[Owasp-training] FW: [FWD: Certified OWASP training program]
Sandra Paiva
sandra.paiva at owasp.org
Tue Dec 14 10:26:23 EST 2010
Sandra Paiva
OWASP Training Manager <http://www.owasp.org/index.php/User:Sandra_Paiva>
From: Sandra Paiva [mailto:sandra.paiva at owasp.org]
Sent: Tuesday, 14 December 2010 14:08
To: 'Ed Adams'; 'dinis cruz'
Cc: 'James McGovern'; 'cassio at owasp.org'; 'kuai.hinojosa at owasp.org'; 'Robert
Hansen'; 'Jeff Williams'; 'Paulo Coimbra'
Subject: RE: [FWD: Certified OWASP training program]
Excellent, Ed! I will be waiting for your confirmation!
Best regards,
Sandra
Sandra Paiva
OWASP Training Manager <http://www.owasp.org/index.php/User:Sandra_Paiva>
From: Ed Adams [mailto:eadams at securityinnovation.com]
Sent: Tuesday, 14 December 2010 13:56
To: 'Sandra Paiva'; 'dinis cruz'
Cc: 'James McGovern'; cassio at owasp.org; kuai.hinojosa at owasp.org; 'Robert
Hansen'; 'Jeff Williams'; 'Paulo Coimbra'
Subject: RE: [FWD: Certified OWASP training program]
Thank you, Sandra. I will review the information you reference below.
Regarding the meeting in Lisbon in January, I will not need help from OWASP
to cover expenses but thank you for the offer. I will check with my team
and calendar and let you know if I can be there presently.
Kind regards,
Ed
From: Sandra Paiva [mailto:sandra.paiva at owasp.org]
Sent: Tuesday, December 14, 2010 8:48 AM
To: 'Ed Adams'; 'dinis cruz'
Cc: 'James McGovern'; cassio at owasp.org; kuai.hinojosa at owasp.org; 'Robert
Hansen'; 'Jeff Williams'; 'Paulo Coimbra'
Subject: RE: [FWD: Certified OWASP training program]
Hi Ed, all,
The working sessions on OWASP Academies will take place on the 5th and 6th
January - Dinis has already summarized what we are trying to achieve there,
but please see here for all the info -
http://www.owasp.org/index.php/OWASP_Academies#tab=About
I also believe that both the OWASP Academies and the certification
methodology here discussed are intertwined with the effort we are making to
create and establish a solid model for the OWASP Training - this is a
model under which the training is free for OWASP members, delivered by OWASP
Leaders (with only travel expenses paid) and covering OWASP modules and/or
projects. http://www.owasp.org/index.php/OWASP_Training#tab=About
So, yes - I think we have plenty to explore here and it would be fantastic
if you could be involved in this process!
Do you think you would be able to join us in Lisbon for this meeting? If so,
could you let me know whether you will be able to get sponsorship or if
you'll need help from OWASP to cover your expenses?
Many thanks!
Sandra
Sandra Paiva
OWASP Training Manager <http://www.owasp.org/index.php/User:Sandra_Paiva>
OWASP Academies mailing list archives -
https://lists.owasp.org/pipermail/owasp-academies/
OWASP Academies wiki page -
http://www.owasp.org/index.php/OWASP_Academies#tab=About
From: Ed Adams [mailto:eadams at securityinnovation.com]
Sent: Tuesday, 14 December 2010 13:09
To: 'dinis cruz'
Cc: 'James McGovern'; cassio at owasp.org; kuai.hinojosa at owasp.org; 'Robert
Hansen'; 'Jeff Williams'; 'Sandra Paiva'; 'Paulo Coimbra'
Subject: RE: [FWD: Certified OWASP training program]
Dinis, what are the dates for the January working session in Lisbon? I'd
be happy to attend if I can make it.
Ed
From: dinis cruz [mailto:dinis.cruz at owasp.org]
Sent: Tuesday, December 14, 2010 8:00 AM
To: Ed Adams
Cc: James McGovern; cassio at owasp.org; kuai.hinojosa at owasp.org; Robert
Hansen; Jeff Williams; Sandra Paiva; Paulo Coimbra
Subject: Re: [FWD: Certified OWASP training program]
Great stuff
Not wanting to push your schedule to the limit, but there is going to be a 2
day working session in early January (also in Lisbon Portugal) that is going
to be 100% focused on the OWASP Academies / OWASP Education, and if you
could be there, we should be able to expand the scope of that session to
'OWASP Academies and Certification' (since the target audience is the same
and I'm sure the participants will be very interested in this thread).
