[Owasp-leaders] Thinking out Loud: Evaluating Talent

Seba seba at owasp.org
Sat Nov 7 07:12:08 EST 2009


Hi,

We have been talking about this for some months now within the Education
Committee.
ISC2 even approached us with a very concrete proposal to set up a
certification (besides CSSLP), but we do not want to set up one 'exclusive'
certification scheme.

Therefore we came up with the idea to have an OWASP 'certification
framework' where we define the criteria and potential 'body of knowledge'
for 3rd party organisations to certify developers and other actors in the
SDLC.

This certification framework is one point we want to discuss with you during
the upcoming GEC workshop at the DC Summit
http://www.owasp.org/index.php/Summit_2009

regards

Seba

On Sat, Nov 7, 2009 at 12:59 PM, John Wilander <john.wilander at owasp.org> wrote:

> 2009/11/7 Ofer Maor <ofer.maor at owasp.org>
>
> I definitely think this market is starting to be mature enough and big
> enough to call for a *serious* certification. And I think OWASP is the
> right body to do it. There are already chapters all around the world to help
> promote this, and I think we should push for such certification, and urge
> customers to require all testers who work for them to have this
> certification.
>
> The problem exists and gives a lot of pain to customers who hire
> consultants. I've had customers who wanted our help in assessing developers'
> appsec skills along with other project requirements such as documented
> threat modeling, the use of a code escrow, and more.
>
> There have been discussions previously on this list. It seems the OWASP
> leaders are divided into people who say "Why don't we take on the
> responsibility to define what a pentester and an appsec aware developer
> should know?" and people who say "OWASP is open and welcoming for newbies as
> well as the planet's finest. We should not become judges over competence."
>
> Apart from that there have been a number of practical issues.
> * Should we cooperate with an established assessment provider such as
> Prometric?
> * Should OWASP provide tailor-made training for the certification?
> * Can we require chapter leaders to manage this on a
> local/regional/national level without paying them?
> * Should we cooperate or even try to merge with existing certifications
> such as GSSP or CSSLP?
>
> Personally, I like the idea of independent OWASP certifications (perhaps
> two - one for developers and one for testers). But I'm not sure how we
> should deal with the practical issues.
>
>    Regards, John (Sweden)
>