[ale] Security Licensing (wuz: a quick test of web site stupid)
Jim Kinney
jim.kinney at gmail.com
Fri Mar 8 12:14:21 EST 2013
All very valid points.
On Fri, Mar 8, 2013 at 11:50 AM, Leam Hall <leamhall at gmail.com> wrote:
> On 03/08/2013 11:24 AM, Jim Kinney wrote:
>
>> Exactly. What this does do is require that public facing code that has
>> the potential to cause harm is reviewed and approved by someone that
>> society, working through bright people in the field, trusts will stamp
>> that code as "best available methods at this time". There will still be
>> loads of jobs for non-certified coders.
>>
>> We already have the Business A -> Business B process. It doesn't work
>> very well.
>>
>
> Business B has a lousy marketing department then. There is a significant
> need for security and to have CISSP, GIAC, or even Security+ people on
> teams, IF YOU LISTEN TO THEM, helps loads. You can tout the reduced code
> vulnerabilities from meeting X standard and note that you actively recruit
> security talent is leverage.
>
That's where a legal requirement will help this process. There are plenty
of people who are bright and good enough to do this but the PHB doesn't
listen because of PHB reasons.
>
> Damon's point about requiring certification raises a different issue. Keep
> in mind that much of what we know is reinforced by daily usage and
> decreases over time. If you get an RHCE it means you passed a rigorous
> test. If you passed that test a decade ago, like me, you need to show that
> you have kept current. And I don't mean paying for another certification,
> but actively doing stuff in the field.
>
Just like other fields, that license is only valid with ongoing training
credits. My vet has to go back to school every year to keep her practice
certs valid. Her staff does not have to have practice certs. A RHCE on
RHEL4 is nearly useless on RHEL6 (changed EVERYTHING on user security! and
that doesn't account for selinux :-D )
>
> And doing new stuff, too. A lot has changed in the last decade and there
> are lots of critical bits now that didn't exist then. That's what I love
> about Linux; you can know everything today and tomorrow will bring
> something new.
>
> The questions start to boil down to "What are the best practices that (a)
> actually work and (b) can be implemented with reasonable budgets?" and "How
> do we evaluate the ability to implement and inspect for them?"
>
> Would that be a reasonably fair set of questions?
>
This is good. Maybe is could be organized by criticality level based on
breach outcome. Some things are already covered by various levels of
computer security (some is bone-headed) from DoD. So different levels of
engineering proficiency with different needs.
>
> Leam
>
> ______________________________**_________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/**listinfo/ale<http://mail.ale.org/mailman/listinfo/ale>
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/**listinfo<http://mail.ale.org/mailman/listinfo>
>
--
--
James P. Kinney III
*
*Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
*
http://electjimkinney.org
http://heretothereideas.blogspot.com/
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130308/db9e8f50/attachment.html>
More information about the Ale
mailing list