FW: My Frustrations

H.D. if you don't want clients checking up on postings then use a
pseudonym, preferably one that you hold a little close. I don't make a
big deal about hiding behind this one. I just use it to show that my
postings are personal and not on behalf of my employer. Another
alternative to the issue is to have closed lists where the
participants are vetted. I'm on a few of those and they vary in
quality as well... go figure.

Putting on my non-moderator hat for a change...

Sometimes we forget that there are some 15k+ subscribed list members
with a wide range of backgrounds and expertise. From well-known experts
and practicing professionals such as HD, Dave, Adriel, etc., to 13-year-old
script kiddies or novices just interested in pen-testing in general.
I'm not ashamed to admit that my code analysis skills are weak and to
ask questions around that aspect or rely on advice from people like HD
and others who have a better grasp on those things. My expertise is
slanted towards other realms. That said, there are many posts I've let
through where it's apparent someone is in above their heads in an area
where they are representing themselves as an expert. As a moderator, my
job is to keep discussions flowing and relevant to pen-testing. As a
security professional, I shudder with horror at the things some people

As Adriel said, the real problem is when a supposed expert is looking
for help on something that is so basic that you wonder how they got the
contract at all. It devalues the work of the real experts and fosters a
false sense of security. The responses to such questions (qualification
issue aside) are useful for list members whose expertise or background
isn't in that particular area and spreads Clue to those readers. Lack
of knowledge isn't a bad thing, we're all here to learn _something_.
Misrepresenting your expertise I believe is a very Bad Thing... but it
happens and they land clients who are ill-served and might not realize

The only feasible solution I see is to educate clients so they can
tell the wheat from the chaff. How to do so across the industry is a
vexing question. I don't think regulatory bodies would work. I don't
think certifications work. They can be good indicators of actual
expertise but, as many others have pointed out, are not in and of
themselves guarantees of qualification for hands-on "doing the work".
So far there is no replacement for word of mouth.

Erin Carroll
CTO & Vice President | iVOLUTION Security Technologies
