pentest licensing



"professionalized" ourselves by requiring licensing. The industry
reliance on certification rather than licensing as a credential somewhat
serves to muddy the waters because the decision makers hiring security

You think government-mandated licensing doesn't have the same problems? By blocking people who don't conform to the license model or can't afford it, you create a secondary culture which operates just outside the boundaries and undercuts the licensed professionals, who are already feeling the pains of protective insurances and government regulation that the non-licensed people avoid and can spend on marketing. Furthermore, lobby groups with money to spend would dominate this licensing scheme in the way that best benefits them, lowering the bar of who can get licensed by skill but restricting it by price (and association). This fractures the market even more, confuses customers, and adds new cost burdens to security which must then either be government subsidized or added to the customer's cost.

The security market may be too fractured, too full of lies, and too arrogant to support a proper licensing program. Something simple like a mandate of stating the factual attack surface of a program, device, or product in general would go a long way to informing the customers of how exposed the new purchase will make them and what they're buying, so they can track it and compare it to the results of the audits they're buying. Right now most people are buying black box inspections of boxes with unknown contents. I think the market would cut out many of the bad players if the customers knew what it was they were actually getting audited and what the results should be. Currently they're getting a lot of "clutch grease" inspections on automatic cars because they have no idea what's in the car.

-pete.

OPST, OPSA, OWSE, OPSE
www.isecom.org



