[Owasp-leaders] Thinking out Loud: Evaluating Talent

Christian Heinrich christian.heinrich at owasp.org
Fri Nov 13 18:19:48 EST 2009


I like the idea of multiple stages as one progresses in their career
i.e. Apprentice -> Journeyer -> Master

On Tue, Nov 10, 2009 at 2:11 AM, Juan Carlos Calderon Rojas
<juan.calderon at softtek.com> wrote:
> I think so and agree with you and James. But dual license was also dropped
> in Portugal, so that is another point to consider.
>
> I guess the time remaining for the next mini summit is too short to create a
> solid and "viable" (from the Open Source and OWASP point of view) proposal and
> end up with a good approach to this issue.
>
> The evaluation framework Seba mentions could be a good starting point. What
> if there is a reference of what an auditor and a senior auditor should know?
> Eventually the OWASP certification might close the gap of really measuring
> that.
>
> Regards,
> Juan Carlos Calderon
> ________________________________
> From: daniel cuthbert
> Sent: Mon 09/11/2009 8:58
> To: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent
>
> As with all things open, there is a degree of secrecy required for sensitive
> material.
>
> Common sense has to be taken into consideration at some point, surely?
>
> 2009/11/9 Juan Carlos Calderon Rojas <juan.calderon at softtek.com>
>>
>> Ofer
>>
>> IMO the biggest issue - as we saw in the Portugal summit - regarding a
>> certification coming from OWASP is "openness". As OWASP is open, all the
>> information related to the project, including questions AND answers, MUST be
>> in public sight (AKA the OWASP wiki). James' attempts at certification were
>> frustrated by this issue, if I remember correctly.
>>
>> How do you make a certification with open questions? Maybe you would
>> generate an absurdly large number of questions (thousands?) so that people
>> cannot simply copy and paste. The effort for that would be huge and the effort
>> to maintain that monster would be even larger.
>>
>> One idea I mentioned was to "delay" the access to the answers: like
>> WebGoat, you have to go through all the hints to get the answer, or you have to
>> see all the videos. But eventually that is not really a big deterrent;
>> someone with some time to spend will simply collect the answers and put them
>> in the same place, and that's it.
>>
>> Any idea on how to work around this "openness" issue, Ofer?
>>
>> Regards,
>> Juan Carlos Calderon,
>> ________________________________
>> From: Ofer Maor
>> Sent: Mon 09/11/2009 2:23
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent
>>
>> This is exactly why I think we should seriously consider doing it as part
>> of OWASP, and not throw it to a commercial group that would just look at how
>> they can profit from it rather than keeping it credible. When it becomes
>> commercial, all the certifier is interested in, past the point they reach a
>> certain branding, is to sell as much as they can. However, we can probably
>> team up with some vendors that could do the work (and make some profit out
>> of it), as long as the quality is regulated by OWASP.
>>
>> In any case, I’m looking forward to hearing what the outcomes of the DC
>> Summit are. Unfortunately I won’t be able to attend, but I’ll keep track :)
>>
>> Ofer.
>>
>> From: owasp-leaders-bounces at lists.owasp.org
>> [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of daniel cuthbert
>> Sent: Monday, November 09, 2009 9:33 AM
>> To: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent
>>
>> The CISSP comes to mind; it's not exactly the most respected cert
>> available in this industry of ours, alongside the CEH.
>>
>> It can be done, however, a careful balance between what the candidate
>> knows and needs to know has to be struck. There is no point having a
>> certification that isn't respected by all for being too much of a mickey
>> mouse fan club badge.
>>
>> Partnering with an organisation to take care of the logistical nightmare
>> of the certification process is a must. The actual developing of training
>> content and exam questions isn't that hard; it's something I've been doing
>> for the past 5 years and have a fair whack of experience with.
>>
>> 2009/11/9 Eoin <eoin.keary at owasp.org>
>>
>> Agreed, certification is an expensive investment to set up which would
>> require a full-time resource. Best to partner with a third party on this but
