[ale] Security Licensing (wuz: a quick test of web site stupid)
Leam Hall
leamhall at gmail.com
Fri Mar 8 11:50:28 EST 2013

On 03/08/2013 11:24 AM, Jim Kinney wrote:
> Exactly. What this does do is require that public facing code that has
> the potential to cause harm is reviewed and approved by someone that
> society, working through bright people in the field, trusts will stamp
> that code as "best available methods at this time". There will still be
> loads of jobs for non-certified coders.
>
> We already have the Business A -> Business B process. It doesn't work
> very well.

Business B has a lousy marketing department then. There is a significant
need for security, and having CISSP, GIAC, or even Security+ people on
teams, IF YOU LISTEN TO THEM, helps loads. You can tout the reduced code
vulnerabilities from meeting X standard, and noting that you actively
recruit security talent is leverage.

Damon's point about requiring certification raises a different issue.
Keep in mind that much of what we know is reinforced by daily usage and
decreases over time. If you get an RHCE it means you passed a rigorous
test. If you passed that test a decade ago, like me, you need to show
that you have kept current. And I don't mean paying for another
certification, but actively doing stuff in the field.

And doing new stuff, too. A lot has changed in the last decade and there
are lots of critical bits now that didn't exist then. That's what I love
about Linux; you can know everything today and tomorrow will bring
something new.

The questions start to boil down to "What are the best practices that
(a) actually work and (b) can be implemented with reasonable budgets?"
and "How do we evaluate the ability to implement and inspect for them?"
Would that be a reasonably fair set of questions?

Leam