Date: Sat, 5 Feb 2011 16:33:27 -0500
From: Shawn Merdinger <shawnmer@...il.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Fred B. Schneider testimony on Cybersecurity Credentials

Testimony of Fred B. Schneider
Samuel B. Eckert Professor of Computer Science
Cornell University, Ithaca, New York
February 19, 2010

http://www.cs.cornell.edu/fbs/publications/SciPolicyHouseArmedServsFeb2010.pdf

<snip>

A Cybersecurity Credential.

Most professions expect their practitioners to have a credential
before they are allowed to practice. But I believe that credentials
by themselves are not the solution. At best, they are a symptom of a
solution. For example, you might hope that a credentialed individual
would engage in best practices. But hope is
all you can do. Possession of a credential does not by itself compel
the use of best practices, and it is easy to imagine credentialed
system builders cutting corners by choice (such as out of laziness)
or by mandate (such as from management trying to cut costs).

Also, the value of a credential depends on the institutions that
define what content must be mastered to obtain the label. To whom
should society be willing to vest that responsibility? How do we
ensure that the content and standards enshrined by the credential
have been selected based entirely on society’s best interests rather
than financial gain or commercial advantage?

In a fast moving field, content will change rapidly. The credentialing
process must keep up, as must credential holders. Otherwise,
credentials impede the spread of innovation because people who employ
practices learned for a credential are soon engaging in outdated
methods. So a credentialing scheme must take this into account.

We are not the first group of professionals to face these problems.
Credentialing schemes that the legal and medical professions use, for
example, seem to serve society well. Therefore, it would be wise to
understand the particulars of those credentialing processes before
endeavoring to create one for producers of trustworthy systems. I
see three elements as being crucial to the success of these extant
schemes:

• Obtaining a credential requires far more than passing an
examination. To earn a credential, a candidate undertakes years of
post-bachelors education, in which the curriculum has been set by the
most respected thinkers and practitioners in the field.

• Credential holders are required to stay current with the latest
developments in the field by continuing their education through
courses sanctioned by the institution that issues credentials.

• The threat of legal action to individuals (including malpractice
litigation) incentivizes professionals to engage in best practices.

In sum, using exams to create labels for our workforce might sound
like a way to get more trustworthy systems, but it’s not. To have the
desired effect, a credential must bestow obligations and
responsibilities on practitioners. Moreover, curriculum and
educational programs—not an exam—are central to the enterprise.

</snip>

Cheers,
--scm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
