[Owasp-cert] Deadlines for August

Joshbw joshbw at analyticalengine.net
Sat Jul 26 13:31:48 EDT 2008

On the subject of essays I’d like to add that in my experience being able to communicate effectively is absolutely necessary for security, whether it be explaining vulnerabilities found by pentesting to the devs that don’t necessarily understand the vulnerabilities (has anyone tried explaining CSRF to the unenlightened?) or justifying stricter security standards to high level development leads.  Multiple choice will not provide any analysis of said communication skills, which I think begs a broader question on what the intent of the cert really is.   From the project PDF it is stated that the following are goals:


- Allow employers to rate their developers and architects on security skills so they can be confident that every project has at least one "security master" and all of their developers and architects understand the common errors and how to avoid them.

- Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.

- Allow developers and architects to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.

- Allow employers to evaluate job candidates and potential consultants on their secure design & development skills and knowledge.

- Provide incentive for universities to include secure software design & development in required computer science, engineering, and programming courses.

- Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.


I interpret these goals to mean that the primary point is to testify to the utility of a cert holder to an employer (or business partner/customer of the employer).  The more generic we make the test(s), making it communication skills and language agnostic, shying away from country specific issues (such as SSN in the US, SIN in Canada, etc), and so forth, the more we are watering down the metric for gauging utility.  A company that does business in English (I think we can avoid dialect issues between countries fairly easily) would absolutely want to know that a prospective cert holder can communicate security knowledge clearly in English (note, clearly doesn’t mean eloquently, just effectively. This doesn’t have to be the GRE written portion), and a company whose product services a specific country/confederacy should be confident that their security professional knows the applicable issues for that region (handling SSN in the US, handling any PII in the EU including possibly IPs now, etc).  So with that said, are people comfortable with a degradation in the utility of the cert by ignoring these things, would they like to include that information in the base test, or would it be preferable to have an expansion module for specific regions that covers applicable language/legal concerns for that region (for example: a separate smaller cert after you get the OWASP cert, with specifics for North America, Latin America, APAC, or Europe)?


As for the essay being a better gauge of knowledge and understanding than multiple choice, that is only true if you construct a multiple choice test with only one right answer.  You can very easily make multiple choice questions that require in depth understanding by having zero or more answers right and making the test taker mark all of the correct answers (possibly leaving it blank).  It is harder to craft such questions well, and they can be hard as heck, but you need to know your stuff to do well.  In that regard it isn’t much different than an essay in terms of knowing the material.


- Josh


From: owasp-cert-bounces at lists.owasp.org [mailto:owasp-cert-bounces at lists.owasp.org] On Behalf Of james at architectbook.com
Sent: Friday, July 25, 2008 10:14 PM
To: Gary Palmer
Cc: owasp-cert at lists.owasp.org
Subject: Re: [Owasp-cert] Deadlines for August


Gary, I am a huge fan of essays. If you have ever taken the Sun certification for Java, they use this approach. The second advantage is that I could possibly score lots of them in free time. Could make for interesting reading on the John. Maybe it could be peer-reviewed by multiple chapter leaders with voting. I think this is the credibility this project needs.

Likewise, I think I need to further refine the breakdown to reflect developer-level concerns vs architect-level concerns (I can see my enterpriseyness showing). I will be sending out additional stuff as time allows over the weekend.

-------- Original Message --------
Subject: Re: [Owasp-cert] Deadlines for August
From: "Gary Palmer" <owasp at getmymail.org>
Date: Fri, July 25, 2008 9:50 pm
To: <owasp-cert at lists.owasp.org>

Interestingly enough, I am preparing for the CBEST which is the first step in obtaining a teaching credential.  The CBEST is a 3-part exam: the first part deals with reading and comprehension, the second is math and the third is an essay.  The R&C is split between knowing what you read, understanding what you read, and then critical analysis/research analysis/author's perspective/main point/feelings/etc.  The math seems to be fairly straightforward.  The essay is 2 compositions: the first is to analyze a given situation and the other is to write about a personal experience.


The grading is scaled and the combined score must be passing.  There is a minimum for each section to pass, but just missing in one and exceeding in another to have a combined passing score will work too.


More at: http://www.cbest.nesinc.com/CA14_overview.asp


Maybe we should consider this type of approach; the essay would certainly challenge the person and provide a record versus a personal meeting that may be biased by personalities.  The different sections could measure depth and understanding of knowledge for multiple degrees of certification.  Also the CBEST allows repeats where you can focus on one section or repeat all, in order to improve your scores.  An interesting approach and unique when I compare it to the assorted other certification exams I have taken.



Gary Palmer




From: owasp-cert-bounces at lists.owasp.org [mailto:owasp-cert-bounces at lists.owasp.org] On Behalf Of Matthew Chalmers
Sent: Friday, July 25, 2008 5:53 PM
To: dmalloc at users.sourceforge.net
Cc: owasp-cert at lists.owasp.org
Subject: Re: [Owasp-cert] Deadlines for August

No offense to James but again I agree with David. I think pure multiple-guess should be avoided--not to mention a pure multiple-guess product that's been rushed because of concerns with time to market or delivering 'something ok' sooner rather than 'something good' later.



On Fri, Jul 25, 2008 at 7:40 PM, David H. <dmalloc at users.sourceforge.net> wrote:

> If we stick to simple multiple choice for the first exam, it means that we
> have delivered something of value and can in the meantime buy us more time
> to work on more complex scenarios.

That is exactly what I try to dispute. I do not see any value in
Multiple Choice Questionnaires, not even when you are purely testing for
relearned value. That stems from a long history with Multiple Choice
Tests and the desire to create meaningful exams for a new paradigm of

Sent from gmail so do not trust this communication.
Do not send me sensitive information here, ask for my non-gmail accounts.

"Therefore the considerations of the intelligent always include both
benefit and harm." - Sun Tzu