Sandra is also organizing that meeting, so if you can make that one too,
that would give us a great timeline to the Summit (since that is our plan
for the OWASP Academies: Use the early January session to 'complete the
vision' + 'prepare the materials' + 'create action plan' , all of which
would be then presented a month later at the Summit)
Dinis Cruz
On 14 December 2010 12:49, Ed Adams <eadams at securityinnovation.com> wrote:
Dinis, I agree this is very exciting, and I am hopeful we can build
Certifications built on top of OWASP materials. I have been thinking about
it for a long time, as I'm sure you all have :)
To address your question regarding OWASP vs. SI brand, my main motivation
for suggesting an OWASP-branded program is twofold:
1. To avoid the conflict of interests to which you refer below.
a. If this is seen as a vendor (SI) program vs. an OWASP program, I
think it would be less accepted by the industry at large. Further, without
the endorsement of the OWASP Community (or at least the Edu board) the
program will have less of a chance to succeed.
b. My assumption is that endorsing a vendor-branded program would be
taboo (again, bias, COI, etc.). Perhaps I'm mistaken and you have other
ideas on this.
2. To create the financial synergies that will help OWASP get more
funding and further promote its mission. Yes, SI can contribute to OWASP in
other ways, but I think a program such as this can generate substantial
income that can be utilized as the OWASP boards see fit.
BTW, I think the concept of publishing all questions is a fine one, provided
the pool is comprehensive enough. I had not considered the idea prior to
Jim's email; however, upon review and discussion with our education team
here, we see the value of doing so, esp. in such an open-minded community
as OWASP.
I will also engage with Sandra and have the team here review the OWASP
Academies efforts to ensure we consider the work being done there and the
plans for expansion.
Please note, I am fine with either an OWASP- or SI-branded Certification
program based on OWASP materials. I do believe that an OWASP-branded program
would carry more weight and instant credibility; however, if you see
potential conflicts in the model, it is worth discussing in detail. As a
point of experience, I am concerned with an SI-branded program in the
absence of an OWASP endorsement; one without the other would be challenged
to succeed, imo. Hence my suggestion for the OWASP brand, but as I mention,
I am perfectly comfortable discussing the pros and cons of each option.
Finally, yes, I am able to attend the OWASP Summit in Portugal in February
to wrap up this conversation thread. I would be glad to participate in or
lead some Working Sessions on the topic. And I would be thrilled if we're
able to launch the first prototype at the Summit. With whom shall I work
regarding these logistics?
Best regards,
Ed
From: dinis cruz [mailto:dinis.cruz at owasp.org]
Sent: Tuesday, December 14, 2010 7:07 AM
To: Ed Adams
Cc: James McGovern; cassio at owasp.org; kuai.hinojosa at owasp.org; Robert
Hansen; Jeff Williams; Sandra Paiva; Paulo Coimbra
Subject: Re: [FWD: Certified OWASP training program]
Hi Ed
Thanks for your proposal and the time/effort you are putting into this.
I would like to understand better why you don't want the SI branding?
Doing this as an exclusive agreement with OWASP (with SI being a white
label) is actually harder for us since we have to make sure that there is
complete transparency and openness in all our actions.
Since the focus of the courses will be (as you very well describe) in
"Certifications on OWASP xyz" , I think the model you propose will be easier
to implement and easier to be accepted by the Community, if it is
independently executed by a trusted 3rd party (note for example that since
we cannot have any 'closed' information at OWASP, the issue of the
confidentiality of the 'Answers to the Certification Questions' would be a
deal breaker (unless you want to play the game where all questions are
public :) and even then there would be a ton of logistical/independence
problems ))
I also would like to see the financial connection between the two parties
be minimal, since a strong/direct relationship would create serious
conflicts of interest within the OWASP community. For example, it would be
better for OWASP if SI (or whoever is running these certifications) would
have a big participation at OWASP events (maybe being a Gold sponsor at a
number of our conferences) versus SI giving OWASP a percentage of the
certification income.
