[Owasp-phoenix] Meeting Tonight?

Skyler.Bingham at londen-insurance.com
Thu May 7 19:33:57 EDT 2009

> I have not taken the GIAC exams, but I have seen the SANS training
> that goes along with them. Would it be presumptuous to think that the
> exam content is based on the training?
> BTW, I'm speaking for Java, C, and .NET (all three).

I can't speak for the .NET GSSP exam, but the Java and C exams were
definitely developed (or were being developed) before the courses were
written (I was involved in the early stages of development of the Java and
C exams).  So, unlike most (all?) other SANS certifications, these exams
were developed before the courses.  I was told that I would not be able to
teach the class because I had worked on the exam, but at the time, no
course existed.  This was around the time that SANS was beginning to get
their certifications ANSI accredited, and this was one of ANSI's
requirements (presumably, to prevent instructors from teaching to the
exam).  That being said, I have not taken the courses or the exams, so I
cannot comment on the final quality of either.

Also, I don't think it is necessary (or possible) to include every emerging
technology in these courses/exams.  As we all know, the field of software
development is changing constantly, but the secure coding fundamentals, for
the most part, remain the same.  Sure, there are special security
considerations for different languages and technologies, but if you focus
on secure coding fundamentals, then developers _should_ be able to apply
those skills to any new technology and find secure ways of implementing
them.  I don't think the problem with software today is that developers
don't know how to use new technology A or new framework B securely, but
that they don't know how to code securely in the first place.  If they are
taught how to code securely, they should be able to code securely using any
new technology/framework/development paradigm as well.

Skyler Bingham

