[Owasp-board] [Committees-chairs] SANS
martin.knobloch at owasp.org
Tue May 1 22:17:05 UTC 2012
Of course, we should review our goals and targets frequently. Just to remind, this one was reviewed during the last summit in 2011. Just a bit longer than a year ago.
This discussion should not be about if industry really needs a solid web security professional certification, nor the sense and nonsense of certification in general.
The question in the first place is whether OWASP should get actively involved in the certification business?
Second, can OWASP meet the requirements to maintain a valuable certification or (third) do so with a partner organisation?
Therefore, can we stay independent if we choose any vendor (as the partner should not be chosen before the question above has been answered) to enable OWASP certification in the name of OWASP!
Last, will this initiative benefit the industry in general and especially the OWASP goals and targets without causing more harm than good?
Seeing the ongoing struggle keeping projects (tools and documentation) up to date, I cannot see how we could create and maintain a valuable certification!
I do not see how we can maintain independence by getting into such a commercial market.
I do not see how OWASP's mission, OWASP itself and the industry in general would profit from this!
From: Jim Manico <jim.manico at owasp.org>
Date: Tue, 01 May 2012 14:42:12
To: Martin Knobloch<martin.knobloch at owasp.org>
Cc: Helen Gao<helen.gao at owasp.org>; OWASP Foundation Board List<owasp-board at lists.owasp.org>; Owasp Committ Chairs<committees-chairs at lists.owasp.org>
Subject: Re: [Committees-chairs] [Owasp-board] SANS
Perfection is a dynamic and moving target. I think it's prudent to
re-start this conversation, I state with respect.
The industry really needs a solid web security professional
certification. I feel it serves the mission well.
> This has been proposed and discussed during the 'smaller Summit' during the
> OWASP AppSec DC conference 2009.
> The outcome was clear (as it was during the working sessions at the
> Summits 2008 and 2011), that the OWASP community was clearly against it.
> As stated in the Red book of the OWASP code of conduct, "OWASP does not
> endorse any certification".
> This, first of all, would be harmed when supporting the SANS initiative.
> Back in 2009, it was agreed with SANS that each OWASP member can be involved
> and helping SANS in this effort, as long as this is done in his or her own
> name and title!
> As chair of the Global Education Committee, the representative of SANS and
> I agreed to continue this as a call to the OWASP community for members who
> are willing to be involved in the SANS certification. Unfortunately, there
> never came any reply back from her.
> Not to forget, if SANS is planning a certification based on OWASP material,
> that is what it is:
> *As Certifications based on OWASP material, there cannot be an OWASP
> Certification by SANS!
> On Tue, May 1, 2012 at 3:28 PM, Helen Gao <helen.gao at owasp.org> wrote:
>> Helen's 2 cents: The subject of certification is very interesting indeed
>> and long debated within OWASP. SANS is well established and has a large
>> network. Their conferences are of quality but at a price. From the
>> Membership Committee's perspective, networking, free conference will
>> certainly add value to OWASP. Is this the 1st time SANS approached
>> OWASP? OWASP and SANS overlap, or compete, in a way. It makes sense for the
>> two to cooperate. As Eoin pointed out, the openness of the content is
>> probably the key issue.
>> On Tue, May 1, 2012 at 5:12 AM, Eoin <eoin.keary at owasp.org> wrote:
>>> Sounds interesting.
>>> Questions initially I have are:
>>> Who controls the content?
>>> Shall the content/examination be open source?
>>> We did say that organisations can build a certification "based on OWASP"
>>> but OWASP would not have an "OWASP certification".
>>> Aloha :)
>>> On 1 May 2012 09:44, Jim Manico <jim.manico at owasp.org> wrote:
>>>> SANS has offered to build an OWASP certification and give a percentage
>>>> of the proceeds to OWASP. They already have a GWEB certification that
>>>> could serve as a base for the program.
>>>> SANS has also offered to allow OWASP chapters to meet at its
>>>> conferences around the world, let folks attend OWASP meetings for free
>>>> (of course), serve drinks, and otherwise back off no-strings-attached.
>>>> SANS is of course a for-profit commercial enterprise.
>>>> Frank Kim, Denis Kirby and Jason Lam are the folks who run the SANS
>>>> AppSec program and made this offer to OWASP. They feel it's of value to
>>>> SANS just to have OWASP folks be aware that SANS exists, and they can
>>>> help the community at the same time.
>>>> I've known Frank and Jason for some time and think they are good eggs.
>>>> Worth discussing...
>>>> Jim Manico
>>>> Connections Committee Chair
>>>> Cheatsheet Series Product Manager
>>>> OWASP Podcast Producer/Host
>>>> jim at owasp.org
>>> Eoin Keary
>>> OWASP Global Board Member (Vice Chair)
Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host
jim at owasp.org