[Owasp-leaders] Thinking out Loud: Evaluating Talent

Ofer Maor ofer.maor at owasp.org
Sat Nov 7 05:10:41 EST 2009

This is indeed a huge problem. 


We see this in our company from the other perspective (as the vendor): we
take highly experienced staff and invest months of training in our people
before letting them do projects, and then we need to compete on deals with
companies that put fresh-out-of-college juniors with a couple of weeks'
training at lower rates. In most cases, the customer has no real ability to
tell one from the other until it's too late.


With that said, we do see some of the bigger organizations (which possess
some in-house appsec specialists) starting to become more selective. In a
few recent RFPs we have seen customers demanding that potential consultants
go through a series of professional evaluations as part of the scoring for
the proposals. Some of these included written tests, thorough interviews,
etc. We have even been asked by one of our customers to help them write a
vulnerable environment they can use to "test" potential vendors (and tools).
While I believe this has helped these organizations, it still doesn't solve
the problem for the majority of the organizations who do not possess such
in-house abilities.


I definitely think this market is starting to be mature enough and big
enough to call for a serious certification, and I think OWASP is the right
body to do it. There are already chapters all around the world to help
promote this, and I think we should push for such a certification and urge
customers to require all testers who work for them to hold it.



(Israel Chapter)


P.S. If you're interested, I have a lecture I prepared on just this issue
last year at OWASP Israel.

It's available in




From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James F. (eBusiness)
Sent: Thursday, November 05, 2009 7:10 PM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] Thinking out Loud: Evaluating Talent


Isn't one characteristic of visibility the competency of people? Many of us
are agilists and believe in people, then process, then tools, in that order,
and OWASP has done a wonderful job of helping evaluate process and tools
without some way of validating people. PCI section 6 as an audit step asks
the auditor to validate ongoing training, but there is no definition of good
vs. bad against our own model. Is being able to sing the OWASP Top Ten good
enough, or could we define some additional measures?

If I wanted to buy a WAF, we have great criteria, but if I wanted to purchase
some consultancy time, what are the questions I would even ask? Could we
have an RFP that helps separate the men from the boys? After all, we
understand that there are some firms that have employees who are CMMI Level
742 certified, observe best practices, have a CISSP, a mouthful of cliché
phrases, and are really good at PowerPoint.

How can we help organizations make informed decisions and understand the
distinction between hiring Rohit Sethi, Gunnar Peterson, Arshan, Jeff, etc
vs the guy who googled OWASP ten minutes before the interview...
