[Owasp-cert] Pain Points

J. Oquendo sil at infiltrated.net
Wed Jul 23 14:03:44 EDT 2008


james at architectbook.com wrote:

| 1. What do we envision the biggest pain points to be in executing the
| vision of OWASP certification?
| 2. Anyone game to figure out the best practice for capturing questions
| and their answers?
| 3. Sooner or later we need to figure out the process for weeding out the
| numerous duplicate/redundant/worthless/pointless questions that may
| arise. Should we have some rules?
| 4. Independently of the integrity of the questions, how will we
| determine the answers are worded so as to not create serious confusion
| for exam takers?
| 5. I am a big believer in attribution and will desire to give a sense of
| diversity of those who have participated. I was thinking about listing
| first name, last initial, job title and country. Employer would be
| optional but I suspect that most would be suppressed to allow this form
| of acknowledgement.


1) Vendor Neutrality

Keeping things in a format that keeps the majority of the test focused
on say IIS, Windows or Linux, Apache, etc., keeping test takers mum and
holding this cert in high regard. Unlike some of my other certs which
are now dart board fodder... It would be difficult to stop individuals
taking the exam from creating uberly stupid cheat sheets. Definitely
wouldn't want it going through a cert factory process where everyone
including an isolated chipmunk without a computer downloads answers.

A mechanism that might get around to say "de-certifying" someone would
be to create *1* particular question per test taker where you know if it
was ever posted online, it could only come from one source, but that's
time consuming.


2) Question pool perhaps

Split the topics into an area, then poll for questions, weed out the
weak questions, re-poll... Strengthen

3) Unsure... Been @ work since 5am brain not functioning ;)

4) Stop the press... E.g.:

What is an XSS attack?

1) Cross site scripting
2) IRC denial of service
3) Attack on the X Windows system
4) all of the above

Even if I wasn't involved in security I could likely pick this answer
using deductive reasoning without understanding the industry. Let's see
I'm taking an exam on web applications... IRC is not web based really,
nor is X Windows... Hrmm Cross Site?

As opposed to:

What's the difference between a persistent and non-persistent XSS?
1) answer a
2) answer b
3) answer c
4) answer d

I believe a little confusion is necessary to weed out easy answers. I've
seen far too many exams where it was easier to remove (for lack of
better terms and sleep) *idiotic* answers. Skip the question, look for
something that makes sense with a keyword from the question.

It's a bit more challenging and rewarding from my perspective to have a
good exam, one that makes you actually take a step back and re-read the
question at least once before skipping to an answer. I thought about say
an entire Unicode based question where the test taker had to convert
something in Unicode - a la binary translation in say the Cisco exams.

But knowing how things have been structured in the past, the choices in
answers can be a dead giveaway.

5) see answer #3
