[Owasp-leaders] Thinking out Loud: Evaluating Talent

daniel cuthbert daniel.cuthbert at owasp.org
Mon Nov 9 09:58:44 EST 2009


As with all things open, there is a degree of secrecy required for sensitive
material.

Common sense has to be taken into consideration at some point, surely?

2009/11/9 Juan Carlos Calderon Rojas <juan.calderon at softtek.com>

> Ofer
>
> IMO the biggest issue - as we saw in the Portugal summit - regarding a
> certification coming from OWASP is "openness". As OWASP is open, all the
> information related to the project, including questions AND answers, MUST be
> in public sight (AKA the OWASP wiki). James's attempts at certification were
> frustrated by this issue, if I remember correctly.
>
> How do you make a certification with open questions? Maybe you would
> generate an absurdly large number of questions (thousands?) so that people
> cannot simply copy and paste. The effort for that would be huge, and the effort
> to maintain that monster would be even larger.
>
> One idea I mentioned was to "delay" access to the answers: like
> WebGoat, you have to go through all the hints to get the answer, or you have to
> see all the videos. But that eventually is not really a big deterrent;
> someone with some time to spend will simply collect the answers and put them
> in the same place, and that's it.
>
> Any idea on how to work around this "openness" issue, Ofer?
>
> Regards,
> *Juan Carlos Calderon*
> ------------------------------
> *De:* Ofer Maor
> *Enviado el:* Lun 09/11/2009 2:23
> *Para:* owasp-leaders at lists.owasp.org
> *Asunto:* Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent
>
> This is exactly why I think we should seriously consider doing it as part
> of OWASP, and not throw it to a commercial group that would just look at how
> they can profit from it rather than keeping it credible. When it becomes
> commercial, all the certifier is interested in, past the point they reach a
> certain branding, is to sell as much as they can. However, we *can* probably
> team up with some vendors that could do the work (and make some
> profit out of it), as long as the quality is regulated by OWASP.
>
> In any case, I'm looking forward to hearing what the outcomes of the DC
> Summit are. Unfortunately I won't be able to attend, but I'll keep track :)
>
> Ofer.
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *daniel cuthbert
> *Sent:* Monday, November 09, 2009 9:33 AM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent
>
> The CISSP comes to mind; it's not exactly the most respected cert available
> in this industry of ours, alongside the CEH.
>
> It can be done; however, a careful balance between what the candidate knows
> and needs to know has to be struck. There is no point having a certification
> that isn't respected by all for being too much of a Mickey Mouse fan club
> badge.
>
> Partnering with an organisation to take care of the logistical nightmare of
> the certification process is a must. The actual development of training
> content and exam questions isn't that hard; it's something I've been doing
> for the past 5 years and have a fair whack of experience with.
>
> 2009/11/9 Eoin <eoin.keary at owasp.org>
>
> Agreed, certification is an expensive investment to set up which would
> require a full-time resource. Best to partner with a third party on this, but
> which one? Exclusivity deals do not give me a comfortable feeling.
>
> Making a "migs picky" of this would not do OWASP any favors; it's a one-shot
> deal.
>
> It can easily go to two extremes (I've seen both):
>
> Either the certification is a joke, too easy, not realistic and a weak
> barometer of what we are trying to do, OR it can be too hard, the pass rate is
> very low, appropriate support for examinations is low, and therefore uptake
> shall be minimal also.
>
> -ek
>
> (see u in DC?)
>
> 2009/11/7 Stephen Craig Evans <stephencraig.evans at gmail.com>
>
> From my experience, I can contribute to OWASP in spurts and short
> stints. Except for some titans that continuously toil tirelessly for
> OWASP, I think that many other contributors are the same as me.
>
> Taking care of certification in any form requires a continuous effort
> which does not lend itself to bursts of work. I would think that to be
> successful, there would have to be a commercial wing of OWASP with
> paid workers which is not a bad thing at all, it's just that we
> already have so many open and unfinished endeavors as it is.
>
> Just my $0.02 worth,
> Stephen
>
> On Sat, Nov 7, 2009 at 8:12 PM, Seba <seba at owasp.org> wrote:
> > Hi,
> > We have been talking about this for some months now within the Education
> > Committee.
> > ISC2 even approached us with a very concrete proposal to set up a
> > certification (besides CSSLP), but we do not want to set up one 'exclusive'
> > certification scheme.
> > Therefore we came up with the idea to have an OWASP 'certification
> > framework' where we define the criteria and potential 'body of knowledge'
> > for 3rd party organisations to certify developers and other actors in the
> > SDLC.
> > This certification framework is one point we want to discuss with you during
> > the upcoming GEC workshop at the DC Summit
> > http://www.owasp.org/index.php/Summit_2009
> > regards
> > Seba
> >
> > On Sat, Nov 7, 2009 at 12:59 PM, John Wilander <john.wilander at owasp.org>
> > wrote:
> >>
> >> 2009/11/7 Ofer Maor <ofer.maor at owasp.org>
> >> I definitely think this market is starting to be mature enough and big
> >> enough to call for a serious certification. And I think OWASP is the right
> >> body to do it. There are already chapters all around the world to help promote
> >> this, and I think we should push for such certification, and urge customers
> >> to require all testers who work for them to have this certification.
> >> The problem exists and gives a lot of pain to customers who hire
> >> consultants. I've had customers who wanted our help in assessing developers'
> >> appsec skills along with other project requirements such as documented
> >> threat modeling, the use of a code escrow, and more.
> >> There have been discussions previously on this list. It seems the OWASP
> >> leaders are divided into people who say "Why don't we take on the
> >> responsibility to define what a pentester and an appsec-aware developer
> >> should know?" and people who say "OWASP is open and welcoming for newbies as
> >> well as the planet's finest. We should not become judges over competence."
> >> Apart from that there have been a number of practical issues.
> >> * Should we cooperate with an established assessment provider such as
> >> Prometric?
> >> * Should OWASP provide tailor-made training for the certification?
> >> * Can we require chapter leaders to manage this on a
> >> local/regional/national level without paying them?
> >> * Should we cooperate or even try to merge with existing certifications
> >> such as GSSP or CSSLP?
> >> Personally, I like the idea of independent OWASP certifications
> >> (perhaps two - one for developers and one for testers). But I'm not sure how
> >> we should deal with the practical issues.
> >> Regards, John (Sweden)
> >> _______________________________________________
> >> OWASP-Leaders mailing list
> >> OWASP-Leaders at lists.owasp.org
> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
>
> --
> http://www.linkedin.com/in/stephencraigevans
>
> --
> Eoin Keary
>
> OWASP Code Review Guide Lead Author
> OWASP Ireland Chapter Lead
> OWASP Global Committee Member (Industry)
>
> http://asg.ie/
> https://twitter.com/EoinKeary
>
>