[Owasp-leaders] Thinking out Loud: Evaluating Talent

John Wilander john.wilander at owasp.org
Sat Nov 7 06:59:14 EST 2009


2009/11/7 Ofer Maor <ofer.maor at owasp.org>
> I definitely think this market is starting to be mature enough and big
> enough to call for a *serious* certification. And I think OWASP is the right
> body to do it. There are already chapters all around the world to help promote
> this, and I think we should push for such certification, and urge customers
> to require all testers who work for them to have this certification.

The problem exists and gives a lot of pain to customers who hire
consultants. I've had customers who wanted our help in assessing developers'
appsec skills along with other project requirements such as documented
threat modeling, the use of a code escrow, and more.

There have been discussions previously on this list. It seems the OWASP
leaders are divided into people who say "Why don't we take on the
responsibility to define what a pentester and an appsec aware developer
should know?" and people who say "OWASP is open and welcoming for newbies as
well as the planet's finest. We should not become judges over competence."

Apart from that there have been a number of practical issues.
* Should we cooperate with an established assessment provider such as
Prometric?
* Should OWASP provide tailor-made training for the certification?
* Can we require chapter leaders to manage this on a local/regional/national
level without paying them?
* Should we cooperate or even try to merge with existing certifications such
as GSSP or CSSLP?

Personally, I like the idea of independent OWASP certifications (perhaps
two: one for developers and one for testers). But I'm not sure how we
should deal with the practical issues.

   Regards, John (Sweden)