I'm taking into account that if such certification is a success, OWASP
should have significant financial benefits from the side effects of
increased awareness of the OWASP brand and projects (more
corporate/individual memberships, conference sponsorships and
participation). I also like the positive pressure (for quality) that this
will have on our projects.
Also, Ed, can you take a look at the OWASP Academies effort that we are
currently implementing? There are a LOT of synergies here and we should
align these efforts. Sandra (CCed) is leading this initiative, and she will
send you a number of links to the OWASP Wiki pages that contain detailed
information about 'where we currently are' and 'what are our plans'.
Finally, the OWASP Summit (Feb 2011 in Portugal) would be the perfect place
to wrap this conversation up and maybe even launch the first prototype (see
http://www.owasp.org/index.php/Summit_2011 for more details). Are you able
to go there? If so, we should add a number of Working Sessions on this topic
(see http://www.owasp.org/index.php/Summit_2011#tab=Schedule_and_Tracks for
the current list of Working Sessions; note that there are a number of OWASP
Academy sessions missing from that list).
This is very exciting, I feel we are really close now to having Certifications
built on top of OWASP materials :)
Thanks again for your efforts, Ed.
Best regards,
Dinis Cruz
On 13 December 2010 21:52, Ed Adams <eadams at securityinnovation.com> wrote:
Thank you both for the well-considered responses. In turn, this is my
thinking regarding OWASP certification. Please pardon the delayed response,
btw; much international travel followed by a holiday consumed most of my
November and early December.
I try to address your comments in sequence below and have re-factored a bit
for organization's sake. Also, for your edification and reference, I provide
a bit of background on myself and Security Innovation (SI) here:
· SI founded in 2002 as a university spin-off from Florida Institute
of Technology and has been specialized in software security since its
inception. Founder is Dr. James A. Whittaker (now at Google.)
· SI launched AppSIC in 2004 (Application Security Industry
Consortium), a non-profit trying to establish and define cross-industry
application security guidelines and measures. Charter members included
Microsoft, SAP, Oracle, Gartner, IDC, AMEX, ING, GE, Credit-Suisse, Red Hat,
Symantec, Compuware, and others. AppSIC eventually disbanded and morphed
into the ISV-driven SAFECode.
· SI has a robust training and content library that we would
contribute (re-branded of course) as part of any Certification on OWASP
<XX> program. See http://teammentor.securityinnovation.com/ and
http://elearning.securityinnovation.com/ as reference. Note: we have 8 new
eLearning courses coming online this month and another 12 in Q1'11.
· I ran the VeriTest business unit of Lionbridge for several years;
there I was responsible for the BU's P&L including numerous certification
programs, e.g., "Certified/Designed for Windows", "CITRIX ready", "Powered
by NetWeaver", "AT&T Certified Solution", etc.
Topical areas:
· No problem in creating Certifications around OWASP materials (i.e.
not 'OWASP Certifications' but 'Certifications on OWASP {put project name
here}'); this is great. The more specific a cert program is, the better, and
OWASP is well-organized into projects that lend themselves to certification,
imo.
1. The key, in my experience, is to start with one (the market will
select the most popular one and SI is glad to do the market research on
this) and build from there. Your suggestion of an OWASP cert for QA professionals
sounds perfectly reasonable to me; I suspect it might not be the first one
to offer, but I can see it evolving from a program of OWASP certs. Perhaps
auditors or program managers would be first; perhaps developers would still
warrant the most demand; I'm not sure, but am willing to find out on behalf
of (or in coordination with) the team here.
· No structure at OWASP that can handle the exam and certification
process (and there is no plan to create one in the short to medium term.)
This is where a partnership with SI can be fruitful. A certification program
needs several key elements:
1. Content. Ideally, a set of guidelines or standards against which
one can test and measure.
2. A sponsor. Here, the key is to have a sponsor that has a platform
and/or a mass audience that cares about the content or platform; this is
OWASP. By contrast, a vendor-sponsored cert program is doomed to fail, as it is
clearly a for-profit endeavor with no supporting platform or mass appeal.
3. Infrastructure. This includes the morphing of the content into
training or guidance, the hosting of automated content delivery and/or
assessment, and the means through which to brand accordingly for the
sponsor. This is what SI brings to the table. We have done this for several
well-known industry security standards that require certification as well
as universities who offer a security certificate as part of their continuing
ed programs.
