[Owasp-cert] Pain Points

J. Oquendo sil at infiltrated.net
Wed Jul 23 14:03:44 EDT 2008

Hash: SHA1

james at architectbook.com wrote:

| 1. What do we envision the biggest pain points to be in executing the
| vision of OWASP certification?
| 2. Anyone game to figure out the best practice for capturing questions
| and there answers?
| 3. Sooner or later we need to figure out the process for weeding out the
| numerous duplicate/redundant/worthless/pointless questions that may
| arise. Should we have some rules?
| 4. Independently of the integrity of the questions, how will we
| determine the answers are worded so as to not create serious confusion
| for exam takers?
| 5. I am a big believer in attribution and will desire to give a sense of
| diversity of those who have participated. I was thinking about listing
| first name, last initial, job title and country. Employer would be
| optional but I suspect that most would be suppressed to allow this form
| of acknowledgement.

1) Vendor Neutrality

Keeping things in a format that keeps the majority of the test focused
on say IIS, Windows or Linux, Apache, etc., keeping test takers mum and
holding this cert with high regards. Unlike some of my other certs which
are now dart board fodder... It would be difficult to get individuals
taking the exam from creating uberly stupid cheat sheets. Definitely
wouldn't want it going through a cert factory process where everyone
including an isolated chipmunk without a computer download answers.

A mechanism that might get around to say "de-certifying" someone would
be to create *1* particular question per test taker where you know if it
was ever posted online, it could only come from one source, but that's
time consuming.

2) Question pool perhaps

Split the topics into an area, then poll for questions, weed out the
weak questions, re-poll... Strengthen

3) Unsure... Been @ work since 5am brain not functioning ;)

4) Stop the press... E.g.:

What is an XSS attack

1) Cross site scripting
2) IRC denial of service
3) Attack on the X Windows system
4) all of the above

Even if I wasn't involved in security I could likely pick this answer
using deductive reasoning without understanding the industry. Let's see
I'm taking an exam on web applications... IRC is not web based really,
nor is X Windows... Hrmm Cross Site?

As opposed to:

What's the difference between a persistent and non-persistent XSS?
1) answer a
2) answer b
3) answer c
4) answer d

I believe a little confusion is necessary to weed out easy answers. I've
seen far too many exams where it was easier to remove (for lack of
better terms and sleep) *idiotic* answers. Skip the question, look for
something that makes sense with a keyword from the question.

Its a bit more challenging and rewarding from my perspective to have a
good exam, one that makes you actually take a step back and re-read the
question at least once before skipping to an answer. I thought about say
an entire Unicode based question where the test taker had to convert
something in unicode - a-la binary translation in say the Cisco exams.

But knowing how things have been structured in the past, the choices in
answers can be a dead giveaway

5) see answer #3

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Owasp-cert mailing list