WebApp Sec
mailing list archives
Re: Re: Notes from CISSP class with Dr. Eric Cole
From: f_kenisky () earthlink net
Date: 12 Oct 2005 15:15:22 -0000
Your observations are right on target. No one argues the accuracy of your personal experiences. And no one person
can know it all. And personally the six hour pen test thing is pretty cool but I think I got you beat.
During a vulnerability analysis (before I was certified) I was auditing a hospital. The CIO there (who also wasn't
certified or had any real technical experience but was very political) watched as I demonstrated how I could steal all
the passwords in his hospital and the region with two (2) mouse clicks.
Yes jaws dropped and guess what, I was indicted by a Federal Grand Jury for what, doing my job? By people who had about
as much experience in a field as a war smurf.
Yes there are those who become certified because they can pass tests better than others. This will always be the case.
Before I sat for my CPA exam I knew CPAs who had about as much common sense as a turkey drowning in the rain. As
long as those people exist they will also eliminate themselves.
Hey, I work around sys admins with years of "technical" experience who insist that telnet and ftp are not vulnerable
because their systems are behind a firewall. We have 'experienced' IDS vendors who slam our boxes with the latest and
greatest ISS signatures with default configs for all the latest and greatest exploits from MS to Solaris.
Talk about false positives!
So good for you, get certified and add to the ranks of what this certification should be; help make the test more
difficult by contributing to the exam preparation. Don't be the sour puss because you can't pass. Don't glory in
stumbling across the few who can pass but don't have your technical knowledge.