security&#8217; innovations.  Some of the defenses look like they are being performed on the network when really they are being done as close to the application as possible.  For example, CORE GRASP and Fortify Defender are considered &#8220;web application firewalls&#8221;, but really they are something completely different.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: windexh8er</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8040</link>
		<dc:creator>windexh8er</dc:creator>
		<pubDate>Tue, 24 Jun 2008 04:56:20 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8040</guid>
		<description>I can see your side of the argument.  The problem, from my perspective, is that most of it is very bleeding edge.

I also didn't say that firewalls, IPS, NAC, whatever your box may be can't be circumvented.  Yes, I realize that everything *is* software.  However your tone seems to imply that unit testing, aspect-oriented programming, and dependency injection are the holy grail of software security.

My point is that a layered approach, albeit an old concept, is not always bad.  Software on a backend system may be vulnerable to X, while a network security device written in Y is not.  Let's just say for a second that Y is, at the time X is vulnerable, a safe platform.  Why is it so bad to have a particular defense in the meantime?

I agree with you that most network appliance vendors charge ridiculous fees for their overly unintuitive and hastily maintained product.  I do, however, think it can get better -- and it will.

I'll also definitely check out your recommended reading -- no, I haven't read any of the books you mentioned so maybe I can get a better insight of where you're coming from.

All in all you usually have some great articles -- but I was surprised at the tone of your retort.  I think I could have done a better job of wording my angle...  But anyway...</description>
		<content:encoded><![CDATA[<p>I can see your side of the argument.  The problem, from my perspective, is that most of it is very bleeding edge.</p>
<p>I also didn&#8217;t say that firewalls, IPS, NAC, whatever your box may be can&#8217;t be circumvented.  Yes, I realize that everything *is* software.  However your tone seems to imply that unit testing, aspect-oriented programming, and dependency injection are the holy grail of software security.</p>
<p>My point is that a layered approach, albeit an old concept, is not always bad.  Software on a backend system may be vulnerable to X, while a network security device written in Y is not.  Let&#8217;s just say for a second that Y is, at the time X is vulnerable, a safe platform.  Why is it so bad to have a particular defense in the meantime?</p>
<p>I agree with you that most network appliance vendors charge ridiculous fees for their overly unintuitive and hastily maintained product.  I do, however, think it can get better &#8212; and it will.</p>
<p>I&#8217;ll also definitely check out your recommended reading &#8212; no, I haven&#8217;t read any of the books you mentioned so maybe I can get a better insight of where you&#8217;re coming from.</p>
<p>All in all you usually have some great articles &#8212; but I was surprised at the tone of your retort.  I think I could have done a better job of wording my angle&#8230;  But anyway&#8230;</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: dre</title>
		<link>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8031</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Mon, 23 Jun 2008 22:18:55 +0000</pubDate>
		<guid>http://www.tssci-security.com/archives/2008/06/19/rip-cissp/#comment-8031</guid>
		<description>@ windexh8er:

By saying things like the following, it is clear to me that you would love the book GEEKONOMICS (referenced in an above blog comment).  You definitely need to do some reading!

&lt;i&gt;leaving network security out of the picture is like saying that the Department of Transportation is now just going to let all roads in the US deteriorate with no maintenance because cars will just be built better to deal with the infrastructure&lt;/i&gt;

Leaving network security out of the picture is not a new concept.  I think the Jericho Forum has been talking about it for a while.  I haven't read too much about them, but I suggest you check it out if you're really concerned about preserving a future for network security.

&lt;i&gt;You can’t tell me that firewalls haven’t been able to help protect you at some point over the years&lt;/i&gt;

Uh... Yes, I can.  Let me see, in my first experience with commercial firewalls in 1996 (CheckPoint if you must ask), I was really pissed off at finding rootkits installed on my SPARC and x86 Solaris machines, even when I was using S/Key to login and su to root.

