[prev in list] [next in list] [prev in thread] [next in thread]
List: websecurity
Subject: Fwd: [WEB SECURITY] Web app security certifications and course
From: nagiosnagios nagios <nagios.nagiosnagios () gmail ! com>
Date: 2011-01-10 13:28:59
Message-ID: AANLkTim4pGR6m5YLY4HtULOw8MJFkrAXWmhEN-+9uXN1 () mail ! gmail ! com
[Download RAW message or body]
Thank you all for the feedback, you can't imagine how helpful it is for me
since I am starting now.
Unfortunately I don't have any development experience, I always had the
doubt that I could make it in the web app security field without this
knowledge. I've worked with a lot of people in the IT security field, and I
CAN single out those who come from coding/development background. They are
always stronger.
If this is what it take to excel in this field so be it. Maybe I'll start
"reading" code.
If you have any further advice I'll be happy to know.
Thanks all,
Josh
-----Original Message-----
From: arian.evans@gmail.com [mailto:arian.evans@gmail.com] On Behalf Of
Arian J. Evans
Sent: Wednesday, January 05, 2011 11:08 PM
To: nagiosnagios nagios; websecurity@webappsec.org
Subject: Re: [WEB SECURITY] Web app security certifications and course
Perhaps I failed to stress the value of programming experience enough,
but I fully agree with Tasos.
Also - Jim Manico corrected me on one point below. When I referred to
Java Sandbox privs, I should have said:
If the university appsec program's material is *primarily* focused
around "principle of least privilege", java security sandbox
privileges, or some other (even worse) old-school La Padula-like
complex privilege model - walk away, unless you plan to work for a
classified government security agency. That stuff is tertiary at best,
not how the real world works, and if that is the focus of the courses
(as has been the case in several programs I have looked at) walk away.
The current Java Security Manager provides low level defenses against
specific threats. That is above my rank in JavaLand and I refer to Jim
Manico of OWASP Podcast and ESAPI fame for further details.
Best,
---
Arian Evans
On Wed, Jan 5, 2011 at 12:19 PM, Tasos Laskos <tasos.laskos@gmail.com>
wrote:
> Hi Josh,
>
> Arian's reply covered pretty much all the basis, as usual, however I
> feel the need to stress one aspect of his reply even more.
>
> I hope that I don't offend anyone but in order to have a solid grasp on
> any IT Security field you will need to have a development background on
> that particular field.
>
> In this case it would be web development.
> You need to understand how something works in order to assess if it's
> working properly or not.
>
> Also, as Arian suggested, try writing a security related utility, it'll
> be an invaluable experience.
> If you don't have the time you can just look into existing software to
> get an idea of how they work.
> For example: Skipfish, w3af, my own <advertisement censored>, etc...
>
> I realize that I've gone way off-topic and my reply may put you off if
> you don't already have a dev background but the truth is that no course
> will take you through all that.
>
>
> I personally am in a quite respected and highly regarded MSc IT security
> program and hand on heart the teaching material doesn't even come close
> to the knowledge you gain from dev experience and independent research.
> (Which is something that the people who run the program have realized
> and have allocated half the course's time for the post-grad project.)
>
> Don't get me wrong, a good course can be a very good starting point but
> it's mostly that.
>
> Finally, if you've already gone through all of the above and you just
> need a cert to show to managers/HR then pardon me for wasting your time.
>
> Cheers,
> Tasos.
>
> On Tue, 2011-01-04 at 18:57 -0800, Arian J. Evans wrote:
>> Hello Josh. Good question. Unfortunately for you - not a lot of good
>> resources on the web to find out where to start. However, there are
>> many free resources to learn.
>>
>> University programs are cropping up all over with Web App Security
>> coursework. Some are hopelessly out of touch with the real world, but
>> an increasing number are solid. If they try to teach you about the
>> Java security sandbox permissions, or mention LaPadula, move on. They
>> are wasting your time.
>>
>> In California - Berkley has a solid program. Stanford and UC Santa
>> Cruz have produced some very bright students/projects in this area, so
>> I imagine they have something going on there. I went up to check out
>> Stanford's program once, but the professors were talking theoretical,
>> inaccurate blather so I had to leave. Berkley seemed more
>> reality-grounded. In fact, this may be the only thing reality-grounded
>> in Berkley, CA.
>>
>> There are some other "normal" aka affordable state colleges with
>> programs too. Let me ask around at work and I'll get back to you if I
>> get some more names.
