Dailydave mailing list archives

Re: Information security certifications diversity and getting lost


From: Paul Wouters <paul () xelerance com>
Date: Mon, 10 Sep 2007 22:02:29 -0400 (EDT)

On Tue, 11 Sep 2007, nnp wrote:

> Sounds like yet another way for a vendor to make money off stupid
> people to be honest. I mean come on, a certificate saying you can
> write a stupid Windows 2000 overflow? Who cares? I mean really, who
> actually cares that you can do something that any donkey with an hour
> or so free time, a basic understanding of software architecture and a
> quick guide from one of several sites can do?

I agree, and I have that problem with the security community in general.

Exploits == Media == Attention == Money

Blackhat for instance, has drifted more and more to "give us a cool
exploit" instead of focussing on the larger picture. So do most other
"different from the other conferences" security conferences.

And on the other end, we are seeing overly complex super-management
3D representations of technical/policy/legal requirements, and virtual
pentesting software that misses the point completely about security.

For all its criticism, PCI-DSS is decent. It is a standard to try
and develop your security policies. It does not go overboard with
management-heavy stuff, and it does more than just asking someone
to run nmap/nessus/metasploit/autopwn. If security managers complied
with the PCI-DSS for all their servers, things would look much better.

CISSP is an okay general background, though it contains too much dated
cruft, is not up to date with the latest technologies, and is too US-centric.
And the exam is more an exercise in double negatives and mapping the OSI
model on TCP/IP and remembering obscure names for modern ciphers, than
a test of someone's security skills.

But as long as companies pay PWC and co $40k for a nessus scan, even
the rudimentary security of CISSP is not going to be applied on a
larger scale.

Paul
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave