[ale] Security Licensing (wuz: a quick test of web site stupid)

Charles Shapiro hooterpincher at gmail.com
Sat Mar 9 11:42:16 EST 2013


No group of professionals meets except to conspire against the public at
large (Mark Twain)


On Fri, Mar 8, 2013 at 12:14 PM, Jim Kinney <jim.kinney at gmail.com> wrote:

> All very valid points.
>
> On Fri, Mar 8, 2013 at 11:50 AM, Leam Hall <leamhall at gmail.com> wrote:
>
>> On 03/08/2013 11:24 AM, Jim Kinney wrote:
>>
>>> Exactly. What this does do is require that public facing code that has
>>> the potential to cause harm is reviewed and approved by someone that
>>> society, working through bright people in the field, trusts will stamp
>>> that code as "best available methods at this time". There will still be
>>> loads of jobs for non-certified coders.
>>>
>>> We already have the Business A -> Business B process. It doesn't work
>>> very well.
>>>
>>
>> Business B has a lousy marketing department, then. There is a significant
>> need for security, and having CISSP, GIAC, or even Security+ people on
>> teams, IF YOU LISTEN TO THEM, helps loads. Being able to tout the reduced
>> code vulnerabilities from meeting X standard, and to note that you actively
>> recruit security talent, is leverage.
>>
>
> That's where a legal requirement will help this process. There are plenty
> of people who are bright and good enough to do this but the PHB doesn't
> listen because of PHB reasons.
>
>>
>> Damon's point about requiring certification raises a different issue.
>> Keep in mind that much of what we know is reinforced by daily usage and
>> decreases over time. If you get an RHCE it means you passed a rigorous
>> test. If you passed that test a decade ago, like me, you need to show that
>> you have kept current. And I don't mean paying for another certification,
>> but actively doing stuff in the field.
>>
>
> Just like other fields, that license is only valid with ongoing training
> credits. My vet has to go back to school every year to keep her practice
> certs valid. Her staff does not have to have practice certs. An RHCE on
> RHEL4 is nearly useless on RHEL6 (changed EVERYTHING on user security! and
> that doesn't account for selinux :-D )
>
>>
>> And doing new stuff, too. A lot has changed in the last decade and there
>> are lots of critical bits now that didn't exist then. That's what I love
>> about Linux; you can know everything today and tomorrow will bring
>> something new.
>>
>> The questions start to boil down to "What are the best practices that (a)
>> actually work and (b) can be implemented with reasonable budgets?" and "How
>> do we evaluate the ability to implement and inspect for them?"
>>
>> Would that be a reasonably fair set of questions?
>>
>
> This is good. Maybe it could be organized by criticality level based on
> breach outcome. Some things are already covered by various levels of
> computer security (some is bone-headed) from DoD. So different levels of
> engineering proficiency with different needs.
>
>>
>> Leam
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
>
>
> --
> James P. Kinney III
> Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his own
> tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> http://electjimkinney.org
> http://heretothereideas.blogspot.com/