[Owasp-cert] Certification Demographics

Gary Palmer owasp at getmymail.org
Mon Sep 1 17:00:02 EDT 2008

I want to second Chris's comments.  Tools assist, they do not replace.  The
best hammer in the world is useless without a hand holding it.  There are
nuances in coding that elude tools.  I used to work for the vendor of a
C/C++ source analyzer.  It parsed the code and identified many issues that
could be fixed.  It worked great and helped provide as-built documentation
and assurances that there was a level of security and "bug free-ness" in the
code.  When working with an experienced programmer, the tool was more useful
and insightful because it showed application architecture and organization.
Novice users ignored the architecture and organization parts and went to
fixing semantic ambiguities.  Experienced programmers started with program
architecture because they realized changes to architecture would alter the
semantics anyway.

We have discussed level of certification.  I would not support a requirement
that the "entry level certification" require programming experience, but I
would submit that the highest certification level have programming as a
requirement.  That said, we have a conundrum: how to check or test.

I have a strong coding background (I am so warped I do it for fun! ;-).  I
would be willing to work this area.  I think the coding part of the test
should have code samples and ask about the results.  NOT a syntax analysis,
but a semantic understanding.  We cannot rely on knowledge of any specific
language so we would need to create a simple language, define it for the
test and then provide code and ask questions.  Things like buffer overflows,
undefined pointers, and side effects all come to mind quickly as vectors of

For the novice, tools help, but keep them off the test or we will be always
updating for the latest and people will have religious wars over which tools
should be included since it would form an implicit endorsement!  From a
vendor connection, the vendors might receive a list of criteria and provide
a white paper or something so certified users can select a tool and
immediately know if it meets OWASP minimum capabilities.


-----Original Message-----
From: owasp-cert-bounces at lists.owasp.org
[mailto:owasp-cert-bounces at lists.owasp.org] On Behalf Of Chris W. Rea
Sent: Monday, September 01, 2008 7:11 AM
To: james at architectbook.com
Cc: owasp-cert at lists.owasp.org
Subject: Re: [Owasp-cert] Certification Demographics

On Sun, Aug 31, 2008 at 5:30 PM,  <james at architectbook.com> wrote:
> You may have noted that much of our certification effort requires
> someone to have been a software developer at one time or another which
> begs the question of whether we are doing ourselves a disservice?
> Within large enterprises, there are folks who are web application
> security professionals who do nothing but leverage tools such as
> AppScan, WebInspect, Cenzic, etc. Are we unfairly excluding them from our
> certification efforts?

Hi James.  This particular question piqued my interest and I have an opinion
to offer:  I don't think the exclusion is unfair at all.

Please allow me to explain.  Much of this is obvious, but I'll restate to
support my point.

Reading and understanding code is essential in order to do a thorough job of
auditing application code for security vulnerabilities.  While app scanning
tools are getting better all the time, I don't think they will *ever*
completely replace an intelligent human code reviewer capable of
understanding code and forming the necessary mental models to understand
intent and design.  App scanning tools are a great *starting point* for a
code review, revealing much low-hanging fruit, but I have yet to meet a tool
that can form a mental model and consider intent and design!  ;-)

So, I would suggest that requiring some knowledge of code READING (and by
extension, perhaps, actual development) is not unfair -- in fact, doing so
clearly SETS THE BAR for the professionals who don't yet have such
experience to go out and acquire some in order to be able to get certified.

