Re: Mile2 Training (Certifications)

From: Andrew Blyth (ajcblyth@glam.ac.uk)
Date: Tue Jul 17 2007 - 04:08:07 EDT


Greetings,

There is an initiative in the UK that has led to the creation of the Tiger
Scheme.

The TIGER Scheme provides a means of independently certifying the skills of
vulnerability test ('penetration test') engineers.

The Scheme is managed independently by a Management Committee comprised of
industry stakeholders with a vested interest in maintaining standards and in
meeting market requirements.

The three main strengths of the TIGER Scheme are: independence; a
University-based examination; and strong end-customer involvement on the
Management Committee.

http://www.tigerscheme.org.uk/

Andrew

On 16/7/07 19:46, "Pete Herzog" <lists@isecom.org> wrote:

> Hi Ken,
>
> Unfortunately, skills-based certification is the closest thing that exists
> to what is really required, decent apprenticeships. While "virtual"
> apprenticeships happen through hacker groups and to some regards in certain
> on-line training venues, that doesn't come close to giving the well-rounded
> skills a professional security tester needs in the modern workplace.
>
> I was lucky enough to have a great mentor during my time at IBM and what
> Peter Klee didn't teach me about just knowing how to be a "smart security
> consultant" as he called it could fit in a thimble. For a year that guy
> dragged me to analyst meetings and customer meetings and presentations and
> internal department meetings where I just sat there with my mouth shut and
> learned how security professionals handle themselves. That doesn't happen
> these days. Kids leave college with a few infosec courses under their belt
> and they become security professionals already assessing other people's
> business. There's no substitute for proper apprenticeship. But since that
> won't happen much anymore we need to find other ways to prove ourselves.
> We do that by showing it to an independent 3rd party to rate our ability to
> apply knowledge and skills to realistic problems in a timely manner. And
> that's what ISECOM is doing. It's the closest thing you can get to proving
> experience and ability like in an apprenticeship.
>
> This whole thing about work experience voucher and all that is a sham that
> more and more people get around. That doesn't mean anything! We all work
> with people who share the same job title but not the same work ethic or
> skills. Yet after 2 years they are the same level as you according to
> these business experience certification requirements. It's so hokey that I
> even have to use the word "hokey" and that alone is upsetting! ;)
>
> Sincerely,
> -pete.
>
>
>
> Ken Kousky wrote:
>> When exploring certification programs it's also important to note that
>> ANSI/OSI have a standard for the certification of professional licensing and
>> certification programs. The ANSI/OSI framework does not allow for this kind
>> of approach, where you have to buy a specific training product or program.
>>
>> A professional licensing process should be an independent test of
>> competencies and not a measure of the training program an individual
>> purchases.
>>
>> The DoD 8570 directive endorses ANSI/OSI certified certification programs -
>> I think for this reason. It's not buying training but establishing
>> competencies that matters.
>>
>> It's what you know, not what you buy. I think most good professional
>> certifications are moving in this direction.
>>
>> We still have a long way to go before the professional standards for
>> competency are clearly codified. Right now, the targeted skills continue to
>> evolve with the exploits but we're starting to better understand the need
>> for foundation skills and then specific applications of these skills.
>>
>> KWK
>>
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Swap Out your SPI or Watchfire app sec solution for
> Cenzic's robust, accurate risk assessment and management
> solution FREE - limited Time Offer
>
> http://www.cenzic.com/c/wf-spi
> ------------------------------------------------------------------------
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:57 EDT