[Owasp-board] [Committees-chairs] SANS

Jim Manico jim.manico at owasp.org
Wed May 2 02:50:42 UTC 2012

Dan's email is getting rejected by the board list, see below.

Jim Manico
(808) 652-3805

On May 1, 2012, at 7:00 PM, Dan Cornell <dan at denimgroup.com> wrote:


This proposal has made me uncomfortable for a bit but I have struggled to
articulate why. I'm generally negative on IT certifications and I've been
vocally negative on OWASP Certifications in the past so that certainly has
something to do with this feeling, but perhaps that isn't all of it. I
think I finally have a couple of semi-coherent thoughts on the matter:

(1) Brand Confusion:
-It has been tough for me to keep track of what OWASP would be doing, what
SANS would be doing and what GIAC would be doing. Think of how this would
be for folks who were new to the application security space. We can play
word games all we like, but on first glance a SANS-based certification and
training regimen would look to be –THE– accepted way that OWASP suggests
folks train their people and certify who is qualified.
-Also SANS has been calling their application security-focused conferences
AppSec. I believe OWASP started that in New Jersey back in good old 2004
(https://www.owasp.org/index.php/OWASP_AppSec_NYC_2004). Seems pretty easy to
confuse the two. Perhaps this is a separate issue…

(2) Straw Man: The OWASP Scanner
-Instead of an OWASP Certification, let's say that a specific company (ABC
Corp) wanted to develop and market an "OWASP App Scanner." ABC Corp has
never been a Corporate Supporter (https://www.owasp.org/index.php/Membership)
but they want to develop a dynamic scanning technology, pay the OWASP
community to develop rules for that scanning technology, but they want to
keep the rules and the source code to the scanner proprietary. But they
promise to pay OWASP some percentage of the scanner revenues and they need
to market this scanner as an "OWASP App Scanner." Is that a reasonable
analog to this situation? How would the OWASP community feel about that?

I know most of the SANS folks that have been mentioned in this thread and
I agree that they're legit people and not monsters. Also I talked to Dennis
Kirby a year or so ago about SANS becoming an OWASP Corporate Supporter but
had no luck – perhaps I'm part of the "communication problems" on our side,
but I feel like I made a decent case and SANS chose not to get involved.

I suppose this feels to me like SANS trying to take a lot of advantage of
the OWASP brand with no history of contribution to OWASP (and arguably,
given conference naming, a negative history in that regard). And I'm not
sure what OWASP gets in return. Some revenue – which is nice. But how would
a move like this impact OWASP's ability to interact with other potential
industry and corporate supporters in the future?

Again – not trying to be super-negative on this, but the proposal sets my
OWASP spider sense a'tingling and I think we, as a community, need to be
very careful how we decide to proceed.



From: Martin Knobloch <martin.knobloch at owasp.org>
Reply-To: Martin Knobloch <martin.knobloch at owasp.org>
Date: Tuesday, May 1, 2012 5:17 PM
To: Jim Manico <jim.manico at owasp.org>
Cc: OWASP List <owasp-board at lists.owasp.org>, Helen Gao <helen.gao at owasp.org>,
Owasp Chairs <committees-chairs at lists.owasp.org>
Subject: Re: [Committees-chairs] [Owasp-board] SANS


Of course, we should review our goals and targets frequently. Just to
remind, this one was reviewed during the last summit in 2011. Just a bit
longer than a year ago.

This discussion should not be about if industry really needs a solid web
security professional certification, nor the sense and nonsense of
certification in general.

The question in the first place is if OWASP should actively get involved in
the certification business?
Second, can OWASP meet the requirements to maintain a valuable
certification or (third) do so with a partner organisation?

Therefore, can we stay independent if we choose any vendor (as the partner
should not be chosen before the questions above have been answered)
to enable OWASP certification in the name of OWASP!

Last, will this initiative benefit the industry in general and especially
the OWASP goals, targets without causing more harm than good.

Seeing the ongoing struggle keeping projects (tools and documentation) up to
date, I cannot see how we could create and maintain a valuable
I do not see how we can maintain independence by getting into such a
commercial market.

I do not see how the OWASP's mission, OWASP itself and the industry in
general would profit from this!

*From: *Jim Manico <jim.manico at owasp.org>
*Date: *Tue, 01 May 2012 14:42:12 -0700
*To: *Martin Knobloch<martin.knobloch at owasp.org>
*Cc: *Helen Gao<helen.gao at owasp.org>; OWASP Foundation Board List<
owasp-board at lists.owasp.org>; Owasp Committ Chairs<
committees-chairs at lists.owasp.org>
*Subject: *Re: [Committees-chairs] [Owasp-board] SANS


Perfection is a dynamic and moving target. I think it's prudent to re-start
this conversation, I state with respect.

The industry really needs a solid web security professional certification.
I feel it serves the mission well.

Aloha Martin!
- Jim

This has been proposed and discussed during the 'smaller Summit' during the
OWASP AppSec DC conference 2009.
The outcome was clear (as it was during the working sessions at the
Summits of 2008 and 2011), that the OWASP community was clearly against it.

As stated in the Red book of the OWASP code of conduct, "OWASP does not
endorse any certification".
This, first of all, would be harmed when supporting the SANS initiative.
Back in 2009, it was agreed with SANS that each OWASP member can be involved
and help SANS in this effort, as long as this is done in his or her own
name and title!
As chair of the Global Education Committee, the representative of SANS and
I agreed to continue this as a call to the OWASP community for members who
are willing to be involved in the SANS certification. Unfortunately, no
reply ever came back from her.

Not to forget, if SANS is planning a certification based on OWASP
material, that is what it is:
*As Certifications based on OWASP material, there cannot be an OWASP
Certification by SANS!

On Tue, May 1, 2012 at 3:28 PM, Helen Gao <helen.gao at owasp.org> wrote:

Helen's 2 cents: The subject of certification is very interesting indeed
and long debated within OWASP. SANS is well established and has a large
network. Their conferences are of quality but at a price. From the
Membership Committee's perspective, networking, free conference will
certainly add value to OWASP. Is this the 1st time SANS approached
OWASP? OWASP and SANS overlap, or compete, in a way. It makes sense
for the two to cooperate. As Eoin pointed out, the openness of the
content is probably the key issue.

On Tue, May 1, 2012 at 5:12 AM, Eoin <eoin.keary at owasp.org> wrote:

Sounds interesting.

Questions initially I have are:

Who controls the content?

Shall the content/examination be open source?

We did say that organisations can build a certification "based on OWASP"
but OWASP would not have an "OWASP certification".

Aloha :)


On 1 May 2012 09:44, Jim Manico <jim.manico at owasp.org> wrote:

SANS has offered to build an OWASP certification and give a percentage
of the proceeds to OWASP. They already have a GWEB certification that
could serve as a base for the program.

SANS has also offered to allow OWASP chapters to meet at its
conferences around the world, let folks attend OWASP meetings for free
(of course), serve drinks, and otherwise back off no-strings-attached.

SANS is of course a for-profit commercial enterprise.

Frank Kim, Denis Kirby and Jason Lam are the folks who run the SANS
AppSec program and made this offer to OWASP. They feel it's of value to
SANS just to have OWASP folks be aware that SANS exists, and they can
help the community at the same time.

I've known Frank and Jason for some time and think they are good eggs.
Worth discussing...

Jim Manico

Connections Committee Chair
Cheatsheet Series Product Manager
OWASP Podcast Producer/Host
jim at owasp.org
www.owasp.org

Eoin Keary
OWASP Global Board Member (Vice Chair)

