＜本文发表于: 相约加拿大:枫下论坛 www.rolia.net/f ＞
Security problems are the result of software vulnerabilities, and software vulnerabilities are the result of bad programming practice. In Theo's words, vulnerabilities are the result of not knowing exactly the library interface (can't remember the exact words) and improper use of function calls (eg. using strcpy() instead of strncpy() etc.).
Last year around March, Mikeal Olsson from Enternet (a Sweden company that makes firewall product) discovered pasv ftp vulnerability from multiple firewall products. The way he discovered the vulnerability is kind of interesting: he was trying to implement a ftp proxy and then got stuck on passive ftp part - he was having a hard time to do it without vulnerabilities. Then he was curious about how other venders' implementations look like. Then it turned out that other venders didn't get it right either, most notably Checkpoint FW-1 and Cisco PIX. And I believe linux's iptables also had that vulnerability although it was out much later. Granted, FTP is a broken protocol, I just want to stress the importance of good programming background.
Another example would be the discovery of a remote root vulnerability in Gauntlet firewall. Actually the vulnerability was from an add-on product (iirc some kind of content screening) and not from the firewall itself but once exploited, the whole box is rooted. This was discovered when a security consultant was hired to do the security audit for a company.
I think these people can be qualified as security experts.
To get CISSP is not that hard, you just need to get the book "Handbook of Information Security Management" (I have an old e-edition of the book in case anybody wants). And we Chinese people are really good at exams. But even if we get CISSP, do we qualified as a security expert?＜本文发表于: 相约加拿大:枫下论坛 www.rolia.net/f ＞