Tuesday, October 13, 2009

Which is Easier?

I am way behind on my security podcast listening and I just listened to an OWASP podcast that discussed Gunnar Peterson's post recommending the book Enterprise Application Architecture by Martin Fowler. A former manager who is now an enterprise architect thought it was a good book, but it was interesting to see it recommended by a security professional.

This raised the thought in my mind about whether it was easier for a developer to learn security or a security professional to learn development. I am definitely biased (since I come from a strong development background), but I think training a developer is easier. I have taught so many programming classes where people struggled with simple loops and conditional structures that I am convinced it takes a mindset to understand development.

I do have a hard time understanding how people can't understand it, since I took right to it, but I know not everyone finds it as straightforward as I did. It is like the struggles I had with chemistry lab in college. I did well, but I never could get the results within the "A" range (though I could ace the tests) no matter how much effort I put into it. Physical chemistry is not my strength. In the same way, some people struggle with understanding key programming concepts.

I did have some experience with system administration, including work on Mac, Windows and Unix, though I never worked as a sysadmin. Putting in your own ISDN line did take some technical chops, since it required so much manual configuration at the time, so perhaps I am not the "pure developer" I think.

Interesting question, though we probably need to focus on training developers on security regardless, since a lot more developers are out there. We don't have enough security people to go around to get really strong application security, if we can ever reach that goal as a society.

Brad

Friday, September 25, 2009

Independent Security Researcher

At the end of August I took a generous buyout package from my employer and I am now an independent security researcher, whatever that means. I am planning on focusing on development security, since that fits really well with my background, but I am also quite interested in compliance issues and I believe my PCI experience is worth using in the marketplace today.

I am not looking for anything specific now, enjoying a slightly longer break than I have had in some time, but I am now starting to dig into things. I plan on doing some work with OWASP in some manner, but let me know if you have an ideal opportunity.

I would love to get my PhD now, so also let me know if you know of a good place I could craft a unique program, learn some more, contribute and have fun. I am hoping to not relocate from the Dallas area anytime soon, but I am open to travel as needed.

Brad

CISM Passed

I took this test in June and I was not at all sure I passed. The questions are much less clear cut than I prefer, carrying a lot of thought underneath what is written. At least that is my opinion.

My CISM test reminded me of a Probability and Statistics test I took in college. I had gotten A grades in math through Differential Equations prior to that, so math was not the problem (for me). I was just having a harder time wrapping my mind around the concepts in the class, which went beyond basic "rolls of the die" probability. I came out of a 4 question test knowing I missed 2 questions and feeling I had only partially passed 1. I figured I failed my first math test. I ended up getting a B on the test, likely because everyone else struggled.

That is what my CISM felt like. I passed, even though it didn't feel like I would at the time. Lots of people knew I would do well, since passing tests is fairly easy for me, but I suspect it is my hatred of not doing excellently that threw me off. :)

Now I just need to get all the paperwork into them. I was waiting for confirmation of my degree, which I just got in a letter from my college. I will get that out soon and just have to wait for everything to process.

Brad

I Passed My GCIA Exam!

It took me much longer than it should have, but the wait was worthwhile! I still want to master the material more, but I scored a 94% on the test!

I am now studying for the G7799 and GSNA, which I got the books for almost 2 years ago. I think they should be up to date enough to pass the test and I want to get that wrapped up. Hopefully I can challenge the GSE-C next year, but that depends on whether it is offered or not. :)

Brad

Saturday, June 13, 2009

Took the CISM Today!

I took the CISM today. I almost had a "stupid tax" and would remind everyone to sign up for the CISA/CISM/CGEIT with your name exactly as it is on your government ID. I go by my middle name and that almost bit me for the test. Fortunately, I passed the ID check fine.

The test itself is a real pain. I primarily used the computer-based questions they sell. I was doing really well on those prior to the test, but the test has so many that are fairly different that it is dangerous to rely just on those.

In fact, I found many of the questions to be very vague and hard to nail down. My experience with the computer-based questions was that they sometimes leave clarifying words out, making for a fuzzy meaning at times. I learned which questions did this, but several on the real test seemed to repeat this pattern, making this a very frustrating experience.

This makes me uncertain whether I passed or not. I finished it in less than 2 hours, but I was uncertain about enough of them that I am not sure how well I did. I could see just going on either side of the pass and fail line or failing spectacularly based on my trouble with reading their intent with many of the questions.

In addition to the fuzziness, I found that I disagreed with some of the questions in the computer practice. I hope I had their mindset when I was taking the test today, but I am not sure.

Blech.

Brad

Saturday, June 6, 2009

I Helped Someone Earn Their GSEC Certification!

I was very excited to find out recently that one of the students in my SANS SEC 401 class passed the GSEC certification that is tied to the course! While I loved our interaction throughout the course, it is great to know that not only did we all learn something over the course of our time together, someone learned enough to earn a very challenging certification!

I won't announce their name here, but I would say an open congratulations and encourage everyone else to consider that same path. The course material is great by itself, but studying for the certification is a great way to solidify the material and also earn something to prove your knowledge at the same time!

Brad

SANS 401 - Security Essentials - Mentored Course in December 2009

While it is not completely official yet, I believe I will be doing another SANS Mentored class covering their Security Essentials material late in 2009 and early 2010. It is great material that covers things anyone working in the information security field should know.

Contact me if you live in the Dallas-Fort Worth area and would be interested in attending this course. Also let me know if you have a group that would be interested in a more custom approach. I would be open to doing a more targeted class once I am back on my own in the fall!

This stuff is fun and I love working with others to master it.

Brad