>>
>> However - you don't need a university program if you can self-educate,
>> and you can read and write code. (if not, start there)
>>
>> Read webappsec.org, owasp. org, and purchase The Web Application
>> Hacker's Handbook. Daf and Marcus still have the best book out on
>> testing web apps:
>>
>>
http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/04701=
70778/
>>
>> There is enough material on those two websites and in the above book
>> to learn your "masters" in webpapsec.
>>
>> Another effective method of learning is to volunteer to be the
>> security patch person for an open-source project. Help them find and
>> fix their security holes.
>>
>> As for certs....I haven't seen a certification with any value in this
>> area yet. I find that training and certifications that are not
>> created/performed by developers tend to have little value. So,
>> research who made them before taking one.
>>
>> The ISC CSSLP material, for example, does not look like it was created
>> from a development background or based upon real-world experience. Put
>> bluntly their mantra "=93Security Transcends Technology=94 is as vapid a=
s
>> the material. For example - some of it treats security as a Feature.
>> Some security items may be features, but treating security overall as
>> a feature usually leads to failure. Security is a property measured by
>> outcomes: It is an emergent behavior of your running software. So no,
>> I would not recommend the ISC2 stuff.
>>
>> The SANS secure coding course and material should be solid. Frank Kim,
>> who runs the SANS secure coding program, is very smart and also a
>> developer. However, I have not seen any of the SANS course material
>> for any of their webappsec classes. So, I can only guess at the
>> quality.
>>
>> While I am a big fan of SANS training - personally, I don't think much
>> of certs. I've never found them useful in hiring, and I find that the
>> majority of folks with longs strings of them after their names aren't
>> very capable or competent. But, many large corporations have HR
>> departments that use them for filtering resumes. So, if you get 800
>> resumes for a position, certs have some value in playing Resume Pile
>> Survivor.
>>
>> --
>>
>> This is an exciting time to get into the field, Josh.
>>
>> Not many people in the world have figured out how to effectively
>> secure web applications, let alone the SDLC. There are people that
>> claim to know how to secure the SDLC, and even write books on secure
>> applications. However, if we judge the results by the outcomes of
>> software that goes through these "expert security processes" - the
>> outcomes still aren't very good. Most web software released is
>> consistently vulnerable, exploitable, and has new vulnerabilities over
>> time.
>>
>> So - we are all still learning. And there are huge opportunities for
>> improvement.
>>
>> Great time to dig in and join the effort. I would grab some books,
>> start reading, and write some secure code, or write a webappsec tool
>> like some on this list have done. Search this list for Tasos' posts
>> this year for example. If you do that - you'll do fine. Unless you
>> really need to spend your money on a Masters Degree,
>>
>> ---
>> Arian Evans
>> Somewhat of a Software Security Sophist
>>
>>
>>
>> On Sun, Jan 2, 2011 at 12:42 PM, <jacorream@gmail.com> wrote:
>> > I recomend the (ISC)2's Certified Secure Software Lifecycle
Professional
>> > (CSSLP), it's a great option.
>> >
>> > Enviado desde mi BlackBerry de Movistar
>> >
>> > ________________________________
>> > From: nagiosnagios nagios <nagios.nagiosnagios@gmail.com>
>> > Date: Sun, 2 Jan 2011 12:01:32 +0200
>> > To: <websecurity@webappsec.org>
>> > Subject: [WEB SECURITY] Web app security certifications and course
>> > Hi list,
>> > Please share with me your professional advice. Am looking for a
>> > course/certification or MA degree in web application security. What ar=
e
the
>> > best options out there?
