[Owasp-cert] Deadlines for August

Matthew Chalmers matthew.chalmers at owasp.org
Fri Jul 25 23:53:33 EDT 2008

I definitely see your point about writing the .NET version of WebGoat...of
course it's designed to be flawed, haha. ;-P I just thought of something
else too. When I got my GSNA it was back when SANS/GIAC was still requiring
a research paper rather than having it be optional for an extra gold star.
They obviously figured out some way to grade these papers. Is anyone from
SANS on this list? I wouldn't want people who failed to automatically start
ranting about a lack of objectivity...


On Fri, Jul 25, 2008 at 10:23 PM, <james at architectbook.com> wrote:

> Several thoughts:
> 1. For the record, I think we need to test above and beyond the OWASP
> Application Security Desk Reference Project. While it is over 1K pages, I
> still think it is incomplete.
> 2. I think it is safe to assume that most IT folks internationally or even
> next door just plain suck at written communication. This is a historical
> problem ever since we were called data processing.
> 3. In terms of essays, I think there is no need to worry. The last time I
> visited HR, I asked for a count of the number of languages spoken by my IT
> peers and at last count it was 43 distinct. During the day, I run around
> being enterprisey and don't have any issues with voluntelling some of my
> peers that they are now official OWASP reviewers. Folks from Microsoft,
> Oracle, IBM probably have counts even higher. So, the action item I guess is
> to noodle how to get country diversity into the mix. The problem you
> describe usually doesn't occur in the Americas or Europe and could be
> isolated to Asian & African countries.
> 4. I would actually say that one form of waiver from writing comprehensive
> documentation is to instead deliver working software. If someone who can't
> write a lick of English but decides to mercilessly contribute to writing the
> .NET version of WebGoat most certainly understands web application
> security...
>  -------- Original Message --------
> Subject: Re: [Owasp-cert] Deadlines for August
> From: "Matthew Chalmers" <matthew.chalmers at owasp.org>
> Date: Fri, July 25, 2008 10:18 pm
> To: "Gary Palmer" <owasp at getmymail.org>
> Cc: owasp-cert at lists.owasp.org
>  I like the idea of understanding in multiple distinct areas, kind of like
> domains in a 'CBOK'. I also like the idea of being able to redo pieces
> (after a certain amount wait time maybe) if we do go with some formula that
> gets you a higher level. For example if there are five domains...five exams
> maybe...we say you have to get at least x% in each to be a 'master' but if
> you do great on four of them but only average on the 5th, you're not a
> master until you retake that 5th part and get the minimum qualifying score.
> It's an idea anyway.
> I'm not so sure about the essay. I like essays and fill-in-the-blank in
> general, however, we're talking about a very wide audience, much wider than
> that of the CBEST. People who will want (and may deserve) an OWASP cert will
> not necessarily speak English, not necessarily have good written
> communication skills, etc. We're not testing those things, we're just
> testing...whatever we're testing relating to web application security. ;-)
> Also, if we grade tests rather than a third party like VUE, we may not get
> competent volunteers who speak every language in which we may offer the
> test. Plus even if we had the luxury of being able to require English, even
> good English, of our test-takers, that would mean we'd have to ensure our
> test-graders were that much more competent since they're reading essays
> rather than just checking to make sure the correct box was ticked. I wonder
> if an essay just for the highest level would be do-able even.
> Matt
>   On Fri, Jul 25, 2008 at 8:50 PM, Gary Palmer <owasp at getmymail.org>
> wrote:
>>  Interestingly enough, I am preparing for the CBEST which is the first
>> step in obtaining a teaching credential.  The CBEST is a 3 part exam, the
>> first deals with reading and comprehension, the second is math and the third
>> is an essay.  The R&C is split between knowing what you read, understanding
>> what you read, and then critical analysis/research analysis/authors
>> perspective/main point/feelings/etc.  The math seems to be fairly straight
>> forward.  The essay is 2 compositions, the first is analyze a given
>> situation and the other is to write about a personal experience.
>> The grading is scaled and the combined score must be passing.  There is a
>> minimum for each section to pass, but just missing in one and exceeding in
>> another to have a combined passing score will work too.
>> More at: http://www.cbest.nesinc.com/CA14_overview.asp
>> Maybe we should consider this type of approach, the essay would certainly
>> challenge the person and provide a record versus a personal meeting that may
>> be biased by personalities.  The different sections could measure depth and
>> understanding of knowledge for multiple degrees of certification.  Also the
>> CBEST allows repeats where you can focus on one section or repeat all, in
>> order to improve your scores.  An interesting approach and unique when I
>> compare to the assorted other certification exams I have taken.
>> Cheers,
>> Gary Palmer
>>  ------------------------------
>> From: owasp-cert-bounces at lists.owasp.org [mailto:
>> owasp-cert-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
>> Sent: Friday, July 25, 2008 5:53 PM
>> To: dmalloc at users.sourceforge.net
>> Cc: owasp-cert at lists.owasp.org
>> Subject: Re: [Owasp-cert] Deadlines for August
>>    No offense to James but again I agree with David. I think pure
>> multiple-guess should be avoided--not to mention a pure multiple-guess
>> product that's been rushed because of concerns with time to market or
>> delivering 'something ok' sooner rather than 'something good' later.
>> Matt
>> On Fri, Jul 25, 2008 at 7:40 PM, David H. <dmalloc at users.sourceforge.net>
>> wrote:
>>> > If we stick to simple multiple choice for the first exam, it means that
>>> > we have delivered something of value and can in the meantime buy us more
>>> > time to work on more complex scenarios.
>>> >
>>> That is exactly what I try to dispute. I do not see any value in
>>> Multiple Choice Questionnaires, not even when you are purely testing for
>>> relearned value. That stems from a long history with Multiple Choice
>>> Tests and the desire to create meaningful exams for a new paradigm of
>>> learning.
>>>  --
>>> Sent from gmail so do not trust this communication.
>>> Do not send me sensitive information here, ask for my non-gmail
>>> accounts.
>>> "Therefore the considerations of the intelligent always include both
>>> benefit and harm." - Sun Tzu
>> _______________________________________________
>> Owasp-cert mailing list
>> Owasp-cert at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-cert