[fuzzing] Hey all
Parity
pty.err at gmail.com
Sat Mar 15 12:46:12 CDT 2008
All,
The purpose of a certification is to vouch for the bearer as being
proficient in a given practice. Re. the term "practice," I mean in the
formal sense, where a practice is not some random speciality, but rather
a field in which a widely-recognized and agreed-upon methodology has emerged
as the basis of getting things done.
In other words, "Will the ______ field ever become a practice in which a
standard, widely agreed-upon body of knowledge and rules is adequate to
define the core competencies of its participants?"
Psychology. Patent law. Physical training. Stretching a little, real
estate, or network design. Information systems security professional? I
don't think so. Fuzzing professional? Forget it.
pty
On Sat, Mar 15, 2008 at 9:18 AM, nnp <version5 at gmail.com> wrote:
> On Fri, Mar 14, 2008 at 11:50 PM, Jared DeMott <demottja at msu.edu> wrote:
>
> > Fellow Fuzzers,
> >
> > So it's been a while since I've posted, but I was thinking, why not a
> > CFP (Certified Fuzzing Professional)? There's certs for everything else
> > out there, how do you guys think industry would take the idea?
> >
> > Blessings,
> > Jared
>
>
> I would disagree with this for a number of reasons. Most of which have
> been previously mentioned. While fuzzing is incredibly effective, especially
> with the advances recently by a number of people, including yourself, it is
> still just another testing mechanism. By the same train of thought, why not
> have a Certified Source Code Auditing Professional or a Certified Static
> Analysis Professional (boy am I gonna look silly if those exist)?
>
> I would imagine any kind of certification like this would suffer from the
> same issues most certifications suffer from. All it really certifies is that
> you knew the answers to that particular exam. Anyone that has built fuzzers
> knows that while a good knowledge base really helps, you often have to get
> creative when your fuzzer comes back with nothing after the first iteration.
> This isn't something I could see a certificate taking into account as it
> often depends on what you're testing and what quirks you've noticed. Really
> effective fuzzers, IMHO, often require a certain amount of RE of the targets
> to notice common misinterpretations of RFCs etc. that someone who just
> builds a straight up fuzzer won't realise.
>
> I think the majority of details that a certification would 'certify' could
> easily be hammered out with a couple of questions in an interview or meeting
> and to a much more useful level of detail.
>
> Just my .02 euro,
> nnp
>
>
>
> --
> http://www.smashthestack.org
> http://www.unprotectedhex.com
>
> _______________________________________________
> fuzzing mailing list
> fuzzing at whitestar.linuxbox.org
> http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing