Truth: I used to think (ISC)2 was one of the most useless organizations on the planet.

They never seemed to listen to the people who had invested in their CISSP training. A couple of years ago, people even started to brag about letting their certifications expire.

But something happened that gave me renewed faith in the organization.

A bunch of talented, well-known security professionals started running for seats on the (ISC)2 board, and now we have powerful voices for improvement, including Wim Remes, Jennifer Minella and Liquidmatrix’s own Dave Lewis.

I also got to know Executive Director W. Hord Tipton, and admire how he addresses the critics head-on. I’ve seen a lot of executives take the duck-and-cover approach when the tough questions come. But Hord goes for the throat. In an interview I did with him while I was managing editor of CSO Magazine, I asked about those who were flaunting their expired cert status. His reply:

What irks people is that certs are job requirements and some folks don’t feel they need a certification to be validated. It’s often the same people who are fussing.

Bam!

In light of all this, I have a renewed interest in what the organization is doing, and am happy to see that it has launched a new Application Security Advisory Council (ASAC). From the press release:

The Advisory Council was established to evangelize for the adoption of secure software development best practices through professional certification. The council consists of 15 software security professionals in senior roles at leading business and government agencies around the world, including: 

• Tony Vargas, CSSLP, CISSP-ISSAP, Security+, technical leader, Engineering, Cisco; co-founder, chairman & president, (ISC)² Sacramento Chapter; chair, (ISC)² Application Security Advisory Council
• Anthony Lim, CSSLP, CISSP, FCITIL, Asia-Pacific director, WhiteHat Security Inc.; vice-chair, (ISC)² Application Security Advisory Council
• David Kennedy, CISSP, OSCP, OSCE, GSEC, MCSE, ISO 27001, founder & principal security consultant, TrustedSec 
• David O’Berry, CSSLP, CISSP-ISSAP, ISSMP, CRISC, worldwide strategic technologies, Office of the CTO, McAfee 
• Erin Jacobs, CEH, CISA, QSA, managing partner, Urbane Security 
• Glenn Leifheit, CSSLP, CISSP, ACS, principal security architect, Microsoft 
• Jacob West, CTO, Enterprise Security Products, HP 
• Joe Jarzombek, CSSLP, PMP, director, Software & Supply Chain Assurance, SECIR/CS&C/NPPD, U.S. Department of Homeland Security 
• Joshua Corman, CTO, Sonatype; founder, “Rugged Software” and “I am The Cavalry” 
• Katie Moussouris, chief policy officer, HackerOne 
• Mano Paul, CSSLP, CISSP, GWAPT, GSSP-.Net, MCAD, MCSD, CompTIA Network+, ECSA, founder and CEO, SecuRisk Solutions and Express Certifications; founder, HackFormers 
• Mikko Varpiola, security researcher, Codenomicon 
• Sean Mason, CSSLP, CISSP-ISSMP, CCFP, CISA, CISM, PMP, executive incident response leader, CSC 
• Tom Brennan, CISSP, founder, proactiveRISK and CyberTOOLBELT; global vice chairman, OWASP Foundation 
• Zachary Tudor, CISSP, CISM, CCP, program director, Computer Science Lab, SRI International 

“We’re pleased to have some of the most prestigious names in the realm of application security on our new council,” said W. Hord Tipton, CISSP, executive director, (ISC)². “Our Certified Secure Software Lifecycle Professional (CSSLP) certification was developed with the mindset of changing the way the world looks at developing software, by building security in from the onset to help avoid the outrageous cost of bolting on security later. We must increase the level of awareness in this area, and I’m confident that this group will spearhead the cause to make software more secure throughout the entire development life cycle.”

The first ASAC meeting will take place on Friday, August 1 in Las Vegas, Nevada, prior to the Black Hat USA Conference. 

I know most of the people on this new council, and they are the real deal. They are security rock stars. Together, they will do big things.

Congrats to all involved.

Comments

  1. I wish ISC would audit more applications. When you hear of a Geek Squad guy getting a CISSP you have to wonder what domain covers fixing broken PCs?

    As someone with a CISSP number that’s 57,XXX, I’ve been at this game for a bit. While there have been positive changes over the years, there is still some more to do that will keep the value of the certification and not water it down.

  2. Andy – Every endorsement is reviewed for the experience, the audits just involve contacting the listed employers directly for confirmation. If you are concerned, you can always file an ethics complaint.

    I am interested in looking into this to improve our process though, so please feel free to send me the details of the person you referenced.

    I am also interested in hearing your ideas on keeping the value of the certification as well. As a CISSP-ISSAP and an HCISSP, I’ve got skin in the game too.

    If you email membersupport@isc2.org and tell them to forward the message to me, they will get it to me.

    Sincerely,
    Erich Kron
    Director of Membership Relations and Services
    (ISC)2
