One of my assignment question is:

One argument in the security community is that lack of diversity is itself vulnerability. For example, the two dominant browsers, Mozilla Firefox and Microsoft Internet Explorer, are used by approximately 95 percent of Internet users. What security risk does this control of the market introduce? Suppose there were three (each with a significant share of the market). What three negate that security risk?

I think this is a very interesting question and would like to see your responses?

Shoaib

(ISC)2 pitches the CISSP as a certification of “professionals,” hoping to measure up to other “professional” licenses like the CPA, CFP, etc. I obtained my CISSP very early in my career as a way to show my commitment to the field and continued self-development. I knew that having a “hands-on” conversation about Solaris security would get me more respect when talking with Unix admin than those five letters, but I also knew the cert was important to the pointy-heads. (I wanted to be able to work with both types, as well as everyone in between.)

As a hiring manager, a CISSP shows me someone is committed enough to put the time/effort/money to get it — that’s it. It’s a measure of professionalism. S/he can still be a clown, but that’s why I ask questions during an interview. Sure — some recruiters and people managers may spin it as a tech cert — but that doesn’t make it so.

I had my ISSEP and ISSAP for awhile, until I decided it wasn’t helping my resume and my employer wasn’t reimbursing the fees. I recently got my CEH — only because it was a “standard” set by my employer. Sure, the CEH has huge problems, but it was an easy cert to get and didn’t cost me anything. And now that I have it, I can use my experiences with the exam and EC-Council to point out the shortcomings, instead of just whining about “how much it sucks and why I don’t wanna take it.”

Certs don’t make you smarter. For employees, certs are another way to game the screening and interview process and one way to show continued development. For people managers, they are one way to set goals to measure commitment — especially for more junior people.

I wish James et al. all the luck in the world with OPCP, and I’m sure we’ll see a number of new infosec certs over the next several years. But having smart people and reputable organizations stand behind the cert isn’t going to motivate me to get it. I’ll get a cert if it will 1) help me get the job I want or 2) keep the job I love.

Also, in my view, most security issues are trivial to figure out fixes for (applying fixes consistently seems to be our biggest problem), and as such the people developing the attacks/exploits do not see a need to cover them.

Also, fixing shit is boring, seriously. Fixing the problem doesn’t get me all that juicy, juicy data.

@ Rafal: I guess you can say I unfairly lumped clickjacking in with the rest. It’s unfortunate the media made a circus of all these vulnerabilities, as they do present interesting areas for defensive research. I was talking with RSnake a bit about this, (you may have been there), and as you know, the security industry loves shock and awe, and would rather attend the talks that show off new attacks rather than the one that shows how to fix the problems.

And I totally agree with you on offensive research. I absolutely loved Jeff Williams’ quote during the keynote, about finding such obscure vulnerabilities, we’d “make Rube Goldberg proud.”

Although I will once again say that the ISC^2 marketing folks really borked it. Everyone was starved, it had been a long day and instead of feeding us they gave us open bar. Then they tried to feed us information… were they serious? Not only was that the WORST slogan ever (Aitel actually wore the hat, hahaha), but I don’t think *anyone* was sober or paying attention to them at the end doing whatever announcement they made.

Oh well… fun times were had by all.

Crying wolf will eventually de-sensitize the populous (as I’ve written about in a recent paper, and repeatedly on my blog) and at some point (perhaps soon) it will become just background noise in the nasty online world everyone lives in.

Aside from that little rant, there is a much bigger problem with a lot of “offensive” research and disclosure being done and very little actual “defensive” information being provided to the people who need it most. I can’t tell you the last time I heard a solid solution to (insert issue du-jour here) that didn’t come from a vendor hocking their wares. We need real, solid, and deeply researched solutions to some of the most urgent issues like web application security.

Hearing a million ways of breaking every popular technology will drive our general population into either willful ignorance (due to overload) or retreat to pen/paper from sheer terror. What we need are solutions to these plagues that individuals and companies can apply to mitigate the risks and dangers.

The answer is a blank look and a shrug of the shoulders because we neither know the details nor what is or can be done about it.

I really dislike this sort of “circus disclosure” crap.

Then again, maybe this is because it has already taken years to get anyone who can fix things to listen. But still, just out with the details. No more of this “the sky is falling, oh but only in some places and I’m not going to tell you where or even let you look up” nonsense.

In that case, we have a problem with vendors/business listening (big surprise there) and the rest of us sharing information enough to get more bodies behind Robert and Jack and get positive attention.