[Owasp-leaders] Thinking out Loud: Evaluating Talent

daniel cuthbert daniel.cuthbert at owasp.org
Mon Nov 9 02:33:13 EST 2009


The CISSP comes to mind; it's not exactly the most respected cert available
in this industry of ours, alongside the CEH.

It can be done; however, a careful balance between what the candidate knows
and needs to know has to be struck. There is no point having a certification
that isn't respected by all for being too much of a Mickey Mouse fan club
badge.

Partnering with an organisation to take care of the logistical nightmare of
the certification process is a must. The actual development of training
content and exam questions isn't that hard; it's something I've been doing
for the past 5 years and have a fair whack of experience with.


2009/11/9 Eoin <eoin.keary at owasp.org>

> Agreed, certification is an expensive investment to set up which would
> require a full-time resource. Best to partner with a third party on this but
> which one? Exclusivity deals do not give me a comfortable feeling.
> Making a "migs picky" of this would not do OWASP any favors; it's a one-shot
> deal.
>
> It can easily go to two extremes (I've seen both):
> Either the certification is a joke, too easy, not realistic and a weak
> barometer of what we are trying to do, OR it can be too hard, the pass rate is
> very low, appropriate support for examinations is low and therefore uptake
> shall be minimal also.
>
> -ek
> (see u in DC?)
>
>
>
> 2009/11/7 Stephen Craig Evans <stephencraig.evans at gmail.com>
>
>> From my experience, I can contribute to OWASP in spurts and short
>> stints. Except for some titans that continuously toil tirelessly for
>> OWASP, I think that many other contributors are the same as me.
>>
>> Taking care of certification in any form requires a continuous effort
>> which does not lend itself to bursts of work. I would think that to be
>> successful, there would have to be a commercial wing of OWASP with
>> paid workers which is not a bad thing at all, it's just that we
>> already have so many open and unfinished endeavors as it is.
>>
>> Just my $0.02 worth,
>> Stephen
>>
>>
>> On Sat, Nov 7, 2009 at 8:12 PM, Seba <seba at owasp.org> wrote:
>> > Hi,
>> > We have been talking about this for some months now within the Education
>> > Committee.
>> > ISC2 even approached us with a very concrete proposal to set up a
>> > certification (besides CSSLP), but we do not want to set up one 'exclusive'
>> > certification scheme.
>> > Therefore we came up with the idea to have an OWASP 'certification
>> > framework' where we define the criteria and potential 'body of knowledge'
>> > for 3rd party organisations to certify developers and other actors in the
>> > SDLC.
>> > This certification framework is one point we want to discuss with you during
>> > the upcoming GEC workshop at the DC Summit
>> > http://www.owasp.org/index.php/Summit_2009
>> > regards
>> > Seba
>> >
>> > On Sat, Nov 7, 2009 at 12:59 PM, John Wilander <john.wilander at owasp.org>
>> > wrote:
>> >>
>> >> 2009/11/7 Ofer Maor <ofer.maor at owasp.org>
>> >> I definitely think this market is starting to be mature enough and big
>> >> enough to call for a serious certification. And I think OWASP is the right
>> >> body to do it. There are already chapters all around the world to help promote
>> >> this, and I think we should push for such certification, and urge customers
>> >> to require all testers who work for them to have this certification.
>> >> The problem exists and gives a lot of pain to customers who hire
>> >> consultants. I've had customers who wanted our help in assessing developers'
>> >> appsec skills along with other project requirements such as documented
>> >> threat modeling, the use of a code escrow, and more.
>> >> There have been discussions previously on this list. It seems the OWASP
>> >> leaders are divided into people who say "Why don't we take on the
>> >> responsibility to define what a pentester and an appsec aware developer
>> >> should know?" and people who say "OWASP is open and welcoming for newbies as
>> >> well as the planet's finest. We should not become judges over competence."
>> >> Apart from that there have been a number of practical issues.
>> >> * Should we cooperate with an established assessment provider such as
>> >> Prometric?
>> >> * Should OWASP provide tailor-made training for the certification?
>> >> * Can we require chapter leaders to manage this on a
>> >> local/regional/national level without paying them?
>> >> * Should we cooperate or even try to merge with existing certifications
>> >> such as GSSP or CSSLP?
>> >> Personally, I like the idea of independent OWASP certifications
>> >> (perhaps two - one for developers and one for testers). But I'm not sure how
>> >> we should deal with the practical issues.
>> >>    Regards, John (Sweden)
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >>
>> --
>> http://www.linkedin.com/in/stephencraigevans
>>
> --
> Eoin Keary
>
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
>
> http://asg.ie/
> https://twitter.com/EoinKeary