>> which one? Exclusivity deals do not give me a comfortable feeling.
>>
>> Making a "migs picky" of this would not do OWASP any favors, it's a one
>> shot deal.
>>
>> It can easily go to two extremes (I've seen both):
>>
>> Either the certification is a joke, too easy, not realistic and a weak
>> barometer of what we are trying to do, OR it can be too hard: the pass rate is
>> very low, appropriate support for examinations is low and therefore uptake
>> shall be minimal also.
>>
>> -ek
>>
>> (see u in DC?)
>>
>> 2009/11/7 Stephen Craig Evans <stephencraig.evans at gmail.com>
>>
>> From my experience, I can contribute to OWASP in spurts and short
>> stints. Except for some titans that continuously toil tirelessly for
>> OWASP, I think that many other contributors are the same as me.
>>
>> Taking care of certification in any form requires a continuous effort
>> which does not lend itself to bursts of work. I would think that to be
>> successful, there would have to be a commercial wing of OWASP with
>> paid workers which is not a bad thing at all, it's just that we
>> already have so many open and unfinished endeavors as it is.
>>
>> Just my $0.02 worth,
>> Stephen
>>
>> On Sat, Nov 7, 2009 at 8:12 PM, Seba <seba at owasp.org> wrote:
>> > Hi,
>> > We have been talking about this for some months now within the Education
>> > Committee.
>> > ISC2 even approached us with a very concrete proposal to set up a
>> > certification (besides CSSLP), but we do not want to set up one 'exclusive'
>> > certification scheme.
>> > Therefore we came up with the idea to have an OWASP 'certification
>> > framework' where we define the criteria and potential 'body of knowledge'
>> > for 3rd party organisations to certify developers and other actors in the
>> > SDLC.
>> > This certification framework is one point we want to discuss with you during
>> > the upcoming GEC workshop at the DC Summit
>> > http://www.owasp.org/index.php/Summit_2009
>> > regards
>> > Seba
>> >
>> > On Sat, Nov 7, 2009 at 12:59 PM, John Wilander <john.wilander at owasp.org>
>> > wrote:
>> >>
>> >> 2009/11/7 Ofer Maor <ofer.maor at owasp.org>
>> >> I definitely think this market is starting to be mature enough and big
>> >> enough to call for a serious certification. And I think OWASP is the right
>> >> body to do it. There are already chapters all around the world to help promote
>> >> this, and I think we should push for such certification, and urge customers
>> >> to require all testers who work for them to have this certification.
>> >> The problem exists and gives a lot of pain to customers who hire
>> >> consultants. I've had customers who wanted our help in assessing developers'
>> >> appsec skills along with other project requirements such as documented
>> >> threat modeling, the use of a code escrow, and more.
>> >> There have been discussions previously on this list. It seems the OWASP
>> >> leaders are divided into people who say "Why don't we take on the
>> >> responsibility to define what a pentester and an appsec aware developer
>> >> should know?" and people who say "OWASP is open and welcoming for newbies as
>> >> well as the planet's finest. We should not become judges over competence."
>> >> Apart from that there have been a number of practical issues.
>> >> * Should we cooperate with an established assessment provider such as
>> >> Prometric?
>> >> * Should OWASP provide tailor-made training for the certification?
>> >> * Can we require chapter leaders to manage this on a
>> >> local/regional/national level without paying them?
>> >> * Should we cooperate or even try to merge with existing certifications
>> >> such as GSSP or CSSLP?
>> >> Personally, I like the idea of independent OWASP certifications
>> >> (perhaps two - one for developers and one for testers). But I'm not sure how
>> >> we should deal with the practical issues.
>> >>    Regards, John (Sweden)
>> >> _______________________________________________
>> >> OWASP-Leaders mailing list
>> >> OWASP-Leaders at lists.owasp.org
>> >> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>> >
>>
>>
>> --
>> http://www.linkedin.com/in/stephencraigevans
>>
>> --
>> Eoin Keary
>>
>> OWASP Code Review Guide Lead Author
>> OWASP Ireland Chapter Lead
>> OWASP Global Committee Member (Industry)
>>
>> http://asg.ie/
>> https://twitter.com/EoinKeary
>>
>

-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
