[Owasp-leaders] Thinking out Loud: Evaluating Talent

McGovern, James F. (eBusiness) James.McGovern at thehartford.com
Mon Nov 9 09:58:37 EST 2009

I don't think we will ever make it over the hill when it comes to making
certification open. My enterprisey take says that we have in the past taken
things that were somewhat restricted in usage (WebScarab comes to mind)
where multiple license schemes were possible. MySQL is considered by
some to be open source and comes under a dual licensing model whereby
the latest version remains closed, yet folks here haven't challenged
that you can't call it open source since "a" version is available.
This means that there are ways to make it public and maintain integrity.
Anyway, I think there is another question, which says that we need to
help with RFPs as well. How does one at RFP time compare AspectSecurity,
Cigital, etc. to Accenture, Wipro, etc.?


From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Juan Carlos
Calderon Rojas
Sent: Monday, November 09, 2009 9:54 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent

IMO the biggest issue - as we saw in the Portugal summit - regarding a
certification coming from OWASP is "openness". As OWASP is open, all the
information related to the project, including questions AND answers, MUST
be in public sight (AKA the OWASP wiki). James' attempts at certification
were frustrated by this issue, if I remember correctly.
How do you make a certification with open questions? Maybe you would
generate an absurdly large number of questions (thousands?) so that people
cannot simply copy and paste. The effort for that would be huge and the
effort to maintain that monster would be even larger.
One idea I mentioned was to "delay" access to the answers, like
WebGoat: you have to go through all the hints to get the answer, or you
have to see all the videos. But that eventually is not really a big
deterrent; someone with some time to spend will simply collect the
answers and put them in the same place and that's it.
Any idea on how to work around this "openness" issue, Ofer?
Juan Carlos Calderon


From: Ofer Maor
Sent: Mon 09/11/2009 2:23
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent

This is exactly why I think we should seriously consider doing it as
part of OWASP, and not throw it to a commercial group that would just
look at how they can profit from it rather than keeping it credible.
When it becomes commercial, all the certifier is interested in, past the
point they reach a certain branding, is to sell as much as they can.
However, we can probably team up with some vendors that could do the
work (and make some profit out of it), as long as the quality is
regulated by OWASP.

In any case, I'm looking forward to hearing what the outcomes of the DC
Summit are. Unfortunately I won't be able to attend, but I'll keep track :)

From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel
Sent: Monday, November 09, 2009 9:33 AM
To: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent


The CISSP comes to mind; it's not exactly the most respected cert
available in this industry of ours, alongside the CEH.

It can be done; however, a careful balance between what the candidate
knows and needs to know has to be struck. There is no point having a
certification that isn't respected by all for being too much of a Mickey
Mouse fan club badge.

Partnering with an organisation to take care of the logistical nightmare
of the certification process is a must. The actual developing of
training content and exam questions isn't that hard; it's something I've
been doing for the past 5 years and have a fair whack of experience in.
2009/11/9 Eoin <eoin.keary at owasp.org>

Agreed, certification is an expensive investment to set up which would
require a full-time resource. Best to partner with a third party on this,
but which one? Exclusivity deals do not give me a comfortable feeling.

Making a "migs picky" of this would not do OWASP any favors; it's a one
shot deal.

It can easily go to two extremes (I've seen both):

Either the certification is a joke, too easy, not realistic and a weak
barometer of what we are trying to do, OR it can be too hard, the pass rate
is very low, appropriate support for examinations is low and therefore
uptake shall be minimal also.

(see u in DC?)

2009/11/7 Stephen Craig Evans <stephencraig.evans at gmail.com>


	From my experience, I can contribute to OWASP in spurts and
	stints. Except for some titans that continuously toil tirelessly
	OWASP, I think that many other contributors are the same as me.
	Taking care of certification in any form requires a continuous
	which does not lend itself to bursts of work. I would think that
	to be successful, there would have to be a commercial wing of OWASP
	paid workers which is not a bad thing at all, it's just that we
	already have so many open and unfinished endeavors as it is.
	Just my $0.02 worth,

	On Sat, Nov 7, 2009 at 8:12 PM, Seba <seba at owasp.org> wrote:
	> Hi,
	> We have been talking about this for some months now within the
	> Committee.
	> ISC2 even approached us with a very concrete proposal to set up a
	> certification (besides CSSLP), but we do not want to set up one 'exclusive'
	> certification scheme.
	> Therefore we came up with the idea to have an OWASP
	> framework' where we define the criteria and potential 'body if
	> for 3rd party organisations to certify developers and other actors in the
	> SDLC.
	> This certification framework is one point we want to discuss with you during
	> the upcoming GEC workshop at the DC Summit
	> http://www.owasp.org/index.php/Summit_2009
	> regards
	> Seba
	> On Sat, Nov 7, 2009 at 12:59 PM, John Wilander <john.wilander at owasp.org>
	> wrote:
	>> 2009/11/7 Ofer Maor <ofer.maor at owasp.org>
	>> I definitely think this market is starting to be mature enough and big
	>> enough to call for a serious certification. And I think OWASP is the right
	>> body to it. There are already chapters all around the world to help promote
	>> this, and I think we should push for such certification, and urge customers
	>> to require all testers who work for them to have this
	>> The problem exists and gives a lot of pain to customers who
	>> consultants. I've had customers who wanted our help in assessing developers'
	>> appsec skills along with other project requirements such as
	>> threat modeling, the use of a code escrow, and more.
	>> There have been discussions previously on this list. It seems
	>> leaders are divided into people who say "Why don't we take on
	>> responsibility to define what a pentester and an appsec aware
	>> should know?" and people who say "OWASP is open and welcoming for newbies as
	>> well as the planet's finest. We should not become judges over
	>> Apart from that there have been a number of practical issues.
	>> * Should we cooperate with an established assessment provider such as
	>> Prometric?
	>> * Should OWASP provide tailor-made training for the
	>> * Can we require chapter leaders to manage this on a
	>> local/regional/national level without paying them?
	>> * Should we cooperate or even try to merge with existing
	>> such as GSSP or CSSLP?
	>> Personally, I like the idea of an independent OWASP
	>> (perhaps two - one for developers and one for testers). But I'm not sure how
	>> we should deal with the practical issues.
	>>    Regards, John (Sweden)
	>> _______________________________________________
	>> OWASP-Leaders mailing list
	>> OWASP-Leaders at lists.owasp.org
	>> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Eoin Keary

OWASP Code Review Guide Lead Author
OWASP Ireland Chapter Lead
OWASP Global Committee Member (Industry)
