CSA CCSK, what to expect?
I had been planning to take the Cloud Security Alliance “Certificate of Cloud Security Knowledge” (CCSK) for a few weeks (since the day they announced it, to be precise) and was looking around for more information on what to expect during the certification process. Unfortunately the usual search engine investigation didn't turn up much, so I decided to go ahead and give it a try to see what it is all about.
Key points to know about the certification process:
- Read the FAQ; it contains lots of useful information.
- The certification fee is 195 USD until the end of 2010. After that it goes up to 295 USD.
- You get a second attempt if you fail your first try (2010 only).
- The test consists of 50 questions; you need to answer 80% (40 of 50) correctly within 60 minutes.
As described in the FAQ, the questions are based on the Common Body of Knowledge (CBK), which at this time consists of the CSA “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” and ENISA's “Cloud Computing Risk Assessment”. The weighting given in the CCSK prep guide (70% CSA guidance, 20% ENISA report, 10% applied knowledge) seems fairly accurate.
So how does it work? This is where I had hoped for a bit more guidance from the CSA, as there is no information on the actual registration and testing process available. In their defense, there isn't much to it. If you want to take the test you have to register here. Once registered you can buy the token to attempt the test. The purchase is handled via PayPal (either your usual PayPal account or a credit card payment processed by PayPal) or prepaid invoice. Assuming the purchase completed successfully you are good to go; just click the big button to start the test. There is no need to attempt the test right after purchase; you can log back in later from anywhere you like to start the process.
The test itself is very straightforward: as soon as you start, the timer counts down from 60 minutes and you go through the questions. No (too) confusing wording [...] just 50 multiple choice questions, with the option to mark a question for later and a direct link to every question for review. When you're done answering, hit the button “Submit for marking” (I forgot the exact wording here, sorry) and you get the result right away, with a small breakdown of how well or badly you did per domain, very much comparable to Microsoft tests and similar.
Looking back, I expected the test to be a bit more difficult; not necessarily in the knowledge required but in the time available to complete the questions. Many of the questions are quick to read, so most people will be able to go through them at a comfortable pace and still have plenty of time left for review. I think the certification would benefit from additional questions (maybe 60-75 overall) to verify that the test taker really has the key parts of the CBK memorized, and from more detailed guidance in the domain breakdown as to which areas might need more attention.
If you pass the test you have the option to download the certificate in PDF or HTML format. Alternatively, you can use the email address you registered with and your CCSK code, which you receive once you have passed, to validate that you are really certified. On the CCSK page look for the validation check box.
If the email address and validation code are recognized you should see a result similar to this.
Certified, licensed or signed?
While having my coffee this morning I came across a short post on the Sophos blog titled “License to code”. After some good conversations at the last ISSA UK chapter meeting about code quality from a security durability point of view, and what implications this (should) have for the liability of the software vendor, I had hoped Sophos would provide some further insight along those lines. I was somewhat disappointed to see that the conversation quickly drifted off into yet another discussion on the usefulness of signed applications. The analogy to licensed surgeons in the article makes sense (it should, as it is taken from David Rice's excellent book Geekonomics) but quickly loses its relevance out of context: the point is not about signed code (which would correspond to the surgeon's scalpel) but about the surgeon being licensed/certified to a certain skill or quality standard.
So to me the question is not whether it makes sense to sign code because signatures can be forged and lose some of their overall trustworthiness. That is an arduous question to ask, and it leads to counterproductive discussions about whether we should sign at all, since there are situations where a signature will not be 100% trustworthy. Yes, code signing will be abused, exploited and circumvented by malware distributors, but it raises the bar and sets the scene (or the infrastructure, if you will) from which a trusted software culture can evolve further.
