[Owasp-cert] Is this an evil thought?

Matthew Chalmers matthew.chalmers at owasp.org
Sun Jul 27 22:39:49 EDT 2008

I don't think the two ideas (protect exam content and have non-U.S. people
see it) are mutually exclusive but I believe David and James seem to be
talking about two different things: one is protecting the exam content, i.e.
not making it available to anyone and everyone, and the other is the
assumption that we can't protect content given to anyone outside the U.S.,
which I don't think is true.

Who here agrees with the following, or if not why not--I'm not 100% sold on
my own ideas, heh:
1. The exam content should be revised and selected (and known/accessible in
all or in significant part) by only a select few people, call them a peer
review board (not a board like OWASP's board), rather than open to the
public. The people and the number thereof are not set/known now. Maybe it
will be all the people currently subscribed to this list.
2. The people on this content peer review board should not be purposely
limited to be persons only in the U.S., although it might work out that way
naturally because they're all volunteers.
3. Accountability for protecting (i.e. not disseminating, discussing,
divulging, etc.) the exam content made available to the people on this board
should be compulsory and some effort should be made to make this obligation
legally binding to protect OWASP and the reputation/value of the cert. This
might mean signing an NDA-style agreement, license, etc. Taking someone's
word for it probably isn't enough.
4. The people on this board should know and accept that they themselves
might not be able to get the certification(s) due to their privileges.
5. All other aspects of this project should be open to the public and all of
OWASP just like any other OWASP project. This means exam content, once
defined/structured, can come from anywhere, even if it's submitted in a
public way--like posting to this very mail list--but the final product (an
actual exam's content) may not necessarily contain the submitted content at
all or exactly as submitted, and the review board might (and probably
should) come up with its own content that is never seen outside that group
of people (unless you take the exam of course).

This way exam content isn't solely one single person's responsibility, which
has its own drawbacks, yet it isn't open to the public such that
anyone could aggregate all the exam content and come up with a pretty
good cram guide or crib sheet...BUT the rest of the project is still
completely public and transparent. The actual OWASP board might act as an
oversight committee in case there's any complaint about exam content and how
it is chosen, since that part's not completely open. (This isn't necessarily
the same as the exam taker's challenge process.)


On Sun, Jul 27, 2008 at 6:57 PM, <james at architectbook.com> wrote:

> David, I must ask if you believe that all questions and answers should be
> available to everyone or should some mechanism exist to protect the
> integrity of the exam? If you know of a way of accomplishing both, then I
> would love to hear your ideas.
>  -------- Original Message --------
> Subject: Re: [Owasp-cert] Is this an evil thought?
> From: "David H." <dmalloc at users.sourceforge.net>
> Date: Sun, July 27, 2008 7:29 pm
> To: Owasp-cert at lists.owasp.org
> On Mon, Jul 28, 2008 at 12:23 AM, <james at architectbook.com> wrote:
> > OWASP already has a board and I wouldn't want to create one that is
> > certification specific. In terms of legal repercussions, being subject to US
> > laws at some level is best accomplished by limiting access to all questions to
> > those solely in the US.
> I am sorry but are you being serious?
> If that is the case then please unsubscribe me immediately. I do not
> want to give my time to an effort which is not fully transparent and
> open to everyone, regardless of where they are.