un-excogitate.org
what was I thinking? (Christian Frichot’s ad-lib on security and what-not)

It’s been one of those weeks. You all know them, too much to do, not enough time. What compounded the week was it kicked off at 42°C which left me with one hell of a headache.

So Alex and Mike have posted a couple of blog entries on certifications. Starting with Alex on ISACA’s CRISC (posts 1 and 2) – he’s pretty clear on why he believes it’s a bad idea, slightly different to what my thoughts were the other day but definitely valid, I won’t do them justice summarising so just visit the posts.

Mike (now over at Securosis – ‘grats) expands on Alex’s posts and looks at info sec certifications in general starting with what would motivate people to acquire a certification, then slowly stripping away those motivations.

I also wanted to highlight another well rounded post from some other local boys. Whilst there have been lots of things posted about the secure way to social network, particularly in this highly connected Twitterised, Facebook life we live, I found this post on how you should look at your behaviour and practices on Facebook nice and succinct. Good work guys, we need more Perth people blogging on information security.


I’m surprised it took ISACA (or ISC^2 or maybe FAIR) this long to create an information risk certification. The first question that we asked when we saw this was “well what about all the other risk certifications, how is this different?” I immediately responded with how those other certifications or qualifications have been around for a long time, the disciplines they are based on are mature, whilst information risk on the other hand is still in its infancy. In addition, most of the existing certifications are based on financial risk.

Current tweets on the topic don’t appear positive, and until ISACA release some more information, or any information, I would tend to agree. Thinking about how such a certification may make an impact within my workplace my mind drew blanks. I mean will it make the people who perform risk assessments any better at it? Probably not. Will it increase their accuracy? I don’t think so. Would it make the people receiving the outputs of these risk assessments trust their output more? Probably not.

It wasn’t until I got home and started thinking about this post and re-reading the material before I realised that the certification appears more control based than risk based. (Emphasis placed by me)

The Certified in Risk and Information Systems Control™ certification (CRISC™, pronounced “see-risk”) is intended to recognize a wide range of professionals for their knowledge of enterprise risk and their ability to design, implement, monitor, and maintain IS controls to mitigate such risk.

I think this highlights some of the core issues with this certification. Knowledge of enterprise risk is something that is refined with time and experience. It’s a complex and almost completely people & process driven exercise. A certification will not help the people side of this exercise, you can’t get experience through a certification.

Therefore an IS risk certification’s strength relies on its ability to bolster the process not the person, but most of the current wordings appear to indicate that the certification is about designing, implementing, monitoring controls. This to me sounds like a mashup of a security architecture certification (SABSA perhaps?) and security operational certifications (with a splash of GIAC).

Regardless of all this, I think there will be a flurry of activity within the industry around April when ISACA open up the certification to the grandfathering program. I mean if you already do this in your job why not acquire this cert without having to sit an exam? We all have the experience, we’ve been doing risk assessments since we started to walk, followed swiftly by advising the business of why they shouldn’t do stupid thing X. If we can’t actually get more objective with our assessments, at least the certification will give the appearance of being more objective. Win win!


Well ‘10 has started off with a bang and already I’m trying to clear my head and set a vision for what I’d like to personally and professionally accomplish in the next 12 months. Looking back over what I was hoping to achieve in 2009 I can safely say that in the past 12 months within my info sec sphere of fun (mostly work – but also elsewhere such as the Perth OWASP Chapter) I’ve achieved what I’ve hoped to, primarily that of raising awareness of security issues, in particular those found due to issues within the software development lifecycle.

Personally 2010 will bring the following (this is not a wish list, this is a todo list):

  • Purchase a house (Ten and I got an offer accepted on the 30th of Dec so this is done and dusted – I can’t really explain how exciting this is, but it’s definitely the biggest thing to happen in my life and I’m so thrilled that Ten and I are doing this!)
  • Spend more time honing my music skills (This is drumming skills, not SingStar skills. I’m already excited with what’s happening in Grenade Baby Lemonade, what with our 3 track EP on the way. In addition I’m going to also get started on another project *wink*)
  • Cycle to work more

Professionally I’ll be focusing on working even more closely with development teams to truly embed security within the SDLC. This has already started with some fantastic engagements towards the tail of ‘09. The trick will be to not let up, not lose focus, to continue to make myself available to those who have queries and to package information that’s useful and not too bloated. It’s helpful that there is so much great information out there, including but certainly not exhaustively:

Here’s to 2010! Hope everyone else started it as well as I have!

Cheers!


Today we announced our involvement with the Perth AISA Tech day:

Hi all,

Christian and I will be presenting a workshop on behalf of OWASP at the
Perth AISA tech day on Friday the 4th of December.
More information on the tech day (including online registration) can be
found here:
http://eventarc.com/view/95/inagrual-aisa-perth-technical-security-day

OWASP members are able to attend our session (and the other sessions) for
free. However, if you want free lunch and post-event drinks, you’ll need
to be an AISA member.

Hope to see you there.

Regards,
David

I’m really excited to be participating in the workshop and I’m sure that for the price you’re paying ($0) you won’t get better value for a technical, hands-on web-security session. The hardest decision you’ll have to make is whether to attend the OWASP session or the Stratsec session (which focuses on building/designing secure web apps, whilst we’re focusing on assessing them). If only these were back to back as opposed to at the same time! Maybe next time this will be better.

If you have any questions jump on the Perth OWASP Mailing list or shoot me an email, twitter or leave a comment.


I have nothing to add to the great work that @irldexter and @wadeis have done here.

Read Drazen’s post now.


Just a tiny update to check that everyone had a fantastic Christmas and New Years break, and that everything is back to normal. I’ve done a little bit of housecleaning around here, changed to a new theme and removed my delicious links from the side bar. The truth is, since it’s become trivial to “Note in Reader”, there just isn’t any reason to use delicious any more.

The other thing that I’ve been finding myself use more and more each day is Twitter. I’ve been using the service since April last year and I still find myself using it. I’m limited in my use of the service during working hours, but I still find it a valuable tool to get a quick “feel” of the security industry and also it’s great at asking short questions to a very wide audience. You can twit me at @xntrik.

What’s coming up for Christian?
I’m organising a presentation for Perth’s AISA slash OWASP on security in the SDLC focusing on threat modelling. I’m hoping to provide an overview of a few methodologies being advertised by the industry for securing the SDLC, including MS’ SDL and OWASP’s own CLASP. The threat modelling section will probably focus on a more interactive session with the audience walking through a simple threat model scenario. The target audience I’m hoping for is developers, of course the room will probably be majority security folks. Ah well, hopefully they’ll be able to take the message back to their developers.

..hopefully.
