WebApp Sec: RE: Notes from CISSP class with Dr. Eric Cole

RE: Notes from CISSP class with Dr. Eric Cole

From: Mark Roxberry <mroxberr_at_msn.com>
Date: Wed, 12 Oct 2005 14:29:46 -0400

"That customer now checks the background
and even tests CISSP before they are allowed to do any work."

"allowed to do any work" CISSP is not for techs, plain and simple. There
are those that use it to boost their image as a tech, but it's not tech.
It's like asking an MBA to be a retail clerk.

Personally, as a CISSP, I consult clients on Risk Analysis, Disaster
Recovery Planning and Business Continuity, and Legal / Investigative
(Forensic Analysis). I farm out tech work to many different companies
(IDS/IPS providers, Physical security providers). Like finding a
specialist. Does that make me unqualified as a pen-tester with 5 letters
after my name? Sure. So what? You can get an MD in Guatemala or order
your JD online. Just a bunch of letters. One thing that my experience as a
CISSP has taught me, of all fields, DUE DILIGENCE is mandatory. The
anecdotes provided only show that companies hiring people are not performing
due diligence. They're even more guilty than the fraud they hired.

Mark Roxberry, CISSP

> -----Original Message-----
> From: kgp_at_nethere.com [mailto:kgp_at_nethere.com]
> Sent: Wednesday, October 12, 2005 12:24 PM
> To: Saqib Ali
> Cc: intel96; PPowenski_at_oag.com; dreamwvr_at_dreamwvr.com;
> webappsec_at_securityfocus.com
> Subject: Re: Notes from CISSP class with Dr. Eric Cole
>
> I'm glad this was stated.
>
> I was going to say something similar but Saqib said it more eloquently.
> I will reinforce the statement.
> An SSCP should be able to perform some technical skills (this hasn't
> caught on however). A CISSP is a managerial qualification. Lee Iacocca
> better know damn well how to manage car manufacturing, risks,
> architecture, and appropriate laws. But it would be a mistake to think
> he could go operate the machinery. I'd even go so far as to say he may
> know a great deal about the machinery (mean time to failure, load
> capacities, etc) but he wouldn't know what knobs to turn or buttons to
> push.
>
> Nothing in the CISSP focuses on anything very technical. Why would we
> expect a CISSP to do things we didn't test them on?
>
> Kevin
>
> Quoting Saqib Ali <docbook.xml_at_gmail.com>:
>
> > > The second case involved a pentest where a CISSP had conducted a
> > > project for a web portal. The CISSP told the customer the portal was
> > > secure, but the customer had concerns about the quality of the work
> > > performed. Again I was called in to check the other CISSP's work and I
> > > was able to gain root access in 6 hours. That customer now checks the
> > > background and even tests CISSP before they are allowed to do any work.
> >
> > It is not the job of a CISSP to tell if an application is secure (hack
> > proof) or not. It is like asking a District Attorney to perform Police
> > Detective work. It doesn't work like that. You need a different
> > skillset to perform detective work.
> > --
> > In Peace,
> > Saqib Ali
> > http://www.xml-dev.com/blog/
> > Consensus is good, but informed dictatorship is better.
> >
> >
>
>
Received on Oct 12 2005