The question to me (as a consumer of applications) is rather whether we can now start to certify not just the origin of an application but also the reliability and quality of the coder/distributor, with consequences for liability similar to those the aforementioned surgeon ‘enjoys’. I certainly do not want to advocate dropping the liability hammer on software vendors, but I think it is time to re-evaluate the fairness of cost distribution in the information security space. It amazes me to see how Information Security and Information Technology departments struggle to get funding to mitigate problems introduced by software vendors who enjoy the benefits of the purchase price but take no responsibility for the follow-up costs incurred by insecure code. Here's a thought: would it be wrong to demand that software vendors producing insecure software sponsor mitigation vendors (WAF, AV, etc.), since they are one of the main reasons that industry exists in the first place?
InfoSec events London
I've been looking for a place that lists information security events in London/UK for a while now and didn't come across anything I particularly liked, so I decided to start my own event overview. Obviously it consists mainly of events I'm aware of and/or participating in, but I'm happy to add relevant events if someone lets me know about them.
The calendar can be accessed via the top menu or this direct link: InfoSec Events London
Cloud Security Alliance announces certification
With all the news and information coming out of Black Hat 2010, DefCon 18, BSides Las Vegas and, not to forget, WikiLeaks these past days, the announcement of the first user certification for cloud security didn't get much of the attention it probably deserved.
The Cloud Security Alliance, in cooperation with the European Network and Information Security Agency (ENISA), created the “Certificate of Cloud Security Knowledge” or CCSK to “…ensure that a broad range of professionals with a responsibility related to cloud computing have a demonstrated awareness of the security threats and best practices for securing the cloud.” I think it was just a matter of time until a specialized certification became available for cloud professionals, but I didn't expect it to happen this soon, nor to come out of the CSA. The CSA is a great initiative and seems to have the clout and knowledge to run a trustworthy certification program, but at this point the Common Body of Knowledge, which is derived primarily from
- Security Guidance for Critical Areas of Focus in Cloud Computing, V2.1
- ENISA Cloud Computing Risk Assessment
seems a bit light. That said, the FAQ already accounts for upcoming revisions of the certification, so I would expect an evolving CBK similar to e.g. EC-Council's CEH. I'm interested to see what the adoption rate in the first year will be and whether established certification bodies like (ISC)², EC-Council, Microsoft, etc. fully acknowledge it or start their own cloud certifications.
On slightly related news: Microsoft's research labs released a paper titled “Cloudward Bound: Planning for Beneficial Migration of Enterprise Applications to the Cloud”. It takes a fairly scientific approach to hybrid cloud hosting of enterprise applications. From the abstract:
“In this paper, we tackle challenges in migrating enterprise services into hybrid cloud-based deployments, where enterprise operations are partly hosted on-premise and partly in the cloud. Such hybrid architectures enable enterprises to benefit from cloud-based architectures, while honoring application performance requirements, and privacy restrictions on what services may be migrated to the cloud.”
NIST Guide to Security for Full Virtualization Technologies
The National Institute of Standards and Technology is currently working on a new Special Publication (800-125) that deals with security concerns around virtualization technology. The paper is currently released as a draft for comment, and public feedback is requested until August 13th 2010, as described below.
“NIST requests comments on draft SP 800-125 by August 13, 2010. Please submit comments to 800-125comments@nist.gov with “Comments SP 800-125” in the subject line.”
I quickly read through the draft and it turns out to be a fairly general overview of virtualization types and the common issues to consider, both regarding the technology itself and the overall life-cycle. It is a good primer for the topic but it lacks depth; most readers are probably already familiar with the content, as it is covered in more depth in guides like
- CPNI Security considerations for server virtualisation
- vSphere 4.0 Security Hardening Guide
- DISA Security Technical Implementation Guides
- Microsoft Hyper-V security guide
Overall the draft is a worthwhile read, especially since it is only 35 pages long at this point, but some sections leave me wishing for more. In section 4.1 “Hypervisor Security” I miss a better discussion of the hardware the VMM relies on (e.g. the CPU's virtualization extensions and the platform firmware) and the inherent trust the hypervisor places in this part of the underlying system. While the paper mentions hypervisor integrity and physical system security, this point deserves better coverage in my view.
Link to the draft: SP 800-125 Guide to Security for Full Virtualization Technologies