[Owasp-cert] Deadlines for August

Matthew Chalmers matthew.chalmers at owasp.org
Sun Jul 27 17:50:34 EDT 2008


I completely agree with James here. Except for one thing: The Hartford is a
Fortune 100 company. :-)

All kidding aside, I actually do have a slightly different opinion on a
couple of points. One, not so much a different opinion as another point in
and of itself: do we want to go with the term "developer" or do we want to
promote "software engineering"? This is kind of a 'religious' debate for
some people.

Two, my company also has offices all over the world (in about 80 countries
actually--but we're only Fortune 500, heh), but I disagree with the
implication that there are few software companies doing business only in the
U.S. or EU. I still think we need to make an effort to sanitise the exam of
any geographically/culturally-specific language or meaning. I don't think
OWASP wants to be "big enterprise" exclusive either.

Matt

On Sun, Jul 27, 2008 at 7:44 AM, <james at architectbook.com> wrote:

> Here is my at work opinion, so all disclaimers apply. I work for The
> Hartford (or should I say a Fortune 200 enterprise in the Northeast) and the
> importance of building security into applications is something we encourage
> at a variety of levels. In the modern enterprise, software can be built
> offshore where I may never have a single conversation with the developer
> actually writing code to us buying software from vendors such as Microsoft,
> IBM, Oracle, etc where I also may never have a single conversation with the
> developers writing code. I therefore don't have any reason to think that
> "developer" level certifications need to have a communications component. I
> do believe that "architect" level certifications need to have some aspect of
> soft-skills.
>
> Communication skills are an interesting thing to measure. Many of my peers
> are great writers but absolutely suck when it comes to doing presentations.
> This can be attributable to stage fright, accent, etc. The inverse is also
> true where I have met many great presenters who suck at writing (think Big
> Four type firms).
>
> In terms of the regional aspects, other than the names of the identifiers,
> I think it is in scope worldwide. My employer has locations in Europe, South
> America and Japan and we can't claim ignorance. How many software companies
> and/or enterprises are only US or Europe based?
>
>  -------- Original Message --------
> Subject: Re: [Owasp-cert] Deadlines for August
> From: "Joshbw" <joshbw at analyticalengine.net>
> Date: Sat, July 26, 2008 1:31 pm
> To: <owasp-cert at lists.owasp.org>
>
>  On the subject of essays I'd like to add that in my experience being able
> to communicate effectively is absolutely necessary for security, whether it
> be explaining vulnerabilities found by pentesting to the devs that don't
> necessarily understand the vulnerabilities (has anyone tried explaining CSRF
> to the unenlightened?) or justifying stricter security standards to high
> level development leads.  Multiple choice will not provide any analysis of
> said communication skills, which I think begs a broader question on what the
> intent of the cert really is.   From the project PDF it is stated that the
> following are goals:
>
>
> · Allow employers to rate their developers and architects on
> security skills so they can be confident that every project has at least one
> "security master" and all of their developers and architects understand the
> common errors and how to avoid them.
>
> · Provide a means for buyers of software and systems vendors to
> measure the secure programming skills of the people who work for the
> supplier.
>
> · Allow developers and architects to identify their gaps in secure
> programming knowledge in the language they use and target education to fill
> those gaps.
>
> · Allow employers to evaluate job candidates and potential
> consultants on their secure design & development skills and knowledge.
>
> · Provide incentive for universities to include secure software
> design & development in required computer science, engineering, and
> programming courses.
>
> · Provide reporting to allow individuals and organizations to
> compare their skills against others in their industry, with similar
> education or experience or in similar regions around the world.
>
> I interpret these goals to mean that the primary point is to testify to the
> utility of a cert holder to an employer (or business partner/customer of the
> employer).  The more generic we make the test(s), making it communication
> skills and language agnostic, shying away from country specific issues (such
> as SSN in the US, SIN in Canada, etc), and so forth, we are watering down
> the metric for gauging utility.  A company that does business in English (I
> think we can avoid dialectic issues between countries fairly easily) would
> absolutely want to know that a prospective cert holder can communicate
> security knowledge clearly in English (note, clearly doesn't mean
> eloquently, just effectively. This doesn't have to be the GRE written
> portion), and a company whose product services a specific
> country/confederacy should be confident that their security professional
> knows the applicable issues for that region (handling SSN in the US,