>> > Thank you all
>> > Josh
>>
>>
---------------------------------------------------------------------------=
-
>> Join us on IRC: irc.freenode.net #webappsec
>>
>> Have a question? Search The Web Security Mailing List Archives:
>> http://www.webappsec.org/lists/websecurity/archive/
>>
>> Subscribe via RSS:
>> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>>
>> To unsubscribe email websecurity-unsubscribe@webappsec.org and reply to
>> the confirmation email
>>
>> Join WASC on LinkedIn
>> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>>
>> WASC on Twitter
>> http://twitter.com/wascupdates
>>
>
>
>
>
---------------------------------------------------------------------------=
-
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> To unsubscribe email websecurity-unsubscribe@webappsec.org and reply to
> the confirmation email
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
>
---------------------------------------------------------------------------=
-
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
To unsubscribe email websecurity-unsubscribe@webappsec.org and reply to
the confirmation email
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter
http://twitter.com/wascupdates
[Attachment #3 (text/html)]
<div class="gmail_quote">Thank you all for the feedback, you can't imagine how \
helpful it is for me since I am starting now.<br> <br>
Unfortunately I don't have any development experience, I always had the doubt \
that I could make it in the web app security field without this knowledge. I've \
worked with a lot of people in the IT security field, and I CAN single out those who \
come from coding/development background. They are always stronger.<br>
<br>
If this is what it take to excel in this field so be it. Maybe I'll start \
"reading" code.<br> <br>
If you have any further advice I'll be happy to know.<br>
<br>
Thanks all,<br>
Josh<br>
<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:arian.evans@gmail.com">arian.evans@gmail.com</a> [mailto:<a \
href="mailto:arian.evans@gmail.com">arian.evans@gmail.com</a>] On Behalf Of Arian J. \
Evans<br>
Sent: Wednesday, January 05, 2011 11:08 PM<br>
To: nagiosnagios nagios; <a \
href="mailto:websecurity@webappsec.org">websecurity@webappsec.org</a><br>
Subject: Re: [WEB SECURITY] Web app security certifications and course<br>
<br>
Perhaps I failed to stress the value of programming experience enough,<br>
but I fully agree with Tasos.<br>
<br>
Also - Jim Manico corrected me on one point below. When I referred to<br>
Java Sandbox privs, I should have said:<br>
<br>
If the university appsec program's material is *primarily* focused<br>
around "principle of least privilege", java security sandbox<br>
privileges, or some other (even worse) old-school La Padula-like<br>
complex privilege model - walk away, unless you plan to work for a<br>
classified government security agency. That stuff is tertiary at best,<br>
not how the real world works, and if that is the focus of the courses<br>
(as has been the case in several programs I have looked at) walk away.<br>
<br>
The current Java Security Manager provides low level defenses against<br>
specific threats. That is above my rank in JavaLand and I refer to Jim<br>
Manico of OWASP Podcast and ESAPI fame for further details.<br>
<br>
Best,<br>
<br>
---<br>
Arian Evans<br>
<br>
<br>
<br>
On Wed, Jan 5, 2011 at 12:19 PM, Tasos Laskos <<a \
href="mailto:tasos.laskos@gmail.com">tasos.laskos@gmail.com</a>> wrote:<br> > \
Hi Josh,<br> ><br>
> Arian's reply covered pretty much all the basis, as usual, however I<br>
> feel the need to stress one aspect of his reply even more.<br>
><br>
> I hope that I don't offend anyone but in order to have a solid grasp on<br>
> any IT Security field you will need to have a development background on<br>
> that particular field.<br>
><br>
> In this case it would be web development.<br>
> You need to understand how something works in order to assess if it's<br>
> working properly or not.<br>
><br>
> Also, as Arian suggested, try writing a security related utility, it'll<br>
> be an invaluable experience.<br>
> If you don't have the time you can just look into existing software to<br>
> get an idea of how they work.<br>
> For example: Skipfish, w3af, my own <advertisement censored>, etc...<br>
><br>
> I realize that I've gone way off-topic and my reply may put you off if<br>
> you don't already have a dev background but the truth is that no course<br>
> will take you through all that.<br>
><br>
><br>
> I personally am in a quite respected and highly regarded MSc IT security<br>
> program and hand on heart the teaching material doesn't even come close<br>
> to the knowledge you gain from dev experience and independent research.<br>
> (Which is something that the people who run the program have realized<br>
