  1. Senior Member
    Join Date
    Apr 2009
    Posts
    5,015
    #1

    Security Folks .Net certs

    Would it be normal for someone who is supporting a web server to be certified on .net? (specifically 4.0)

  3. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,596
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #2
    If you will be a programmer writing Web services and Web pages in ASP.NET then yes, you should look into .NET certification. If you are just an admin of Microsoft Web servers then you would look into the MCSE certs for Windows 2003 and the MCITP for Windows 2008 and later.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  4. Senior Member
    #3
    Quote Originally Posted by JDMurray View Post
    If you will be a programmer writing Web services and Web pages in ASP.NET then yes, you should look into .NET certification. If you are just an admin of Microsoft Web servers then you would look into the MCSE certs for Windows 2003 and the MCITP for Windows 2008 and later.
    I will be the admin but I will also help out with development, mainly making sure we are doing things according to best practices.

  5. Certification Invigilator Forum Admin JDMurray's Avatar
    #4
    Quote Originally Posted by Bl8ckr0uter View Post
    I will be the admin but I will also help out with development, mainly making sure we are doing things according to best practices.
    You need to get with the people/organization that's defining the best practices that you will be following and ask what they recommend. If you are not an actual programmer then the ASP.NET developer certs are not for you.

  6. Senior Member
    #5
    Quote Originally Posted by JDMurray View Post
    You need to get with the people/organization that's defining the best practices that you will be following and ask what they recommend. If you are not an actual programmer then the ASP.NET developer certs are not for you.
    That's my point, the developers aren't developing with security in mind and my boss has said, figure out what they need to do (not do it per se) so our new sites can be as secure as possible. Layer 7 on down. I was just wondering how much those certs cover security. I have the ASP.Net 4 book from Wrox and it has a few chapters dedicated to security.

  7. Certification Invigilator Forum Admin JDMurray's Avatar
    #6
    Quote Originally Posted by Bl8ckr0uter View Post
    That's my point, the developers aren't developing with security in mind and my boss has said, figure out what they need to do (not do it per se) so our new sites can be as secure as possible. Layer 7 on down. I was just wondering how much those certs cover security. I have the ASP.Net 4 book from Wrox and it has a few chapters dedicated to security.
    There are no .NET certs specifically for security. You'd be lucky to find that just one of the exams covered only security. Software security starts in the design of the program, not in the coding (implementation). Entire software engineering degrees are based on the concept of software systems security, so I don't think one or two .NET certs will help much.

    If you have a code base that's critical to the operations of your business, you might look into a professional assessment from a company like Cigital.

  8. Senior Member
    #7
    Quote Originally Posted by JDMurray View Post
    There are no .NET certs specifically for security. You'd be lucky to find that just one of the exams covered only security. Software security starts in the design of the program, not in the coding (implementation). Entire software engineering degrees are based on the concept of software systems security, so I don't think one or two .NET certs will help much.

    If you have a code base that's critical to the operations of your business, you might look into a professional assessment from a company like Cigital.
    Ok, maybe I am posing my question incorrectly. For a network admin of a small shop who happens to work for some web developers (also at this small shop), what would be some of the security concerns when rolling out some brand new ASP.NET applications from the development side? We wouldn't have money for a place like Cigital to work on our code so all of this would need to be in house.

  9. Senior Member
    #8
    I think I answered my own question. I just got web applications hackers handbook and Web security testing and these seem to be the answer I needed. Thanks!

  10. Certification Invigilator Forum Admin JDMurray's Avatar
    #9
    Note that Web sites must be tested both independently of the site's technology, and tested to find vulnerabilities specific to the technology used to implement the site. For example, a poor design of a site's authentication mechanism can exist in any implementation, while an exploit specific to a version of PHP can only be used on sites that use PHP.

    An excellent organization to follow for information on Web site and application security is the Open Web Application Security Project (OWASP).

  11. Senior Member
    #10
    Quote Originally Posted by JDMurray View Post
    Note that Web sites must be tested both independently of the site's technology, and tested to find vulnerabilities specific to the technology used to implement the site. For example, a poor design of a site's authentication mechanism can exist in any implementation, while an exploit specific to a version of PHP can only be used on sites that use PHP.

    An excellent organization to follow for information on Web site and application security is the Open Web Application Security Project (OWASP).

    I am actually considering joining the local branch of OWASP. I plan on following this organization very closely.

    This Web Application hackers book seems like it is going to be promising. I will have to pick up the database hackers book later.
    Last edited by Bl8ckr0uter; 11-26-2010 at 06:42 PM.
