New job at BAO Systems: Chief Unicorn Wrangler

As some of you may have seen on LinkedIn, I am now working full-time for BAO Systems. I tried to get a silly new title, but I figured “Senior Software Architect” would be a bit more professional. This is somewhat a return to familiar ground as I will be helping move research forward for many NGOs (PEPFAR, International Rescue Committee, Doctors Without Borders, …).

The timing of this change is perfect. My previous government contract wouldn’t let me work remotely, promoted a hostile work environment, and were more concerned with appearances than national cyber security. Now I get to work remotely with an international team, promote international health and safety, and through it all, save lives. I can’t complain much about that.

I was removed from the government contract for insubordination. Someday I may write about it. If you want the details sooner we can talk over a cold bottle of root beer at php|world.

security work

CSSLP Certified

On last official day with Redport Information Assurance, I received confirmation of my Certified Secure Software Lifecycle Professional acceptance by (ISC)2. I am very grateful that Redport repeatedly covered my training and certification process. Alas, the story of our mutual separation will be a separate blog post.


Back on the market

After three years working at the Department of Energy as a Senior Security Software Engineer, I am back on the job market. If you are looking for a web application developer with over 15 years experience, please send me a line. Partnering with my infosec company (Redport Information Assurance) is also cool. I have TS and DOE-Q clearance. Ideally the position would be remote.

security work

Is the CSSLP worth it?

Last week I passed the (ISC)2 Certified Secure Software Lifecycle Professional (CSSLP) exam. Here are some thoughts (not bound by the (ISC)2 NDA):

Cert Types

There are two classes of certification within the (ISC)2 family: member and associate. The only difference between the two is how many years of experience you have in the subject area. For full membership, you need to have 4 years experience in at least 1 of 8 domains. If you have been doing devops for at least 4 years you will most likely be fine. If not, then you can go for the “associate” cert with the understanding that you have 5 years to gain that experience.

Summary: If the reason you are getting this cert is to have some letters on your resume, you might want to just go for the associate level. Who knows where you will be in 5 years.


Option 1: Experience

This cert focuses on security aspects in the full lifecycle of “enterprise” application development (read: .Net/Java). Honestly, I do not believe that my 18+ years of PHP development would have prepared me to pass this test, even though I had several years of Java dev in the midst. There were too many questions on processes, Microsoft, Java, and acronyms. My three years in the infosec arena certainly helped, but did not cover all the bases.

Option 2: Official Training  = High cost / Low risk

If you prefer live training, want to make dead sure you pass the test, and you have $2695 laying around, you can take (ISC)2’s official week-long trainings.  The also have self-study classes from $99 up to $695. If your company wants to pay for this, awesome! Good luck with that. (ISC)2 also has CSSLP Flash Cards on their website, but in my case they only represented about 60% of the concepts on the exam I took.

Option 2: Job training portals = Low cost  / Medium risk

Through my office, I was able to take the free FedVTE online CSSLP training. The 20-hour series of videos from CMU were great as an overarching review of security practices (when they say 20 hours they really mean 30+ hours). I feel that these trainings only provide a 60% solution. The information is great and highly recommended, but if your goal is passing, it won’t be enough by itself.

Looking back I also had access to the CSSLP resources on Skillport/Skillsoft. Make sure to check your company offerings.

Option 3: Read the book

There are several books out there purporting 90% passing rates. Looking at the comments on the latest official (ISC)2 offering will not give you much hope of passing. Not being too confident in scope of the FedVTE Computer Based Test (CBT) class, I purchased Conklin’s CSSLP Certification All-in-One Exam Guide. Similar to the CBT, the material covered was broad but still did not cover all the areas of the test. The Microsoft specific areas of the book were definitely helpful, coming from a Linux world.

Summary: GetConklin’s book. If you are on a budget, use the official (ISC)2 training and books as a last resort.


Time: You have 4 hours to complete 175 multiple choice questions at a Pearson Vue center. I managed to finish in under 90 minutes. ie. You have plenty of time to read each question carefully.

Content: As a CBT, each persons’ exam should be different, so YYMV. Although the practice exams got me a bit scared, I did not encounter any “Which of these 4 ISO standards is the right one?” A fair number could be solved just by process of elimination. Having the years of experience certainly helped with a number of questions that the CBT and books overlooked.

Passing: I was surprised when I first looked at this test, as you only need a 70% to pass. Part of that may be the fact that the test is “a mile wide and an inch deep“.


Unlike certifications you might be used to, (ISC)2 and some others require you to be endorsed by someone who is an active (ISC)2 member in good standing. Hopefully you already know someone who is a member and can vouch that you have the required professional experience. In a couple weeks that should be me as well.

Prospects & Alternatives

A search today on some of the more popular boards reveals job postings for CSSLP professionals.

These numbers are not all that great, especially since I did not place a geographical restriction on the search.