> and have allocated half the course's time for the post-grad project.)<br>
><br>
> Don't get me wrong, a good course can be a very good starting point but<br>
> it's mostly that.<br>
><br>
> Finally, if you've already gone through all of the above and you just<br>
> need a cert to show to managers/HR then pardon me for wasting your time.<br>
><br>
> Cheers,<br>
> Tasos.<br>
><br>
> On Tue, 2011-01-04 at 18:57 -0800, Arian J. Evans wrote:<br>
>> Hello Josh. Good question. Unfortunately for you - not a lot of good<br>
>> resources on the web to find out where to start. However, there are<br>
>> many free resources to learn.<br>
>><br>
>> University programs are cropping up all over with Web App Security<br>
>> coursework. Some are hopelessly out of touch with the real world, but<br>
>> an increasing number are solid. If they try to teach you about the<br>
>> Java security sandbox permissions, or mention LaPadula, move on. They<br>
>> are wasting your time.<br>
>><br>
>> In California - Berkley has a solid program. Stanford and UC Santa<br>
>> Cruz have produced some very bright students/projects in this area, so<br>
>> I imagine they have something going on there. I went up to check out<br>
>> Stanford's program once, but the professors were talking \
theoretical,<br> >> inaccurate blather so I had to leave. Berkley seemed \
more<br> >> reality-grounded. In fact, this may be the only thing \
reality-grounded<br> >> in Berkley, CA.<br>
>><br>
>> There are some other "normal" aka affordable state colleges \
with<br> >> programs too. Let me ask around at work and I'll get back to \
you if I<br> >> get some more names.<br>
>><br>
>> However - you don't need a university program if you can \
self-educate,<br> >> and you can read and write code. (if not, start there)<br>
>><br>
>> Read <a href="http://webappsec.org" target="_blank">webappsec.org</a>, \
owasp. org, and purchase The Web Application<br> >> Hacker's Handbook. Daf \
and Marcus still have the best book out on<br> >> testing web apps:<br>
>><br>
>> <a href="http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/" \
target="_blank">http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/</a><br>
>><br>
>> There is enough material on those two websites and in the above book<br>
>> to learn your "masters" in webpapsec.<br>
>><br>
>> Another effective method of learning is to volunteer to be the<br>
>> security patch person for an open-source project. Help them find and<br>
>> fix their security holes.<br>
>><br>
>> As for certs....I haven't seen a certification with any value in \
this<br> >> area yet. I find that training and certifications that are not<br>
>> created/performed by developers tend to have little value. So,<br>
>> research who made them before taking one.<br>
>><br>
>> The ISC CSSLP material, for example, does not look like it was created<br>
>> from a development background or based upon real-world experience. Put<br>
>> bluntly their mantra "“Security Transcends Technology” is as vapid \
as<br> >> the material. For example - some of it treats security as a \
Feature.<br> >> Some security items may be features, but treating security \
overall as<br> >> a feature usually leads to failure. Security is a property \
measured by<br> >> outcomes: It is an emergent behavior of your running \
software. So no,<br> >> I would not recommend the ISC2 stuff.<br>
>><br>
>> The SANS secure coding course and material should be solid. Frank Kim,<br>
>> who runs the SANS secure coding program, is very smart and also a<br>
>> developer. However, I have not seen any of the SANS course material<br>
>> for any of their webappsec classes. So, I can only guess at the<br>
>> quality.<br>
>><br>
>> While I am a big fan of SANS training - personally, I don't think \
much<br> >> of certs. I've never found them useful in hiring, and I find \
that the<br> >> majority of folks with longs strings of them after their names \
aren't<br> >> very capable or competent. But, many large corporations have \
HR<br> >> departments that use them for filtering resumes. So, if you get \
800<br> >> resumes for a position, certs have some value in playing Resume \
Pile<br> >> Survivor.<br>
>><br>
>> --<br>
>><br>
>> This is an exciting time to get into the field, Josh.<br>
>><br>
>> Not many people in the world have figured out how to effectively<br>
>> secure web applications, let alone the SDLC. There are people that<br>
>> claim to know how to secure the SDLC, and even write books on secure<br>
>> applications. However, if we judge the results by the outcomes of<br>
>> software that goes through these "expert security processes" - \
the<br> >> outcomes still aren't very good. Most web software released \
is<br> >> consistently vulnerable, exploitable, and has new vulnerabilities \
