Re: [Dailydave] Information security certifications diversity and getting lost

From: Thomas Ptacek (tqbfmatasano.com)
Date: Mon Sep 10 2007 - 12:25:36 CDT


How do you plan on solving the problems the CISSP has?

1. People will "teach to the test".

2. Certs get stale fast.

3. Cert businesses are high-overhead, but the IP for a cert is hard to
protect (if your cert is going to be fair and meaningful).

On 9/10/07, Dave Aitel <daveimmunityinc.com> wrote:
> One thing we've been working on here at Immunity are Network Offense
> Professional certifications. Essentially it would be practical tests
> that established someone was capable of doing certain actions we
> should all be able to do.
>
> For example, the first certification was a simple stack overflow
> against Windows 2000. Testees would exploit it using Immunity
> Debugger/WinDBG and VisualSploit, which would keep it as technology
> agnostic as possible. You can either write a simple Win32 overflow or
> you can't.
>
> We were going to launch it during DefCon, but had a few other things
> going on. :>
>
> - -dave
>
>
> J.M. Seitz wrote:
> > Hey Mike,
> >
> >> The CISSP is the undisputed king of information security
> >> certifications. Currently, every now and then a security company
> >> starts pushing their employees towards certification programs.
> >> These are usually known for featuring insanely long exams,
> >> absurdly pedantic requirements and other kinds of doubtfully
> >> respectable necessities.
> >
> > I wouldn't say it's the king, I would say it has some very broad
> > objectives, but is more so a Security+ on steroids. When the CISSP
> > got traction, you have to look at the timing of the certification,
> > and the fact that the only other certification that would get you a
> > high paying job was a CCIE, and the CCIE is a nasty cert to get to
> > say the least. SANS has put out some incredibly strong programs
> > that can range from technical (GCIH/GCFA/GREM) to CISSP-like
> > certifications.
> >
> >
> >> We all know that there are several other certifications, but
> >> CISSP brings, without doubt, the very best. Be it a security
> >> operations manager, a field operative or some other kind of
> >> consulting freak, a CISSP will always deliver.
> >
> > I still disagree, and to be honest, I have interviewed more CISSPs
> > that couldn't answer questions like "What does PKI stand for?",
> > "Give me an analogy of a buffer overflow.", "What is transparent
> > proxying and why is it important in some circumstances?". Come on,
> > certs are as good as the people who take them, I again disagree.
> >
> >
> >> My question for people out there, is this madness _that_
> >> necessary? Do we have a good reason for spending loads of budget
> >> on certification programs and wasting our companies' money in
> >> such investments?
> >
> > Yep, again it's a baseline, one for HR. The people to watch out for
> > are the ones who go the extra mile; someone who has a GCIH most
> > definitely doesn't make me giggle with glee, but someone who has a
> > GCIH Gold I look forward to meeting with, and I'd definitely love to
> > engage on their research topic. It's worth a company's time and
> > money to do it (a) employees are more loyal to companies that give
> > (b) you'd be amazed at how often you will apply things straight
> > from a certification.
> >
> >> Employees feel constrained since they might lose the
> >> certification after quitting their jobs, surfing towards another
> >> employer as intrusive and wasteful as the previous one, etc.
> >
> > Not sure how you would lose a certification if you left your job?
> > Once you write the exam, it's yours not your company's.
> >
> >> If certifications exist for ethical hackers, are we going to see
> >> certifications for unethical hackers anytime soon? What if the
> >> mob and shady underground organizations needed to certify that
> >> they are employing the very best of the federal prison's Module
> >> 5? Will a Certified Unethical Software Security Expert (CUSSE)
> >> certification ever exist? "My name is Lincoln Six Echo, Certified
> >> Information Insecurity Systems Professional".
> >
> > http://blog.wired.com/27bstroke6/2007/08/a-look-inside-a.html
> >
> > There ya go :) I bet one or two unscrupulous people are
> > "black-belts" :)
> >
> > In the end, certifications are good, but the reality is that they
> > are only good if you are looking for work, and you get what you put
> > into them. You want to get noticed in the security world? Build a
> > tool, join and help people on forums, help Sourcefire write
> > signatures (they need it), contact George Theall at Tenable and ask
> > if you can help write NASL plugins, help the OSVDB with mangling.
> > These are all things that will help round out a newcomer, and add
> > it to the list of things that can benefit you when it's time to go
> > job hunting. Now, if you _really_ want to get noticed, tackle the
> > tough problems, write books, and try to talk at Black Hat, etc.
> >
> > Coming from an unknown security guy, low profile, I am still in the
> > phase of doing all of these things. As such I have a Sec+ and a
> > GCIH (which I am wrapping up my research paper on), and I can
> > honestly say I do use some of it in my day-to-day. You don't see
> > these acronyms on my email signature but that's because I am not
> > looking for work :)
> >
> > JS
> >
> >
> >
> > _______________________________________________ Dailydave mailing
> > list Dailydavelists.immunitysec.com
> > http://lists.immunitysec.com/mailman/listinfo/dailydave
>

-- 
Thomas H. Ptacek // matasano security
read us on the web: http://www.matasano.com/log