Then, when I got owned in 1997, I was even more pissed off to find out it was because of one user who wasn't set up to use S/Key via SSHv2 (the other admin allowed her to do this because he thought she was cute).  The guy who had a trojaned SSH on the machine that this girl logged in from had no problems finding a privilege escalation vulnerability and exploiting the trust relationships on our LAN to break into the firewall.  The jokesters that followed him in also had no problem writing zeroes to our drives, so that data recovery was doubly problematic.

Finally, when I worked for very large companies, I was fascinated to find out that they did not even use firewalls, but that they were safer and happier without them.  If you read my bio from somewhere, you can draw some more conclusions.

So, yes, firewalls seriously suck.  In 2008, they don't apply at all.  All of the attacks come in from client-side exploits.  All of these go right through firewalls.

&lt;i&gt;you’ve been using the Internet&lt;/i&gt;

You are correct.  I have been using the Internet.  The Internet is made up of software, did you know that?  The Internet exists because of software, were you aware of this fact?

&lt;i&gt;that an IPS hasn’t dropped automated scans that may expose an unpatched vulnerability&lt;/i&gt;

Ok, I admit that network-based IPS has caused problems for penetration-testers who are hired to scan companies or other organizations for vulnerabilities.  Can I get through them?  Hell yes.  Do hackers and organized crime get past both network-based and/or host-based IPS everyday for the past 20 years?  Of course they have.

&lt;i&gt;When it comes down to it discounting network security to nothing [...] thinking you have enough control over the rest of the components warrant it unneeded&lt;/i&gt;

Yes, I don't think that network security requires a lot (or much, if any) of time or effort.  I don't think we should spend time turning it off.  However, budgets should be re-balanced.  Sometimes this means moving a network-based IPS/IDS into a lab, or allowing costly firewalls, switches, routers, and IP telephony equipment to depreciate until they can be safely removed from the network (with early replacement or retirement happening as soon as possible).

&lt;i&gt;you’re not taking into account is $$$. It’s cheaper for the majority of big business to buy a box that will do 80% of the work than it is to employ one excellent programmer who has a real understanding of network and security programming that can also implement the business logic&lt;/i&gt;

No, I'm definitely taking the money into account.  I think the problems with security products -- ESPECIALLY network security products, or "security appliances" is that the only people taking the money into account are the vendors selling this bloatware -- this snake-oil.  I also suggest that you read "The New School of Information Security" based on these comments.  Let's look at breach data to determine where the problems are coming from and where and how to apply spending.  Sure, every company is different -- but I'd almost universally take half of the network security budget and dump it on application and data security from any given company around the globe.

&lt;i&gt;The majority of programmers are not, and will never be, in the niche security market. They don’t have an interest, therefore they won’t write clean code&lt;/i&gt;

That's why things like integration unit testing, aspect-oriented programming, and dependency injection will replace the need for information security and network security experts (and especially non-experts!) alike.  Of course, projects like OWASP ESAPI are already helping programmers forget about security problems and increase their bonuses due to "helping out with application security and software risk issues".  Ask any developer for any company on Wall Street.

&lt;i&gt;there will always be a need for network security products to help fill the void&lt;/i&gt;

I think filling voids is all that network security products do well.

&lt;i&gt;would you drive over a bridge with no railings that was just wide enough for your car? Those railings might not stop a semi, but they’ll probably be strong enough to stop your car&lt;/i&gt;

