[Owasp-leaders] Thinking out Loud: Evaluating Talent

McGovern, James F. (eBusiness) James.McGovern at thehartford.com
Thu Nov 5 12:10:17 EST 2009

Isn't one characteristic of visibility the competency of people? Many
of us are agilists and believe in people, then process, then tools - in
that order and OWASP has done a wonderful job of helping evaluate
process and tools, without some way of validating people. PCI section 6
as an audit step asks the auditor to validate ongoing training but there
is no definition of good vs bad against our own model. Is being able to
sing the OWASP Top Ten good enough or could we define some additional

If I wanted to buy a WAF, we've got great criteria, but if I wanted to
purchase some consultancy time, what are the questions I would even ask?
Could we have a RFP that helps separate out the men from the boys? After
all, we understand that there are some firms that have employees who are
CMMI Level 742 certified, observe best practices, have a CISSP, a
mouthful of cliche phrases and are really good at Powerpoint.

How can we help organizations make informed decisions and understand the
distinction between hiring Rohit Sethi, Gunnar Peterson, Arshan, Jeff,
etc vs the guy who googled OWASP ten minutes before the interview...