> handling any PII in the EU including possibly IPs now, etc).  So with that
> said, are people comfortable with a degradation in the utility of the cert
> by ignoring these things, would they like to include that information in the
> base test, or would it be preferable to have an expansion module for
> specific regions that covers applicable language/legal concerns for that
> region (for example: a separate smaller cert after you get the OWASP cert,
> with specifics for North America, Latin America, APAC, or Europe).
>
> As for the essay being a better gauge of knowledge and understanding than
> multiple choice, that is only true if you construct a multiple choice with
> only one right answer.  You can very easily make multiple choice questions
> that require in depth understanding by having zero or more answers right and
> making the test taker mark all of the correct (possibly leaving blank)
> answers.  It is harder to craft such questions well, and they can be hard as
> heck, but you need to know your stuff to do well.  In that regard it isn't
> much different than essay in terms of knowing the material.
>
>
> -          Josh
>
> *From:* owasp-cert-bounces at lists.owasp.org [mailto:owasp-cert-bounces at lists.owasp.org]
> *On Behalf Of* james at architectbook.com
> *Sent:* Friday, July 25, 2008 10:14 PM
> *To:* Gary Palmer
> *Cc:* owasp-cert at lists.owasp.org
> *Subject:* Re: [Owasp-cert] Deadlines for August
>
>  Gary, I am a huge fan of essays. If you have ever taken the Sun
> certification for Java, they use this approach. The second advantage is that
> I could possibly score lots of them in free time. Could make for interesting
> reading on the John. Maybe it could be peer-reviewed by multiple chapter
> leaders with voting. I think this is the credibility this project needs.
>
> Likewise, I think I need to further refine the breakdown to reflect
> developer-level concerns vs architect-level concerns (I can see my
> enterpriseyness showing). I will be sending out additional stuff as time
> allows over the weekend.
>
>
>  -------- Original Message --------
> Subject: Re: [Owasp-cert] Deadlines for August
> From: "Gary Palmer" <owasp at getmymail.org>
> Date: Fri, July 25, 2008 9:50 pm
> To: <owasp-cert at lists.owasp.org>
>
>   Interestingly enough, I am preparing for the CBEST which is the first
> step in obtaining a teaching credential.  The CBEST is a 3 part exam, the
> first deals with reading and comprehension, the second is math and the third
> is an essay.  The R&C is split between knowing what you read, understanding
> what you read, and then critical analysis/research analysis/author's
> perspective/main point/feelings/etc.  The math seems to be fairly
> straightforward.  The essay is 2 compositions, the first is analyze a given
> situation and the other is to write about a personal experience.
>
> The grading is scaled and the combined score must be passing.  There is a
> minimum for each section to pass, but just missing in one and exceeding in
> another to have a combined passing score will work too.
>
> More at: http://www.cbest.nesinc.com/CA14_overview.asp
>
> Maybe we should consider this type of approach, the essay would certainly
> challenge the person and provide a record versus a personal meeting that may
> be biased by personalities.  The different sections could measure depth and
> understanding of knowledge for multiple degrees of certification.  Also the
> CBEST allows repeats where you can focus on one section or repeat all, in
> order to improve your scores.  An interesting approach and unique when I
> compare to the assorted other certification exams I have taken.
>
> Cheers,
> Gary Palmer
>
>
>  ------------------------------
>
> *From:* owasp-cert-bounces at lists.owasp.org [mailto:owasp-cert-bounces at lists.owasp.org]
> *On Behalf Of* Matthew Chalmers
> *Sent:* Friday, July 25, 2008 5:53 PM
> *To:* dmalloc at users.sourceforge.net
> *Cc:* owasp-cert at lists.owasp.org
> *Subject:* Re: [Owasp-cert] Deadlines for August
>  No offense to James but again I agree with David. I think pure
> multiple-guess should be avoided--not to mention a pure multiple-guess
> product that's been rushed because of concerns with time to market or
> delivering 'something ok' sooner rather than 'something good' later.
>
>
> Matt
>  On Fri, Jul 25, 2008 at 7:40 PM, David H. <dmalloc at users.sourceforge.net>
> wrote:
> > If we stick to simple multiple choice for the first exam, it means that
> > we have delivered something of value and can in the meantime buy us more
> > time to work on more complex scenarios.
> >
> That is exactly what I try to dispute. I do not see any value in
> Multiple Choice Questionnaires not even when you are purely testing for
> relearned value. That stems from a long history with Multiple Choice
> Tests and the desire to create meaningful exams for a new paradigm of
> learning.
>  --
> Sent from gmail so do not trust this communication.
> Do not send me sensitive information here, ask for my non-gmail accounts.
>
> "Therefore the considerations of the intelligent always include both
> benefit and harm." - Sun Tzu
>
>  ------------------------------
>  _______________________________________________
> Owasp-cert mailing list
> Owasp-cert at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cert