The broken window problem applies to the software, not to the network.  Of course, the network is made of software!</description>
		<content:encoded><![CDATA[<p>@ windexh8er:</p>
<p>By saying things like the following, it is clear to me that you would love the book GEEKONOMICS (referenced in an above blog comment).  You definitely need to do some reading!</p>
<p><i>leaving network security out of the picture is like saying that the Department of Transportation is now just going to let all roads in the US deteriorate with no maintenance because cars will just be built better to deal with the infrastructure</i></p>
<p>Leaving network security out of the picture is not a new concept.  I think the Jericho Forum has been talking about it for a while.  I haven&#8217;t read too much about them, but I suggest you check it out if you&#8217;re really concerned about preserving a future for network security.</p>
<p><i>You can’t tell me that firewalls haven’t been able to help protect you at some point over the years</i></p>
<p>Uh&#8230; Yes, I can.  Let me see, in my first experience with commercial firewalls in 1996 (CheckPoint if you must ask), I was really pissed off at finding rootkits installed on my SPARC and x86 Solaris machines, even when I was using S/Key to login and su to root.</p>
<p>Then, when I got owned in 1997, I was even more pissed off to find out it was because of one user who wasn&#8217;t set up to use S/Key via SSHv2 (the other admin allowed her to do this because he thought she was cute).  The guy who had a trojaned SSH on the machine that this girl logged in from had no problems finding a privilege escalation vulnerability and exploiting the trust relationships on our LAN to break into the firewall.  The jokesters that followed him in also had no problem writing zeroes to our drives, so that data recovery was doubly problematic.</p>
<p>Finally, when I worked for very large companies, I was fascinated to find out that they did not even use firewalls, but that they were safer and happier without them.  If you read my bio from somewhere, you can draw some more conclusions.</p>
<p>So, yes, firewalls seriously suck.  In 2008, they don&#8217;t apply at all.  All of the attacks come in from client-side exploits.  All of these go right through firewalls.</p>
<p><i>you’ve been using the Internet</i></p>
<p>You are correct.  I have been using the Internet.  The Internet is made up of software, did you know that?  The Internet exists because of software, were you aware of this fact?</p>
<p><i>that an IPS hasn’t dropped automated scans that may expose an unpatched vulnerability</i></p>
<p>Ok, I admit that network-based IPS has caused problems for penetration-testers who are hired to scan companies or other organizations for vulnerabilities.  Can I get through them?  Hell yes.  Do hackers and organized crime get past both network-based and/or host-based IPS everyday for the past 20 years?  Of course they have.</p>
<p><i>When it comes down to it discounting network security to nothing [&#8230;] thinking you have enough control over the rest of the components warrant it unneeded</i></p>
<p>Yes, I don&#8217;t think that network security requires a lot (or much, if any) of time or effort.  I don&#8217;t think we should spend time turning it off.  However, budgets should be re-balanced.  Sometimes this means moving a network-based IPS/IDS into a lab, or allowing costly firewalls, switches, routers, and IP telephony equipment to depreciate until they can be safely removed from the network (with early replacement or retirement happening as soon as possible).</p>
<p><i>you’re not taking into account is $$$. It’s cheaper for the majority of big business to buy a box that will do 80% of the work than it is to employ one excellent programmer who has a real understanding of network and security programming that can also implement the business logic</i></p>
<p>No, I&#8217;m definitely taking the money into account.  I think the problems with security products &#8212; ESPECIALLY network security products, or &#8220;security appliances&#8221; is that the only people taking the money into account are the vendors selling this bloatware &#8212; this snake-oil.  I also suggest that you read &#8220;The New School of Information Security&#8221; based on these comments.  Let&#8217;s look at breach data to determine where the problems are coming from and where and how to apply spending.  Sure, every company is different &#8212; but I&#8217;d almost universally take half of the network security budget and dump it on application and data security from any given company around the globe.</p>
<p><i>The majority of programmers are not, and will never be, in the niche security market. They don’t have an interest, therefore they won’t write clean code</i></p>
<p>That&#8217;s why things like integration unit testing, aspect-oriented programming, and dependency injection will replace the need for information security and network security experts (and especially non-experts!) alike.  Of course, projects like OWASP ESAPI are already helping programmers forget about security problems and increase their bonuses due to &#8220;helping out with application security and software risk issues&#8221;.  Ask any developer for any company on Wall Street.</p>
<p><i>there will always be a need for network security products to help fill the void</i></p>
<p>I think filling voids is all that network security products do well.</p>
<p><i>would you drive over a bridge with no railings that was just wide enough for your car? Those railings might not stop a semi, but they’ll probably be strong enough to stop your car</i></p>
<p>The broken window problem applies to the software, not to the network.  Of course, the network is made of software!</p>
]]></content:encoded>
	</item>
</channel>
</rss>