[Owasp-leaders] Federal licensing for "CybersecurityProfessionals"

Tom Brennan - OWASP tomb at owasp.org
Tue Sep 1 08:28:37 EDT 2009

James McGovern worked on the OWASP Certification (
proposal and at OWASP Summit, Portugal we collectively debated this with
everyone in attendance and it was determined by a majority vote that
certification would not be a direction for OWASP Foundation Inc.,at that
time and did not pass.  At the time we we did not have the people able to be
dedicated to the effort, infrastructure, desire or goals (mission) to do so
however any organization is of course free to use our materials in making a
better mousetrap. So anyone that wants to start there own company for
certification or a existing firm (example: ISC2, SAN, ISCA, ISSA, etc... )
good luck.

Mano Paul and the Global Education Committee have been working various
projects even a online framework and this would of course fall into that
bucket (Education)  I encourage EVERYONE who would like to work on this or
any of the many outlined items to actually get involved and spend some
cycles see:

*http://www.owasp.org/index.php/Global_Education_Committee*  review the
hardwork, get on that mailing list and be involved.

The only guidelines that must be considered considered by ALL local
chapters, projects and global committees and the board are outlined as:  Code
of Ethics and Principles hence: http://www.owasp.org/index.php/About_OWASPFor
those that are not clear the next OWASP SUMMIT will be at the November USA
conference Nov 10th-13th where we will actually have a dedicated full day
for those that are card carrying MEMBERS OF OWASP to cast a vote on some
very important items effecting OWASP.  Details to follow:

So if you are asking how/who effects the direction of OWASP Foundation
globally the answer is:
http://www.owasp.org/index.php/Global_Committee_Pages  so get involved
and/or review http://www.owasp.org/index.php/OWASP_Board_Meetings for
history information.

On Mon, Aug 31, 2009 at 10:24 PM, Ralph Durkee <rd at rd1.net> wrote:

>  What you've said really struck a cord, and I agree with all of what you
> said with respect to the lack of impact of gov regulation and military
> project efforts.  However I think there have been some progress in other
> areas of certification, and maybe OWASP can avoid the dangers stated, while
> finding opportunities else where.  I think there's 2 areas  of non-gov
> certifications that have made an impact.  The PCI standards can also be
> viewed as an organization or application certification. While they are far
> from perfect, they have made significant impact on most of the organizations
> that have been implemented them.  Also I think the SANS GIAC personal
> certifications have made a significant impact on the industry (yes, I do
> some teaching for SANS and do some PCI consulting).  Sure it's easy to
> criticize that they also generate plenty of revenue for those on the inside,
> but they also have had an impact. Of course neither fits the OWASP open
> volunteer-ism models, and I don't want try to DoS OWASP with something we're
> not ready for, but  there's obvious needs in the area, that I'd rather see
> OWASP meet then someone else.  I don't know... Maybe it's time to be more
> flexible in our models.
> -- Ralph Durkee
> Rochester OWASP
> Adam Muntner wrote:
> Even if you disagree with my comment about the qualitative difference
> between boutiques and the big guys, I think we can probably all agree that
> the competition and differences the boutiques offer are good for the
> industry as a whole, and driving many of them from business will be bad for
> it.
> On Mon, Aug 31, 2009 at 9:07 AM, Adam Muntner <adam.muntner at quietmove.com>wrote:
>> My expectation is that the licensing requirements, as is the case for many
>> other industries, will be complex and expensive to comply with. The
>> additional financial and administrative overhead will benefit large
>> consulting organizations, at the expense of boutique consultancies, and will
>> not lead to any organizations being served better. It will also drive a lot
>> of very talented and now ethical former Black Hats out of the industry.
>> As someone who has worked for the big guys (IBM 2000-2003), had friends at
>> all the other big guys, worked for other Security boutiques (Accuvant), and
>> founded my own, and been a security officer who has engaged both approaches,
>> it's pretty obvious to me that the specialized boutiques offer,
>> qualitatively, far better service to their clients than do the big guys. But
>> whereas the IBMs, Verizon Business Services, E&Y's etc of the world have
>> lobbyists and fund electoral campaigns, we do not.
>> I can guarantee that an open, volunteer-driven organization like OWASP
>> will have no role in this process, because it's not something the
>> legislators can control. We've also been down the road of an "OWASP
>> Certification" for individuals on this list in the past, and once the
>> cost/benefit and risk became apparrent, it was dubbed something along the
>> lines of how to DoS OWASP.
>> The major problems with InfoSec, inside and outside the Federal
>> Government, are not going to be solved by a new formal certification
>> criteria, but it might make them worse.
>> On Mon, Aug 31, 2009 at 7:04 AM, Marcin Wielgoszewski <marcin at owasp.org>wrote:
>>> I won't be holding my breath.
>>> -Marcin
>>> On Mon, Aug 31, 2009 at 9:53 AM, McGovern, James F (HTSC, IT) <
>>> James.McGovern at thehartford.com> wrote:
>>>>  My take on this says that this could be positive for OWASP as the
>>>> government may also figure out that certification requires competencies in
>>>> certain things such as web application security. Likewise, wouldn't it be
>>>> cool if part of the Government certification, you also had to be certified
>>>> by OWASP.
>>>> On 28 Aug 2009, at 17:56, Adam Muntner <adam.muntner at quietmove.com>
>>>> wrote:
>>>>  http://news.cnet.com/8301-13578_3-10320096-38.html
>>>> The new version would allow the president to "declare a cybersecurity
>>>> emergency" relating to "non-governmental" computer networks and do what's
>>>> necessary to respond to the threat. Other sections of the proposal include a
>>>> federal certification program for "cybersecurity professionals," and a
>>>> requirement that certain computer systems and networks in the private sector
>>>> be managed by people who have been awarded that license.
>>>> I can think of a few ways in which this would negatively impact OWASP.
>>>> Just wanted to make you aware of it, if you haven't seen it in the computer
>>>> press.
>>>>   _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>  ************************************************************
>>>> This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender immediately by return e-mail, delete this communication and destroy all copies.
>>>> ************************************************************
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> --
> Adam Muntner, CISSP
> Managing Partner
> QuietMove, Inc.
> http://www.QuietMove.com
> cellular: 1(602) 793-5969
> office: 1(866) 894-0459
> fax: 1(866) 272-8194
> QuietMove: Information Security Experts
> Penetration Testing, Website Security
> IT Governance, Risk, and Compliance
> ------------------------------
> _______________________________________________
> OWASP-Leaders mailing listOWASP-Leaders at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

Tom Brennan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-leaders/attachments/20090901/80c690fd/attachment.html 

More information about the OWASP-Leaders mailing list