· Certifications succeed when the people who have them are somewhat
plentiful. I agree fully and understand the paradox you seem to have with
wanting to maintain a high bar (not another watered-down cert) whilst
appealing to a large audience (effective critical mass for a program.) We
have managed to address this problem in the past and are glad to share our
success factors with you and do the same for OWASP.
The program I would recommend would have no SI branding or visibility
whatsoever. Part of our contribution to OWASP would be both in content (see
above) as well as in the infrastructure and expertise in managing the
certification program(s). I would like to propose a program where SI builds
an eLearning platform (we have an LMS to contribute) that is branded as
OWASP. It would contain eLearning courses based on OWASP materials and would
offer, at first one, but later several certifications based on the OWASP
eLearning materials and exams to be passed at key milestones (completion of
course X, Y, etc.)
The business model I would suggest is a revenue share, which will help OWASP
further promote itself. Meanwhile, SI would remain an invisible partner in
the background. We never have, nor would we ever, want any visibility. Our
skin in the game would be assuming all the risk of creating the content
and getting the platform online (an expensive endeavor.) I would actually
prefer a white-labeled program vs. a listing of commercial services as
mentioned below. My objective is to create something of value to the
community, to the organization itself, and to SI (if only financially.)
This model seems consistent with the OWASP training we've delivered at
several OWASP events in the past: there is a revenue share; meanwhile, all
content and value goes to either the OWASP community in attendance and/or
the OWASP org itself.
I'd like to continue the conversation if you feel there is merit. I can get
much more specific in terms of a recommendation for next steps; however,
before we proceed much further, I'd like to solicit your feedback on the
content I've written here. If you feel such a program is inappropriate or
doomed for failure, no worries. Seems like there is some real potential
here and I thank Cassio, once again, for making the introduction.
My contact info is below for your reference. Best regards, all.
Ed
--------------------------------
Ed Adams
Security Innovation, Inc.
187 Ballardvale St.
Wilmington, MA 01887 USA
+1.978.694.1008 x123 (o)
+1.781.354.0342 (m)
+1.978.694.1666 (f)
eadams2330 (Skype)
www.securityinnovation.com
Security Innovation - the Software and Crypto Security Company
From: dinis cruz [mailto:dinis.cruz at owasp.org]
Sent: Thursday, November 04, 2010 1:57 PM
To: James McGovern
Cc: cassio at owasp.org; kuai.hinojosa at owasp.org;
eadams at securityinnovation.com; Robert Hansen
Subject: Re: [FWD: Certified OWASP training program]
Hi Ed,
Certification has historically been a hot topic at OWASP, with the reasons
being a mix of 'allergy' to certifications by a considerable part of our
community and the problems in creating an OWASP Certification that is
compatible with the OWASP Openness model.
James McGovern (as he describes below) did an amazing job at trying to
create a Certification for OWASP; unfortunately it was probably too soon for
the OWASP community and we (at the time) didn't have a good picture of how
it could be made to work (and part of that is my fault since I was part of
the group that had a problem with the 'need to have closed questions and
answers' requirement).
Here are a couple of comments, which will hopefully clarify the current
situation:
* There is no problem in creating Certifications around OWASP
materials (i.e. not 'OWASP Certifications' but 'Certifications on OWASP {put
project name here}' (we could even have a generic 'Certification on
OWASP'))
* The problem is in OWASP running this certification (which, mainly for
the need to have 'closed' questions, is a non-starter)
* The only way I could see an 'OWASP Certification' being created is
one where ALL Questions and Answers are publicly available on the OWASP
Website (and if you think about this idea for a bit, you'll see that it
should work once the number of questions is significantly larger than the
questions asked in the exam)
* Even in the case where there is an 'OWASP Certification' or
'Certification around OWASP materials', there is no structure at OWASP that
can handle the exam and certification process (and there are no plans to
create one in the short to medium term)
* The best (and most realistic) scenario is one where 3rd party
commercial companies (like SI) use OWASP as the 'body of knowledge' and
manage themselves the Question generation, Certification brand and Exam
process (of course that OWASP Leaders could be independently involved in
this process (for example helping writing questions) but it is very
important to understand that there is no structure at OWASP that could be
officially involved in this process (for example if SI wants to hire an
OWASP Leader to participate that will need to be a commercial arrangement
between SI and that OWASP Leader)
* In terms of the focus of the Certifications, James presents (below)
a couple of good examples of potential target audiences. I would add another
audience that Robert Hansen (CCed) has tried to push OWASP to do, which is
the QA professionals. I.e. create an 'OWASP for QA' Certification that focuses
on the minimum WebAppSec knowledge that these key SDL players should have.
