[Owasp-leaders] Thinking out Loud: Evaluating Talent

McGovern, James F. (eBusiness) James.McGovern at thehartford.com
Mon Nov 9 09:16:36 EST 2009

I have moved away from the thought of certification and things about
individuals and figured there would be some lift in addressing the
things about firms via copy-and-paste RFP type questions, things that
could be incorporated into a SAS70, etc...


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel
Sent: Monday, November 09, 2009 2:33 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent

The CISSP comes to mind, it's not exactly the most respected cert
available in this industry of ours, alongside the CEH.

It can be done; however, a careful balance between what the candidate
knows and needs to know has to be struck. There is no point having a
certification that isn't respected by all for being too much of a mickey
mouse fan club badge,

Partnering with an organisation to take care of the logistical nightmare
of the certification process is a must. The actual developing of
training content and exam questions isn't that hard; it's something I've
been doing for the past 5 years and have a fair whack of experience

2009/11/9 Eoin <eoin.keary at owasp.org>

	Agreed, certification is an expensive investment to set up which would require a full-time resource. Best to partner with a third party on this but which one? Exclusivity deals do not give me a comfortable
	Making a "migs picky" of this would not do OWASP any favors, it's a one shot deal.

	It can easily go to two extremes (I've seen both):
	Either the certification is a joke, too easy, not realistic and a weak barometer of what we are trying to do OR it can be too hard, pass rate is very low, appropriate support for examinations is low and therefore uptake shall be minimal also.

	(see u in DC?)

	2009/11/7 Stephen Craig Evans <stephencraig.evans at gmail.com> 

		From my experience, I can contribute to OWASP in spurts and short stints. Except for some titans that continuously toil tirelessly for OWASP, I think that many other contributors are the same as me.
		Taking care of certification in any form requires a continuous effort which does not lend itself to bursts of work. I would think that to be successful, there would have to be a commercial wing of OWASP with paid workers which is not a bad thing at all, it's just that we already have so many open and unfinished endeavors as it
		Just my $0.02 worth,

		On Sat, Nov 7, 2009 at 8:12 PM, Seba <seba at owasp.org>
		> Hi,
		> We have been talking about this for some months now within the Education Committee.
		> ISC2 even approached us with a very concrete proposal to set up a certification (besides CSSLP), but we do not want to set up one 'exclusive' certification scheme.
		> Therefore we came up with the idea to have an OWASP
		> framework' where we define the criteria and potential 'body of knowledge' for 3rd party organisations to certify developers and other actors in the SDLC.
		> This certification framework is one point we want to discuss with you during the upcoming GEC workshop at the DC Summit
		> http://www.owasp.org/index.php/Summit_2009
		> regards
		> Seba
		> On Sat, Nov 7, 2009 at 12:59 PM, John Wilander <john.wilander at owasp.org> wrote:
		>> 2009/11/7 Ofer Maor <ofer.maor at owasp.org>
		>> I definitely think this market is starting to be mature enough and big enough to call for a serious certification. And I think OWASP is the right body to do it. There are already chapters all around the world to help promote this, and I think we should push for such certification, and urge customers to require all testers who work for them to have this
		>> The problem exists and gives a lot of pain to customers who hire consultants. I've had customers who wanted our help in assessing developers' appsec skills along with other project requirements such as documented threat modeling, the use of a code escrow, and more.
		>> There have been discussions previously on this list. It seems the OWASP leaders are divided into people who say "Why don't we take on the responsibility to define what a pentester and an appsec aware developer should know?" and people who say "OWASP is open and welcoming for newbies as well as the planet's finest. We should not become judges over competence."
		>> Apart from that there have been a number of practical
		>> * Should we cooperate with an established assessment provider such as Prometric?
		>> * Should OWASP provide tailor-made training for the
		>> * Can we require chapter leaders to manage this on a local/regional/national level without paying them?
		>> * Should we cooperate or even try to merge with existing certifications such as GSSP or CSSLP?
		>> Personally, I like the idea of an independent OWASP
		>> (perhaps two - one for developers and one for testers). But I'm not sure how we should deal with the practical issues.
		>>    Regards, John (Sweden)
		>> _______________________________________________
		>> OWASP-Leaders mailing list
		>> OWASP-Leaders at lists.owasp.org

	Eoin Keary
	OWASP Code Review Guide Lead Author
	OWASP Ireland Chapter Lead
	OWASP Global Committee Member (Industry)