over<br> >> time.<br>
>><br>
>> So - we are all still learning. And there are huge opportunities for<br>
>> improvement.<br>
>><br>
>> Great time to dig in and join the effort. I would grab some books,<br>
>> start reading, and write some secure code, or write a webappsec tool<br>
>> like some on this list have done. Search this list for Tasos' posts<br>
>> this year for example. If you do that - you'll do fine. Unless you<br>
>> really need to spend your money on a Masters Degree,<br>
>><br>
>> ---<br>
>> Arian Evans<br>
>> Somewhat of a Software Security Sophist<br>
>><br>
>><br>
>><br>
>> On Sun, Jan 2, 2011 at 12:42 PM, <<a \
href="mailto:jacorream@gmail.com">jacorream@gmail.com</a>> wrote:<br> >> \
> I recomend the (ISC)2's Certified Secure Software Lifecycle Professional<br> \
>> > (CSSLP), it's a great option.<br> >> ><br>
>> > Enviado desde mi BlackBerry de Movistar<br>
>> ><br>
>> > ________________________________<br>
>> > From: nagiosnagios nagios <<a \
href="mailto:nagios.nagiosnagios@gmail.com">nagios.nagiosnagios@gmail.com</a>><br> \
>> > Date: Sun, 2 Jan 2011 12:01:32 +0200<br> >> > To: <<a \
href="mailto:websecurity@webappsec.org">websecurity@webappsec.org</a>><br> \
>> > Subject: [WEB SECURITY] Web app security certifications and course<br> \
>> > Hi list,<br> >> > Please share with me your professional \
advice. Am looking for a<br> >> > course/certification or MA degree in web \
application security. What are the<br> >> > best options out there?<br>
>> > Thank you all<br>
>> > Josh<br>
>><br>
>> ----------------------------------------------------------------------------<br>
>> Join us on IRC: <a href="http://irc.freenode.net" \
target="_blank">irc.freenode.net</a> #webappsec<br> >><br>
>> Have a question? Search The Web Security Mailing List Archives:<br>
>> <a href="http://www.webappsec.org/lists/websecurity/archive/" \
target="_blank">http://www.webappsec.org/lists/websecurity/archive/</a><br> \
>><br> >> Subscribe via RSS:<br>
>> <a href="http://www.webappsec.org/rss/websecurity.rss" \
target="_blank">http://www.webappsec.org/rss/websecurity.rss</a> [RSS Feed]<br> \
>><br> >> To unsubscribe email <a \
href="mailto:websecurity-unsubscribe@webappsec.org">websecurity-unsubscribe@webappsec.org</a> \
and reply to<br> >> the confirmation email<br>
>><br>
>> Join WASC on LinkedIn<br>
>> <a href="http://www.linkedin.com/e/gis/83336/4B20E4374DBA" \
target="_blank">http://www.linkedin.com/e/gis/83336/4B20E4374DBA</a><br> >><br>
>> WASC on Twitter<br>
>> <a href="http://twitter.com/wascupdates" \
target="_blank">http://twitter.com/wascupdates</a><br> >><br>
><br>
><br>
><br>
> ----------------------------------------------------------------------------<br>
> Join us on IRC: <a href="http://irc.freenode.net" \
target="_blank">irc.freenode.net</a> #webappsec<br> ><br>
> Have a question? Search The Web Security Mailing List Archives:<br>
> <a href="http://www.webappsec.org/lists/websecurity/archive/" \
target="_blank">http://www.webappsec.org/lists/websecurity/archive/</a><br> ><br>
> Subscribe via RSS:<br>
> <a href="http://www.webappsec.org/rss/websecurity.rss" \
target="_blank">http://www.webappsec.org/rss/websecurity.rss</a> [RSS Feed]<br> \
><br> > To unsubscribe email <a \
href="mailto:websecurity-unsubscribe@webappsec.org">websecurity-unsubscribe@webappsec.org</a> \
and reply to<br> > the confirmation email<br>
><br>
> Join WASC on LinkedIn<br>
> <a href="http://www.linkedin.com/e/gis/83336/4B20E4374DBA" \
target="_blank">http://www.linkedin.com/e/gis/83336/4B20E4374DBA</a><br> ><br>
> WASC on Twitter<br>
> <a href="http://twitter.com/wascupdates" \
target="_blank">http://twitter.com/wascupdates</a><br> ><br>
><br>
<br>
----------------------------------------------------------------------------<br>
Join us on IRC: <a href="http://irc.freenode.net" \
target="_blank">irc.freenode.net</a> #webappsec<br> <br>
Have a question? Search The Web Security Mailing List Archives:<br>
<a href="http://www.webappsec.org/lists/websecurity/archive/" \
target="_blank">http://www.webappsec.org/lists/websecurity/archive/</a><br> <br>
Subscribe via RSS:<br>
<a href="http://www.webappsec.org/rss/websecurity.rss" \
target="_blank">http://www.webappsec.org/rss/websecurity.rss</a> [RSS Feed]<br> <br>
To unsubscribe email <a \
href="mailto:websecurity-unsubscribe@webappsec.org">websecurity-unsubscribe@webappsec.org</a> \
and reply to<br> the confirmation email<br>
<br>
Join WASC on LinkedIn<br>
<a href="http://www.linkedin.com/e/gis/83336/4B20E4374DBA" \
target="_blank">http://www.linkedin.com/e/gis/83336/4B20E4374DBA</a><br> <br>
WASC on Twitter<br>
<a href="http://twitter.com/wascupdates" \
target="_blank">http://twitter.com/wascupdates</a><br> <br>
<br>
<br>
</div><br>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic