Software Security Certification (ACSA) · 2019-07-16
TRANSCRIPT
Software Security Certification
Symantec’s Experience
Cassio Goldschmidt, Sr. Manager
December 9th, 2009
The creation of CSSLP
• Convergence among all parties
• Excellent pool of talent from various industries in all meetings
– Independent Software Vendors
– Online Service Providers
– Financial Services Organizations
– Government Organizations
• Rigorous process to create questions
– Psychometrics
– Peer review
– Source requirements
• (ISC)2 proven track record creating certifications
Areas where CSSLP adds value
Effective way to educate current staff
• Historically, universities have not integrated security with CS education
• Certification maintenance requirements are a good idea
• Does not replace real world practice
– Diplomas do not replace the need for practice either
Areas where CSSLP adds value
Hiring
Old School
• One page resume
New School
• Keyword driven
• CISSP is already a keyword
CSSLP
• How do you tell a recruiter you need a professional familiar with all the areas listed below?
– Security Principles
– Security Requirements
– Secure Software Design
– Secure Coding
– Secure Software Testing
– Vulnerability management and response
The problem Symantec faces today
Most of our flaws are not in our code
• Security incidents in 2009, by code origin:
– Symantec code: 54%
– Open source / third party: 46%
[Chart: incidents by lifecycle phase: Design & Requirements, Code, Test, Support]
The problem Symantec faces today
Mergers & Acquisitions
• What should a practitioner do when a vulnerability is reported by a security researcher?
• How to assess risk?
• How to deploy the fix?
• How and when do customers need to be informed?
• What kind of process and techniques can help to avoid vulnerabilities in the first place?
Symantec’s education and process
We don’t teach with certs in mind
Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
Thank You!
Cassio Goldschmidt
Sr. Manager, Product Security
Office of the CTO, Symantec Corporation