[Owasp-cert] Continuing Education?
matthew.chalmers at owasp.org
Tue Jul 29 14:05:48 EDT 2008
Well...that all depends. Is this project for developing/establishing an
OWASP cert, or is it for that plus the ongoing delivery and maintenance of
the cert? I don't want us to be so overzealous that we volunteer the next
'generation' to do extra work if we don't also establish a framework or
system in which to do it. Essentially, I don't want to just throw in a 'nice
to have' requirement now that becomes Someone Else's Problem later. (E.g.,
"Here's the OWASP cert we built, have fun implementing and maintaining it."
"Hey what's this thing about approving and tracking CPEs?" "Well that's
required to keep your cert up to date." "Well how are we going to decide how
to approve them, and then how are we going to track the ones we approve?" "I
dunno, we only designed a system to store exam data, not CPEs...")
If we don't let that happen but still go with CPEs (or whatever), this
group has a bit more work to do in analysis (discussion), design, develop,
and test...personally I think it's easier to just mandate retaking the exam,
or some version of the exam, every so often. The exam we will already have
and have a process for. Plus I still don't think CPEs mean a darn thing. I
get them all the time from cheesy lectures and organisational meetings. But
if we have requirements for CPE 'value' we have to define them so the
customers understand them, and we have to verify what the customers submit
meets the requirements, and we have to keep track of the intersection of
those two so that we know who has up-to-date certs. It's certainly not
impossible, maybe not even difficult, but it's extra work, and extra work
means extra time. Not that I'm advocating the bare minimum to get by, it's
just one point.
On Mon, Jul 28, 2008 at 5:11 PM, <james at architectbook.com> wrote:
> I would entertain a special "recertification" exam as an alternative to
> CPEs. I would ask though how hard would tracking be since we aren't focused
> on general security but something that isn't represented elsewhere...
> -------- Original Message --------
> Subject: Re: [Owasp-cert] Continuing Education?
> From: "Matthew Chalmers" <matthew.chalmers at owasp.org>
> Date: Mon, July 28, 2008 3:10 pm
> To: owasp-cert at lists.owasp.org
> I don't think CPEs/PDUs prove anything. I know how easy they can be to
> get, plus it puts more burden on OWASP to track them and to make sure they
> actually pertain to webappsec. I prefer the SANS/GIAC method of having to
> retake the exam every few years to prove you still know what you're doing.
> Perhaps a scaled-down "maintenance" exam or just a reduced rate, or a lower
> acceptable minimum score for the same level. Open to ideas.
> On Mon, Jul 28, 2008 at 12:00 PM, <james at architectbook.com> wrote:
>> The focus of the discussion to date has been about multiple choice
>> approaches. The topic of whether continuing education hasn't come up and I
>> would love for others to chime in as this may be even more important.
>> Every three years, you must renew your PMP, CISSP, etc. status by earning
>> 60 professional development units (PDUs) and by reaffirming the code of
>> ethics and professional conduct. PDUs are earned by taking accredited
>> training, providing training, or by reading professional books.
>> Aren't we better served by focusing on this aspect?
>> Owasp-cert mailing list
>> Owasp-cert at lists.owasp.org