[Owasp-twincities] Discussion: Re: October meeting suggestion:CISSP items?

Ray Kaplan ray at rayk.com
Tue Oct 3 22:46:00 EDT 2006

Hi all

Bob suggested I repost my comments to the list. Accordingly, I figure 
that it is not a protocol breach to just post his reply over my 


Date: Tue, 03 Oct 2006 10:49:32 -0500
From: Robert Sullivan <msp.sullivan at gmail.com>
Subject: Re: [Owasp-twincities] October meeting suggestion:CISSP items?
To: Ray Kaplan <ray at RayK.COM>

Not babbling at all, I appreciate your investment of time.

I was hoping to use the list for discussion, with your points it's 
likely to draw in interested folks who are lurking.

If you re-post there I will re-reply like this:
- I can bring question writing guidelines (printed just now and posted)
- I have sent a tickler email to ISC(2) to see if there are any areas 
they want us to focus
- We may need to take a stand like...(feeling bold?)
- The OWASP materials are a de-facto standard, reliable and free.
- "For anyone to call themself a CISSP they should be able to recall 
and explain the OWASP top ten"
- If we don't want to focus on vulnerabilities (above) we could focus 
on attacks, technologies or process.

- For references we have the OWASP guide
- I've recently flipped through "Sun Core Security Patterns", "19 
Deadly Sins" and "Secure Code" that all cover these web security 
topics. I can bring those to use as references.

On 10/2/06, Ray Kaplan <<mailto:ray at rayk.com>ray at rayk.com> wrote:

Hi Bob

Am new to the group, so do not know if the list is for discussion, so
just responded to you.

I used to teach the CISSP prep class and have been hanging around
that community for a long time, though less in recent years...

I agree with that person, and your suggestion is excellent. I am sure
that the ISC(2) would welcome what we could do, and we get CPEs for
doing it.

I thought it useful to comment:

- Unless the person is commenting on questions that he saw on the
test, it may be that they are talking about the questions that you
see in these prep guides and sample tests. These things are not
necessarily the best guides.

- New questions have to be tested before they get put into the
question DB. 25 questions on each test are test questions. That is by
way of saying that it will be a while until the ones we did started
showing up on tests, and even longer before similar ones started
showing up in prep guides and sample question lists.

- As an ISC(2) prep seminar instructor, I was irritated with the
seminar material and apparent lack of currency of a lot of the sample
questions that were showing up in prep guides and sample question
lists. I got in deep trouble for criticizing the seminar material...
That aside, we always told students to be wary of the prep guides and
sample question lists. The thing that we always said about the
currency of questions is that the questions in the DB were
necessarily NOT current, as there is no way to keep them all "on the
edge" and there is a need to have a historical perspective. One
problem is the literature.  All questions have to have multiple
literature references. All questions have to be answerable by
"qualified candidates for certification" who supplement their
knowledge and experience with study, but is not expected to be an
expert in every domain. Therein lies the trick. What is reasonable to
expect a person with minimal experience and a bit of study to know?...

One thing, we should make sure that we have the question writing
guidelines from the ISC(2). I have not looked at them in a while.

Sorry to babble on...


At 2:28 PM -0500 10/1/06, Robert Sullivan wrote:
I'm putting an agenda together for a meeting 10/17.

A while back one persuasive fellow pointed out that the CISSP
questions in the Application Security domain were out of date and
didn't reflect current practice. That was especially true with
respect to Web Application Security.

Since it's easy to write and submit items for CISSP I think we should
take 30 min. at our next meeting to write some exam items relating to
web app security. I can bring the item submission guidelines other
could bring reference works to cite and we could work in groups.

Hey, for any of the open-source efforts to work we need to give back
and this seems like with our experience it would be simple and
produce excellent items.

What do you all think?
Bob Sullivan

More information about the Owasp-twincities mailing list