[fuzzing] Hey all

nnp version5 at gmail.com
Sat Mar 15 11:18:49 CDT 2008


On Fri, Mar 14, 2008 at 11:50 PM, Jared DeMott <demottja at msu.edu> wrote:

> Fellow Fuzzers,
>
> So it's been a while since I've posted, but I was thinking, why not a
> CFP (Certified Fuzzing Professional)?  There's certs for everything else
> out there, how do you guys think industry would take the idea?
>
> Blessings,
> Jared


I would disagree with this for a number of reasons, most of which have been
previously mentioned. While fuzzing is incredibly effective, especially with
the advances recently by a number of people, including yourself, it is still
just another testing mechanism. By the same train of thought, why not have a
Certified Source Code Auditing Professional or a Certified Static Analysis
Professional (boy am I gonna look silly if those exist)?

I would imagine any kind of certification like this would suffer from the
same issues most certifications suffer from. All it really certifies is that
you knew the answers to that particular exam. Anyone that has built fuzzers
knows that while a good knowledge base really helps, you often have to get
creative when your fuzzer comes back with nothing after the first iteration.
This isn't something I could see a certificate taking into account as it
often depends on what you're testing and what quirks you've noticed. Really
effective fuzzers, IMHO, often require a certain amount of RE of the targets
to notice common misinterpretations of RFCs, etc., that someone that just
builds a straight up fuzzer won't realise.

I think the majority of details that a certification would 'certify' could
easily be hammered out with a couple of questions in an interview or meeting
and to a much more useful level of detail.

Just my .02 euro,
nnp



-- 
http://www.smashthestack.org
http://www.unprotectedhex.com