[Owasp-cert] Certification Demographics

Chris W. Rea chris.w.rea at gmail.com
Mon Sep 1 10:11:28 EDT 2008

On Sun, Aug 31, 2008 at 5:30 PM,  <james at architectbook.com> wrote:
> You may have noted that much of our certification effort requires someone to
> have been a software developer at one time or another which begs the
> question of whether we are doing ourselves a disservice?
> Within large enterprises, there are folks who are web application security
> professionals who do nothing but leverage tools such as AppScan, WebInspect,
> Cenzic, etc. Are we unfairly excluding them from our certification efforts?

Hi James.  This particular question piqued my interest and I have an
opinion to offer:  I don't think the exclusion is unfair at all.

Please allow me to explain.  Much of this is obvious, but I'll restate
to support my point.

Reading and understanding code is essential in order to do a thorough
job of auditing application code for security vulnerabilities.  While
app scanning tools are getting better all the time, I don't think they
will *ever* completely replace an intelligent human code reviewer
capable of understanding code and forming the necessary mental models
to understand intent and design.  App scanning tools are a great
*starting point* for a code review, revealing much low-hanging fruit,
but I have yet to meet a tool that can form a mental model and
consider intent and design!  ;-)

So, I would suggest that requiring some knowledge of code READING (and
by extension, perhaps, actual development) is not unfair -- in fact,
doing so clearly SETS THE BAR for the professionals who don't yet have
such experience to go out and acquire some in order to be able to get

I've seen too much code that scanned 'clean' or with 'no critical
vulnerabilities' but still had major vulnerabilities of a semantic
nature.  I've encountered many managers that considered a clean app
scan to be sufficient, challenging my suggestion that a human being
ought to review the code as well.  Let's not provide the industry with
certified professionals who will tell such managers that it is
perfectly O.K. not to perform a real live review (since they can't do
one) or that the code is certifiably secure because all the coolest
tools said so.

The certification shouldn't attempt to rubber stamp large classes of
individuals who already have *some* experience in performing a
specific role.  Rather, the certification should encourage those
without well-rounded-enough experience to expand their horizons.  If
that means that some individuals who have found themselves in a large
organization doing nothing but running app scanning tools find
themselves challenged to work outside the box they've been put in,
then so be it.

Thank you.


Chris W. Rea
chris.w.rea at gmail.com

More information about the Owasp-cert mailing list