[Owasp-cert] Marketing Question One

Matthew Chalmers matthew.chalmers at owasp.org
Fri Jul 25 21:32:56 EDT 2008

proposal to which you're referring? I've read it...that and the project home
page (http://www.owasp.org/index.php/Category:OWASP_Certification_Project)
should be required reading for anyone involved/on this list!

When I took the survey I didn't interpret the question the same way. I
thought when it was asking if multiple exams was preferred it was asking
about a single cert. So to get one OWASP cert (if there is more than one)
you have to sit for two or more exams. To get another OWASP cert you sit for
another two or more. Multiple levels can come from multiple scoring ranges
on one or more exams, multiple exams, or multiple sets of multiple
exams...and so on. Or a level may not require an exam at all, maybe an
interview (as you mentioned "in person" below).

I do like the idea of at least for advanced level if not everything
requiring something other than a written (computer based/scan-tron/whatever
medium) exam. I helped one of my former employers develop a hands-on ethical
hacking skills exam. No traditional questions. Not even any concrete
objectives, just do a pen test on a given IP and report on what you found.
We had to go through several pilots to get results consistent though. I've
also stood military boards and taken the DLPT several times which (for two
out of three areas anyway) whilst it has multiple choice answers the
questions aren't simply questions that have an answer--you have to read or
listen to some situation/material and then answer a question about it...kind
of like your standardised test "word problems" in a way, but not exactly
since it's a foreign language.

Regarding the level titles, how about apprentice, journeyman, master? :-)
Or, simply I, II and III...that way there could be a IV or V if ever needed.
Or we might have a fairly 'easy' entry level at I requiring no exam just
documented training/experience, and II is when you really have to know some
stuff, III harder still, or requiring more time in the field, etc. Just
throwing out ideas. Another is that we might have something like "OWASP
Certified Secure C Developer" and "OWASP Certified Secure Java Developer"
etc. The thing we have to deal with is, if you genericise secure development
to be non-language-specific, not everyone can apply everything to just any
language, and likewise someone who can write solid, secure C code might not
be able to do the same in Java, or whatever. Also we aren't just talking
about development in languages but maybe also as a web server administrator,
infosec person who normally does firewalls that wants to specialise in web
firewallying, etc. The Proposal does mention development, architecture, and
design. I think maybe the goals weren't necessarily written with clear
differences in mind though. (Of course the Proposal also 'dictates' that
there will be ONE exam and it WILL cost $150. So why are we discussing these
things? There are several other things in the Proposal that will hamper us a
little or a lot.)

I am curious to know what 'guidance' was provided by chapter leaders. Or was
everything in the proposal hashed out and decided by them?


On Fri, Jul 25, 2008 at 7:15 PM, <james at architectbook.com> wrote:

> In terms of whether it makes sense to have more than one exam, according to
> the survey data (I will circulate results once we close) it looks like many
> desire multiple exams. Personally, I hate to sit in the same place for
> multiple hours. So, if we have multiple exams, it can result in multiple
> levels.
> Honestly, we haven't really landed on the name of the certification, but
> did explore multiple levels. Not to reinvent the wheel nor avoid reinventing
> the wheel but some aspects/guidance was provided by other OWASP chapter
> leaders which shaped the original proposal. I am curious if everyone here
> has seen the proposal which is posted on the OWASP site.
> What do you think about developer, architect and master as the three
> levels? The third level is in person while the other two are computer exams?
>   -------- Original Message --------
> Subject: Re: [Owasp-cert] Marketing Question One
> From: "Matthew Chalmers" <matthew.chalmers at owasp.org>
> Date: Fri, July 25, 2008 6:52 pm
> To: dmalloc at users.sourceforge.net
> Cc: Owasp-cert at lists.owasp.org
> Figuring out the purpose of the cert is something I definitely think
> needs to be discussed but I don't necessarily think we should be talking
> about whether our cert should be free, cheap, expensive, or anything else
> until we've gotten to a point in its development when we actually know what
> it's going to cost OWASP to offer it, if anything--at which time we can
> figure out if seeking sponsorship/grants is feasible or appropriate.
> Besides, there may be more than one cert, or there may be one exam to
> ascertain more than one level of skill (e.g. if you get 70% right you're
> basic, 80% intermediate, etc.). Additionally, if the purpose is to assess
> knowledge, that might be different from assessing experience--or the latter
> might be adjunct to the former. If the purpose is just to see how much one
> retained from a training course or book, I don't think that necessarily has
> much weight and it should be part of the training course/book fee, if any.
> Matt
> On Fri, Jul 25, 2008 at 10:46 AM, David H. <dmalloc at users.sourceforge.net>
> wrote:
>> On Fri, Jul 25, 2008 at 4:45 PM,  <james at architectbook.com> wrote:
>> > Should certification be free to employees of organizations that sponsor
>> > OWASP (http://www.owasp.org/index.php/Membership)?
>> >
>> What is the purpose of the certification drive? If it is to promote
>> sane OWASP and to ensure that people are continually educated then
>> certification should be free for everyone. We would need to seek other
>> means of sponsorship and grants to make that happen. I personally
>> think that a peer reviewed model which is free to all is the best way
>> forward.
>> -d
>> --
>> Sent from gmail so do not trust this communication.
>> Do not send me sensitive information here, ask for my non-gmail accounts.
>> "Therefore the considerations of the intelligent always include both
>> benefit and harm." - Sun Tzu
>> _______________________________________________
>> Owasp-cert mailing list
>> Owasp-cert at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-cert