[rdl]

IMO, he's seriously wrong about certifications. (and not really on the right track with this article in general; a good background in making stuff is key to knowing the tradeoffs in securing stuff...)

Maybe the perfect cert would be a useful tool for some purposes (corporate hiring, huge projects with consultants doing low-level IT, etc.), but those are crappy jobs (and not really "expert" in any way).

More importantly, the extant certifications are all crap. CISSP in particular. Get it if an employer requires it, but it's independent of your actual knowledge and learning process.

[tptacek]

You will never, ever get the time you waste at a bad employer back. Employers that require CISSPs are far more likely to be wasting your time than not. The most important life lesson I've learned over the previous 10 years: be jealously protective of your time.

[rdl]

If you're in the military, you're basically required to get it, and it's not much more of a waste of your time than other things you could be doing there...

I personally got it just so that no one else in my company would ever need to do so; there are stupid companies which won't buy a product without integration, and where they have artificial requirements for integrators being certified. Given that it is only 1% of useless pain to enable 99% useful rewarding stuff, I found the sacrifice worthwhile.

[tptacek]

This comment is a great example of why I'm training myself to be less factional and defensive about people who hold the certificate. The military thing hadn't ever occurred to me.

But to be clear: I believe pretty firmly that for technical / software security, the CISSP is useless.

[rdl]

CCIE Security is probably useful, although that's more CCIE + Security than some abstract security cert, too, and specifically for network security, and specifically the kind of network you get in a corporate environment, not a startup/saas.

I'm not sure how I feel about SANS/GIAC. Absurdly expensive IMO, but potentially actually has some value for sysadmins doing system security. I can't think of what CISSP is actually good for, except maybe trivial pursuit - crappy consultant edition.

[suresk]

Somewhat related - about 2 years ago, my employer had a bunch of us go through the SANS/GIAC GSSP training & certification. Some of the material was pretty boring and of questionable utility, but we had a good instructor and some of the hands-on parts where we were finding vulnerabilities was actually really fun.

I'm under no illusions about the certification's marketplace value and I doubt I would have ever paid for the course/cert on my own, but it felt like one of the better formal trainings I've been through in my professional career (which, granted, isn't saying a whole lot by itself).

Also, the certificate comes mounted on a comically oversized plaque, which provides some entertainment value.