* Ultimately there should be a number of 'OWASP based' Certifications
in the market, and it should be the market that decides which one they trust.
* Although it would be hard for OWASP to 'officially' endorse a
certification, we now have (in 2010) a number of ways that OWASP can give a
lot of visibility to Certifications that are created around OWASP materials:
  * Public reviews of certifications delivered at OWASP Conferences
  (created by OWASP Leaders who go through the process)
  * Create an 'OWASP Quote' where OWASP Board+Leaders can make an 'on
  the record' comment on an OWASP-based certification. See
  http://www.owasp.org/index.php/Quotes for an example
  * List Certification(s) on a 'Commercial Services' registry that is
  still under development but is a perfect medium for this (see
  http://www.owasp.org/index.php/OWASP_Related_Commercial_Services)
So, in a nutshell: Certifications are very important to OWASP and are
something that, if done correctly, would have tremendous value to OWASP's
community and help to reach a much wider audience.
Ed, can you share some details on your ideas?
Dinis Cruz
On 4 November 2010 16:15, James McGovern <JMcGovern at virtusa.com> wrote:
Approx two years ago, I led a project to create an OWASP certification. At
the time, the collective OWASP community concluded that we should not go
forward due to the fact that by definition, a certification exam usually
mandates that all information is closed source. Likewise, in order for a
certification to be picked up by the Federal Government, they require ISO
certification which counters an open notion in this regard.
Of course, I argued for dual licensing approaches but that didn't seem to
fly with the masses. Independent of any open/closed debate, I do believe
there are other challenges with the primary challenge being the simple fact
that no one in the OWASP community can collectively define what makes a
great appsec professional. In simple terms, some of us are builders while
others are breakers. We as a community all have our own strengths and
weaknesses and certification that focuses on one or the other could cause a
divisive factor.
The one thing that the community at large did collectively like is to have a
certification with a high failure rate. The notion that you could simply
attend a bootcamp and become an Application Security Specialist or similar
constructs was universally endorsed. We wanted to raise the certification to
a higher bar but in order to do so, at many levels is in conflict with the
need to market the certification. Certifications succeed when the people who
have them are somewhat plentiful (think PMP, CISSP, etc). Since our numbers
would be lower in using higher standards, the ability for it to be
successful in the marketplace may be lower.
My 2010 thinking is a little different in that if I were to resurrect the
effort, I would actually take a different approach. Previous efforts were
targeted towards developer/architect types where nowadays, I am more
inclined to focus on project managers and auditors as the body of knowledge
is a lot more sane. It is more reasonable to expect someone to know the Top
Ten, SAMM, CLASP and Risk Rating than it would be for developers to get
their heads around building and breaking, three different guides, ESAPI,
AntiSamy, CSRFGuard or the dozens of other developer-oriented projects OWASP
is currently championing.
I would say that developers are important and they too need their own
certification, but maybe I would center it around the analysis thought
process. For example, Dinis and his O2 pursuits are finding and discovering
additional ways to look at findings, which is valuable regardless of what
role you may play in the SDLC.
Anyway, figured I would share a few thoughts. Look forward to continued
dialog on this topic.
---------- Forwarded message ----------
From: Cassio Goldschmidt <cassio at owasp.org>
Date: Wed, Nov 3, 2010 at 2:41 PM
Subject: Certified OWASP training program
To: dinis cruz <dinis.cruz at owasp.org>, Kuai Hinojosa
<kuai.hinojosa at owasp.org>, eadams at securityinnovation.com
Dinis, Kuai:
I'd like to introduce you to Ed Adams, CEO of Security Innovation. Ed has
some ideas about developer certification that can help move the industry
forward and help OWASP to fulfill its vision of making security visible.
There is an increasing need for certifications in the SDL and the only
credible provider in the market today is (ISC)2. Ed believes that working
together OWASP and SI can provide another choice to the market.
Ed:
Both Dinis and Kuai are very active OWASP members. Kuai leads the education
committee. Dinis is a very active board member and the master mind behind
the upcoming OWASP Summit.
Best Regards,
Cassio