[Owasp-cert] Is this an evil thought?
matthew.chalmers at owasp.org
Sun Jul 27 17:04:44 EDT 2008
Absolutely not, no. Neither you nor any other single person should be the
only person that knows/keeps all of the questions/answers. My earlier
suggestion was that no one person has access to all the questions; rather,
different sets of people have access only to different (mutually
exclusive) sets of questions. This will require a storage method with
proper authorisations, but shouldn't be too hard to develop. Heck it could
simply be multiple encrypted zip files or something easy like that. The
method doesn't matter, only the confidentiality and integrity of the data.
So no 'admin' account that can see all data and no 'policy-based' security.
Otherwise it should be a board that has access to all of them. David's
right, we definitely need a 'board' or group of selected folks who have
access to the question and answer pool for reviewing, refining, selecting,
enhancing, etc. It shouldn't be one person nor should it be open to the
No matter how much James really, really, really, really (really...) hates
NDAs I don't see a way around some kind of signed, legal confidentiality
agreement for the people who are privy to a significant number of testable
entities (whether they're questions, scenarios, etc.). OWASP's reputation
will be at stake if somebody leaks enough info such that anybody can walk in
to the exam and have a good chance at passing. OWASP is a legal private
foundation in the U.S. and violating its trust should be subject to U.S.
legal repercussions. Just like if someone violated one of the FLOSS licenses
on the tools and documentation it creates. No different.
It would be easy to create a separate, private mail list for whoever's on
the peer review board to discuss the cert's IP. It can only be joined by the
approval of a moderator and archives are not stored publicly. OWASP already
has such lists. But this list should only be used for discussing
questions--no other aspects of the cert project.
Yes we're between a rock and a hard place in a way because OWASP and its
projects are supposed to be open to anybody, however, this is not like most
other projects. It's not a simple tool or documentation. A test is worthless
if the questions and their answers are made public. The rest of the project
can be open--there are many other decisions to be made other than the pool
of questions and their correct & incorrect answers (for argument's sake it's
easier to think of it that way, whether or not it turns out to be
otherwise). I think that part--the data, rather than the metadata and
process so to speak--must remain non-public and known only to select few.
Even other OWASP leaders might want to GET this cert, and if they are privy
to all (or even a significant part) of the data on the test, they'll have an
unfair advantage. It's a conflict of interest. Plus, the more people know
the questions, the more risk there is of a leak, intentionally or
unintentionally, and the more difficult it will be to determine
accountability. One single person is insufficient--nothing should be
completely entrusted to a single individual--but beyond two the risk does
On Sun, Jul 27, 2008 at 2:47 PM, David H. <dmalloc at users.sourceforge.net>wrote:
> On Sun, Jul 27, 2008 at 8:43 PM, Amro Ahmed <amro at owasp.org> wrote:
> > Yeah, I would highly recommend that.
> Not to mention that this then ceases to be an open and peer reviewed
> process. I would greatly dislike such an approach.
On Sun, Jul 27, 2008 at 1:18 PM, <james at architectbook.com> wrote:
> In order to protect the integrity of the exam, should I be the only person
> that knows all of the questions/answers? Likewise, security is ensured if
> the actual questions/answers aren't sent to this listserv as there may be
> lurkers? What do you think of question creators sending directly to
> reviewers with only a CC to me?
> Owasp-cert mailing list
> Owasp-cert at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-cert