Sunday, May 10, 2009

CSSLP for Me!

I don't think I have mentioned it here yet: I qualified for the CSSLP, the new secure development cert from ISC2, the "makers" of the CISSP. (I still need to get going on that. Too many SANS certs have gotten in the way....)

Whether it is worthwhile may be questionable, but I figure it fits a significant part of what I am working on now (secure development) and is worth adding to my list.

Now I finally have to keep track of all the CPEs for ISSA and other such meetings!


Sunday, May 3, 2009

OWASP Source Code Flaws Top 10 Project

I have made my first contribution to OWASP! I tweaked the language for the OWASP Source Code Flaws Top 10 Project last week. I came across this while following the general OWASP Code Review email list and figured I could help make it read better. It feels a bit arrogant to say, "I know how to say it better," but I believe that is the way things work.

I haven't heard anything either way, but I am assuming it is OK. :)

Hopefully this is the start of a good trend!


A Security Career

I have been thinking more about the future career options I have. I don't want to move now, but I want to make sure I am ready for whatever I do want to go into in the future. It is a common problem in any field: once you get near the top, you have a harder time advancing further.

Some career paths are obvious. If you want to go into a specific security operations area, like network security or related things, you should probably focus on enhancing the skills that help you be better at whatever you are doing.

Unfortunately, I didn't come to security from the sysadmin route. I had over 20 years of software development (and general analysis) before I started full time in information security. This may be placing me really well for working in the growing area of application security, but even that has a lot of possible different focus areas.

I am also very interested in risk, compliance, policy and security awareness. While these all could relate to development security, they are not necessarily tied to that. Figuring out the route is my challenge now. I want to know everything, but I can only learn so many things.

This is not as refined as I would like, but I wanted to put out some thoughts to build on later. I plan on writing about this more and I have thought of working in this area with either the local ISSA chapter or OWASP.