Secure Coding mailing list archives

[SC-L] What defines an InfoSec Professional?


From: jgrembi at gmail.com (Jason Grembi)
Date: Sun, 11 Mar 2007 13:17:49 -0400

I'm not a CISSP person just because my clients haven't required it yet.
However, they are concerned with application security and restricting access
to those who are not authorized (in addition to XSS, SQL injection, and the
usual list of suspects). I call myself a 'secure developer' only because I
*think* I know how to code countermeasures and I am aware of the types of
attacks an application can go through.

I see the field of programming naturally adopting security techniques in
its code the same way quality techniques crept into our lives. Remember
when a person could code a few web screens and call himself a web developer
without ever once considering heap management, efficient SQL, and frameworks
that helped manage concurrent users? I see security and all its coding
techniques following the same path. Eventually, it will not only be
required but assumed by the clients. Those who can't adapt won't be hired.

I have actually started working security-related questions into our interview
process. If I hire a web developer and he/she has never heard of social
engineering, I move on to the next candidate.

Just my thoughts.
Jason Grembi

Lead Web Developer

