[Owasp-cert] Version Control

Matthew Chalmers matthew.chalmers at owasp.org
Tue Jul 29 13:36:42 EDT 2008

I strongly suggest whatever technology may be used to store privileged exam
content be hosted on OWASP's servers. Not by a third party, not by an
individual, and not even by a generous and good-intentioned OWASP
member/sponsor/volunteer's company. OWASP should be 100% in control of and
responsible for control of this content, since it's likely not going to be
public like most everything else. This is something that needs to be done
right from the start. Not necessarily perfect, but as 'right' as
possible--which may not be the most convenient or expedient way.

Also, I believe we need to start keeping track of project 'Decisions,'
separate from 'Suggestions' or any other documentation that can change at
any time. This way we can keep it all on one wiki page and refer to it.
Also, anyone interested in the project's status can go to one page and see
all the Decisions--these should be things that don't change unless they're
discussed by whoever's determined to be an active project member, in the
spirit of OWASP's consensus process (see

One such Decision I think we need to make is whether any one person will
have access to any and all exam content. There are pros and cons to doing it
this way and not doing it this way. One of the things I see in favor of one
or more people having access to all exam content is that it might make the
exam more consistent overall. One of the things I see in favor of limiting
everyone to having access only to one or a few content areas is that it may
still be possible for these people to obtain the cert themselves. As an
example, say we have 14 subject areas for the basic exam (as it currently
stands according to
If someone is 'elected' as an SME for one area, say cryptography, and that's
the only section of exam content to which that person is privy, then that
person may be able to sit for the exam under one of at least a couple
possible conditions: for example, a special exam is 'generated' which
excludes crypto content; or the person's minimum passing score is raised by
automatically marking all crypto questions incorrect.

Basically what I'm thinking is, every person is able to use any OWASP
product/resource regardless of whether that person helped to create it. But
in this case, if we're keeping exam content secret--because having it will
help your chances on the exam--people who participate heavily in exam
content creation/selection have an advantage so they will not (ethically?)
be able to use this particular OWASP product/resource. Sort of the opposite
view might also be possible, although I would assume less likely/popular:
that anyone who contributes significantly to exam content is someone who
would have passed the exam anyway, so they should be thought to 'have' this
certification without taking the exam. Sort of like how other new
certifications often grandfather people into it by virtue of documented


On Tue, Jul 29, 2008 at 7:17 AM, <james at architectbook.com> wrote:

> Does anyone know of a place where we can version control our questions for
> free that doesn't make the answers publicly available?
> If not, I will load subversion to a host over the weekend. Hoping to avoid
> some work.
> _______________________________________________
> Owasp-cert mailing list
> Owasp-cert at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cert