SANS is also taking a swipe at certifying developers. I am skeptical of these approaches. I wrote about this back in a darkreading column you can find here, entitled “Certifiable”:

http://www.darkreading.com/document.asp?doc_id=123606

When I get some time I will take a look at the CSSLP more closely.

gem

Addressing your response at #2…

Since ISC2 has just announced their new certification, Certified Secure Software Lifecycle Professional (CSSLP), and have been seeking out collaboration informally with OWASP, I think this is a particularly relevant topic. As my #1 software security guy, I want to hear from you what you think about it.

Sounds like an article to me

Cheers,
Stephen

Stephen

gem

Thanks for the kind words all.

As for the SC-L comment, I’m more than surprised you would feel that way. Most often, I’m accused of not being heavy-handed enough on the list, and giving people far too much leeway in straying from topic.

It’s true, I have stopped a couple of threads that strayed (IMHO) too far, but in every case, I did so by saying something like “let’s please let this thread die.” Even that was in no way an edict, and I always try to give people plenty of freedom to say what they please — so long as it stays within the published charter. (The primary rule there is civility; I will mercilessly crush flame wars and gladly be reprimanded for that.)

So, I’d certainly invite you and anyone else who may feel as you do to “come back” and feel free to post. If you feel you’ve been wronged, then bring it to my attention. I am always open minded and willing to hear your case. On that you have my personal guarantee.

Cheers,

Ken van Wyk

Thanks. It’s always enjoyable to chat with people as knowledgeable as Ken. I told him about your posting, so hopefully he can address the sc-l thing here.

There is a brief mention of the overfocus on Web apps in mh informIT article below. Perhaps I should write about that as a complete topic!

http://www.informit.com/articles/article.aspx?p=1237978

You can also find some discussion about that in “Software Security” http://www.swsec.com on pages 20-23.

For the record, we must focus some attention on securing Web apps…just not ALL of our attention.

gem

Another home run; great questions and answers, plus a dose of software security history is always a bonus. Great insight from him about monitoring at the application level.

A couple of comments:
- Ken said his SC-L list was stagnant. I subscribed to it not long ago and found he was too heavy-handed as a moderator (certainly he is not unique!!!), jumping in too quickly to declare a thread off-topic. So I stopped posting and reverted to lurking.

- Is there an article where you have expounded on your misgivings about focusing too much on Web application security? On one recent podcast you touched on it (after you went to Europe and spoke at an OWASP Conference) and you asked Mr. van Wyk a question about it (at 17m44s), so I know it’s bugging you a bit As he stated, and from my previous work on both thick client & web apps, session management is the main area absent from the former… I am genuinely interested in learning what your opinion and thoughts are on this.

Stephen