There are many other security related certificates out there. CASP, CISSP, GWEB, and CEH are some of the more well known.Though some colleagues believe the value has been watered down in recent years, there are over 10x more jobs requiring a CISSP certificate. In many postings where CSSLP shows up, it is paired with one of these other more well known options.

Summary: If you are getting this to find a new job, other certs have more flexibility.


Cost: Certs are not cheap. The CSSLP exam costs $595, plus, to keep your cert active, you must pay $100 and receive 30 Continuing Professional Education (CPE) credits per year. Training can be expensive as well. If your company is willing to pay for it, great! Out of pocket, ouch.

Visibility: This is not a well known cert. Despite the (ISC)2 website saying “CSSLP Named #1 Tech Cert that is Paying Off by Foote Partners” (for the first half of 2014), the job market says otherwise. Granted, it is no longer 2014 so perhaps it did pay off for 6 months.

Credits: Many certs these days require you to receive CPE credits to stay “active”. I plan on using the CSSLP as 50 CPE credits to renew my Security+ cert.

Usefulness: This cert material is useful, especially if you do not have a formal CS degree, or you are moving more toward leading teams or project management. It is a SDLC focused cert after all. There was a broad mix of useful security practices, “enterprise” situations, and supply chain considerations. At the very least, government recruiters like to see tons of certs on resumes.


It seems that certain people (especially government related entities) think the only way a person can know material is if they have paper proof. If you are looking to switch toward the security industry but lack the experience, I would check out the Security+ exam first.  Several government agencies will accept that as proof that you know enough security to get in the door. If you already have 5+ years in infosec, go for the CASP or CISSP instead. They both have broader visibility. However, if you are a PHP developer and plan on working just for PHP companies, the ZCE is a much better place to start, with its lower upfront cost and no yearly maintenance fee.


ZCE Complete

I finally got off my rear and took the Zend Certified PHP Engineer test. And Passed. I took the PHP 5 CE test way back in 2007, so I figured it was about time to refresh things. Right before PHP 7.

howto work

Taking Flight with AngularJs

Lately at work we have been getting into the Flight PHP framework for simple REST-like services with an AngularJS front end. We have had to do a bit of juggling however to get one of the nicer AngularJS features to work: “html5Mode”. Here is what we did.

talk work

tek13 Basic Intrusion Detection Slides

Here is the slide deck for my talk on BasicIntrusionDetectionWithPHPIDS. If you were one of the 19 attendees, please give feedback at

bug work

ZF1 still can’t parse dates right

I was running into some date validation problems between jQuery datepicker and ZF1. My client wanted one date picker to use a “January 01, 2000” format, and the others a “01/02/2000” format. Seems simple enough.



AngularJs Zend Framework 1 Resource Plugin

I whipped up a simple ZF1 resource plugin for AngularJs called AngularZF1 and dropped it onto github. We have started using Angular at work and I thought, why not mimic how the ZendX_JQuery plugin works. Right now it doesn’t add much beyond just adding the script tag to your <head>. Enjoy, all you who are still on ZF1!


Oracle in PHP Frameworks

I have been using Zend Framework 1.x at work for some time now. I appreciate the large number of components, many of which my system uses on a daily basis. Yes, it is a large library, but we have a very large application that probably does too many things.

ZF2 is coming out soon and it seems quite different from 1.x. I downloaded the betas and skeleton app, and looked at the well written tutorials, but I am still having a difficult time wrapping my mind around it. So I have decided to see if the grass is greener elsewhere. There are plenty of PHP frameworks out there to choose from, but I have one particular requirement: Oracle support. I work in a somewhat regulated space and the big vendors are preferred over the Open Source databases. And not just any Oracle support, we need to use the oci8 driver.

Most of the new frameworks prefer to use PDO for their database abstraction layer. This is fine for most people who are using MySQL or PostgreSQL. This is not great for us Oracle users. Although there is a pdo_oci extension, it is very buggy. We have to use the oci8 driver instead. And no, I cannot just switch to MySQL.

So, which of the frameworks support oci8? *feel free to correct me in your comments

Framework DBAL oci8 Notes
ZF 1.x Internal  Y
CodeIgniter 2  Y
Symfony2 Doctrine  Y  According to the Doctrine 2.0x docs oci8 is supported.
ZF2 Internal/Doctrine  Y
CakePHP 2.x  +
Lithium Internal  N MySQL, SQLite3, CouchDB, MongoDB
Aura Wrappers around PDO  N MySQL, PostgreSQL, SQLite3, SQLServer
DooPHP Wrappers around PDO  N
Yii Internal  ?  Found a note from 2009 saying it worked
FuelPHP Internal  ?
Slim No DB support in framework

When I was researching frameworks 3 years ago I looked at Doctrine as a DBAL and even contributed a few patches to the project, but eventually got frustrated enough to bail on it and go with ZF’s vanilla approach. Should I try out Doctrine again or use something like Slim and keeping all my existing ZF1 database code?