[Owasp-cert] Is this an evil thought?
chw at hauser-wenz.de
Mon Jul 28 06:43:45 EDT 2008
We’re probably all biased here depending on where we live, but as OWASP is a world-wide effort, there should be no obstacles that the OWASP certification can’t. We need some kind of NDA anyway, so there must be a way to create one that’s internationally binding … :-)
Matt, you nailed it. The one aspect of my comment regarding protection and those outside the United States that is missing is that if lots of folks contribute to making the best kick butt certification exam on the planet and some bleep exposes all the questions, causing all of us to start from scratch, I would most certainly desire for this person to be in the US, because I would want to personally own them in a court of law and otherwise!
I was debating who should see all the questions. I am all in favor for reviewers being in other parts of the planet as long as they don't see all the questions.
-------- Original Message --------
Subject: Re: [Owasp-cert] Is this an evil thought?
From: "Matthew Chalmers" <matthew.chalmers at owasp.org>
Date: Sun, July 27, 2008 10:39 pm
To: owasp-cert at lists.owasp.org
I don't think the two ideas (protect exam content and have non-U.S. people see it) are mutually exclusive but I believe David and James seem to be talking about two different things: one is protecting the exam content, i.e. not making it available to anyone and everyone, and the other is the assumption that we can't protect content given to anyone outside the U.S., which I don't think is true.
Who here agrees with the following, or if not why not--I'm not 100% sold on my own ideas, heh:
1. The exam content should be revised and selected (and known/accessible in all or in significant part) by only a select few people, call them a peer review board (not a board like OWASP's board), rather than open to the public. The people and the number thereof are not set/known now. Maybe it will be all the people currently subscribed to this list.
2. The people on this content peer review board should not be purposely limited to be persons only in the U.S., although it might work out that way naturally because they're all volunteers.
3. Accountability for protecting (i.e. not disseminating, discussing, divulging, etc.) the exam content made available to the people on this board should be compulsory and some effort should be made to make this obligation legally binding to protect OWASP and the reputation/value of the cert. This might mean signing an NDA-style agreement, license, etc. Taking someone's word for it probably isn't enough.
4. The people on this board should know and accept that they themselves might not be able to get the certification(s) due to their privileges.
5. All other aspects of this project should be open to the public and all of OWASP just like any other OWASP project. This means exam content, once defined/structured, can come from anywhere, even if it's submitted in a public way--like posting to this very mail list--but the final product (an actual exam's content) may not necessarily contain the submitted content at all or exactly as submitted, and the review board might (and probably should) come up with its own content that is never seen outside that group of people (unless you take the exam of course).
This way exam content isn't solely one single person's responsibility, which has its own drawbacks, yet it isn't open to the public such that anyone could aggregate all the exam content and come up with a pretty good cram guide or crib sheet...BUT the rest of the project is still completely public and transparent. The actual OWASP board might act as an oversight committee in case there's any complaint about exam content and how it is chosen, since that part's not completely open. (This isn't necessarily the same as the exam taker's challenge process.)