[Owasp-cert] Deadlines for August

J. Oquendo sil at infiltrated.net
Wed Jul 30 16:24:55 EDT 2008

(comments inlined)

On Tue, 29 Jul 2008, Gary Palmer wrote:

> #1) For the CISSP I had to complete a paper form that was provided as part
> of the test.  I had to complete that form within the time allotted and turn
> it in to the reviewer.  It was reviewed independently and outside the test
> room and I was not informed of the results.  For the SANS online testing, it
> was structured to present one question at a time with the answer options.

Brief true story - although it must be taken with a grain of salt since I
cannot mention names. When it comes to "hacker scene" security, I guess some
can say I go way back, pre-2k, early to mid '90s; I guess one can associate
some form of seeing me around in some capacity or another, BBSs, etc. I come
from the school of "better make sure I take care of this before someone takes
control of my servers." Anyhow, I know a lot of people who were "on the scene"
and I recall the one story I was given while sitting in an airport.

So this friend - I trust him dearly and I look at all with the highest skepticism.
Anyhow, this friend was working at one of the top auditing firms; he landed there
because the security industry at the time (circa 1997-2000) was really
non-existent. You had NFR, Baltimore, a couple of other players, but it was
mainly a "hardware" state of mind. @Stake was probably the first "visual"
group to come out of the hacker closet, I guess. Anyhow, so this friend, because
of the media's take on "hackers" and because the security industry then was a lot
smaller, fumbled his way into a lucrative position. He was in charge of
creating "the ultimate security team" and he did. A group of IRC friends (not
kidding) he chose and was given the approval to bring them on.

The auditing company, in order to keep I guess a "shirt and tie" appearance,
needed their guys certified; they needed people with qualifications, not
some IRC guy with technical skills. So what was the solution... According
to the person I know, they hired people to memorize the test and recreate
portions of it so their guys could pass. Again, to be taken with a grain of
salt... I won't mention the certification because it's irrelevant; what IS
relevant, though, is that content for the exam shouldn't be something that would
be trivial and/or incomplete.

What good would any exam be if someone could skate through guessing, if by
deductive reasoning (removing the obviously insane answers) it can be
done? Just my thought, and I sit around painstakingly trying to think of
a mechanism to be fair and sort out the pros and joes. SANS's approach of
writing was once upon a time a nice idea, but I can't tell you how much
I no longer read those pages. In the past few years it seems as if there
will be perhaps a new cert factory. I can't tell you how many papers in
the last month I read out of boredom and have seen gaping holes in
terms of missed*conceptions.

I wish I were expert enough, and I can't possibly see anyone who could
be a de facto expert all-inclusively; it's a learning process, hence what
good would a proctored exam do outside of making sure Joe isn't peeking
over John's shoulder? Also, what good would it do to have a thesis-like
paper as extra credit when somewhere, someone along the line would have to
read it and rate it? What happens when, say, the following occurs: "I, being
almost wholeheartedly Unix-headed, am given a thesis on, say, 'Faults on
.Net System.Security.Permissions.ReflectionPermission'"? 1) I cannot be
fair about it, so it boils down to sorting out who is actually going to
read these papers; 2) what incentive is there, really? While I do come
across a lot of well-written papers on security, I also find that many
lack real-world punch, tend to be filled with fluff, and/or are based on
outdated information.

"Formulas for Creating A Secure Application over AmigaOS" - what will
you say? "Sorry candidate, we unfortunately cannot rate your paper.."

> #3) I agree with open and public processes.  SANS posts the papers for all
> to see and that has become an excellent resource for many professionals.  I
> think there are some who do not want to publish junk because everyone else
> can see it-- hit them in their pride!  And maybe that is how to distinguish
> the highest level of certification: publish a paper on the OWASP site which
> advances or simplifies some area of content.  Have strict guidelines for
> form and content and reference.  As long as "someone votes" it is
> subjective.  If there is a nay vote, then maybe a need exists to justify why
> it was rejected so others could argue or agree.
> I hate the secret approach; the most objective way to do that is by
> questions with explicit answers, no essays.  Multiple choice, matching,
> timeline event sequencing, true/false, etc.

I'm torn here, open or closed. I'm all for transparency, but I'm also more
for accountability nowadays. What good is transparency when 1) no one is
even looking, 2) those that are looking often (note the word often, not
always) have no idea of what they're looking at? Even in a closed environment
transparency can be achieved, e.g. Survivor-style voting - random selections,
multiple selections.

Closed is sometimes a better option. Just an opinion, but I can see why, say,
Dan Kaminsky chose to stay semi-silent - outside of politics - when it came
to his DNS information, and I can side with those stating "you should have
been up front"... Tough choice, and honestly there is no right or wrong
choice here: if you leave it open, the greater the possibility of exposure
of content; if you keep it "close-knit" closed, then it defeats the core
concept of the word Open in OWASP from my eyes.

As for certs, I just like studying and learning, to be honest. If I were
a millionaire, I would still study for the rest of my life, and it would
still have to do with information security, TSCM security, or some form
of security; I find the profession/practice of any realm intriguing and
challenging. Now if it could only give me back some hours of sleep I missed
over the past few years, I'd like it even more.

J. Oquendo
SGFA #579 (FW+VPN v4.1) SGFE #574 (FW+VPN v4.1)

"Experience hath shewn, that even under the best
forms (of government) those entrusted with power
have, in time, and by slow operations, perverted
it into tyranny." Thomas Jefferson

wget -qO - www.infiltrated.net/sig|perl
