Trust validation of programmers

Rick Smith rick_smith@securecomputing.com
Tue, 30 Jun 1998 07:59:25 -0500


At 08:05 AM 6/26/98 -0400, Ted Doty wrote:

>From what I've seen, this situation is more like the craft guilds of the
>Renaissance.  Apprentices and journeymen would work under the supervision
>of masters, who were not only responsible for the quality of the product,
>but for training the apprentices and journeymen as well.

Arguably the training style is like this, particularly in mature
organizations, but there's an essential ingredient missing -- there's no
assurance that a person claiming to be a journeyman or master really is
one. In the Good Old Days you'd practice your craft in the same community
that you trained in, so everyone that mattered knew your status. Today,
someone can walk in off the street with a bogus resume and claim to be an
expert.

I suppose one could say that the CISSP is supposed to address this problem,
though it's nowhere nearly as comprehensive (or costly) as guild-style
apprenticeships.

>My experience with background checks is that they're probably effective in
>weeding out psychos, and less effective in weeding out traitors (strong
>word there, perhaps we should say "Industrial Saboteurs").  It may raise
>the bar a bit, but it is a pretty tiny bit.

Same with the CISSP or any other practical, test-based certification.

Rick.
smith@securecomputing.com