[Owasp-leaders] Thinking out Loud: Evaluating Talent

Stephen Craig Evans stephencraig.evans at gmail.com
Sat Nov 7 11:12:19 EST 2009

From my experience, I can contribute to OWASP in spurts and short
stints. Except for some titans that continuously toil tirelessly for
OWASP, I think that many other contributors are the same as me.

Taking care of certification in any form requires a continuous effort
which does not lend itself to bursts of work. I would think that to be
successful, there would have to be a commercial wing of OWASP with
paid workers which is not a bad thing at all, it's just that we
already have so many open and unfinished endeavors as it is.

Just my $0.02 worth,

On Sat, Nov 7, 2009 at 8:12 PM, Seba <seba at owasp.org> wrote:
> Hi,
> We have been talking about this for some months now within the Education
> Committee.
> ISC2 even approached us with a very concrete proposal to set up a
> certification (besides CSSLP), but we do not want to set up one 'exclusive'
> certification scheme.
> Therefore we came up with the idea to have an OWASP 'certification
> framework' where we define the criteria and potential 'body of knowledge'
> for 3rd party organisations to certify developers and other actors in the
> This certification framework is one point we want to discuss with you during
> the upcoming GEC workshop at the DC Summit
> http://www.owasp.org/index.php/Summit_2009
> regards
> Seba
> On Sat, Nov 7, 2009 at 12:59 PM, John Wilander <john.wilander at owasp.org>
> wrote:
>> 2009/11/7 Ofer Maor <ofer.maor at owasp.org>
>> I definitely think this market is starting to be mature enough and big
>> enough to call for a serious certification. And I think OWASP is the right
>> body to it. There are already chapters all around the world to help promote
>> this, and I think we should push for such certification, and urge customers
>> to require all testers who work for them to have this certification.
>> The problem exists and gives a lot of pain to customers who hire
>> consultants. I've had customers who wanted our help in assessing developers'
>> appsec skills along with other project requirements such as documented
>> threat modeling, the use of a code escrow, and more.
>> There have been discussions previously on this list. It seems the OWASP
>> leaders are divided into people who say "Why don't we take on the
>> responsibility to define what a pentester and an appsec aware developer
>> should know?" and people who say "OWASP is open and welcoming for newbies as
>> well as the planet's finest. We should not become judges over competence."
>> Apart from that there have been a number of practical issues.
>> * Should we cooperate with an established assessment provider such as
>> Prometric?
>> * Should OWASP provide tailor-made training for the certification?
>> * Can we require chapter leaders to manage this on a
>> local/regional/national level without paying them?
>> * Should we cooperate or even try to merge with existing certifications
>> such as GSSP or CSSLP?
>> Personally, I like the idea of an independent OWASP certifications
>> (perhaps two - one for developers and one for testers). But I'm not sure how
>> we should deal with the practical issues.
>>    Regards, John (Sweden)
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

