[Owasp-leaders] Federal licensing for "CybersecurityProfessionals"
seba at owasp.org
Wed Sep 2 03:02:26 EDT 2009
We are currently reviewing how to handle certification questions with the
Global Education Committee (GEC).
Various options are open, and external organisations (such as ISC2) are
proposing to work on this together with OWASP.
Our motivation is to provide the community with high quality training
material, work together with educational institutes worldwide and strengthen
OWASP in being the default body of knowledge when it comes to web
application security resources.
If you can spare a few cycles, join us on the GEC mailing list,
introduce yourself and let's work together on this.
On Tue, Sep 1, 2009 at 2:28 PM, Tom Brennan - OWASP <tomb at owasp.org> wrote:
> James McGovern worked on the OWASP Certification (
> proposal and at OWASP Summit, Portugal we collectively debated this with
> everyone in attendance and it was determined by a majority vote that
> certification would not be a direction for OWASP Foundation Inc., at that
> time and did not pass. At the time we did not have the people able to be
> dedicated to the effort, infrastructure, desire or goals (mission) to do so;
> however, any organization is of course free to use our materials in making a
> better mousetrap. So anyone that wants to start their own company for
> certification or an existing firm (example: ISC2, SAN, ISCA, ISSA, etc... )
> good luck.
> Mano Paul and the Global Education Committee have been working various
> projects, even an online framework, and this would of course fall into that
> bucket (Education). I encourage EVERYONE who would like to work on this or
> any of the many outlined items to actually get involved and spend some
> cycles, see:
> http://www.owasp.org/index.php/Global_Education_Committee review the
> hard work, get on that mailing list and be involved.
> The only guidelines that must be considered by ALL local
> chapters, projects and global committees and the board are outlined as: Code
> of Ethics and Principles, hence: http://www.owasp.org/index.php/About_OWASP
> For those that are not clear, the next OWASP SUMMIT will be at the November
> USA conference Nov 10th-13th where we will actually have a dedicated full
> day for those that are card carrying MEMBERS OF OWASP to cast a vote on some
> very important items affecting OWASP. Details to follow.
> So if you are asking how/who affects the direction of OWASP Foundation
> globally the answer is:
> http://www.owasp.org/index.php/Global_Committee_Pages so get involved
> and/or review http://www.owasp.org/index.php/OWASP_Board_Meetings for
> history information.
> On Mon, Aug 31, 2009 at 10:24 PM, Ralph Durkee <rd at rd1.net> wrote:
>> What you've said really struck a chord, and I agree with all of what you
>> said with respect to the lack of impact of gov regulation and military
>> project efforts. However, I think there has been some progress in other
>> areas of certification, and maybe OWASP can avoid the dangers stated, while
>> finding opportunities elsewhere. I think there are 2 areas of non-gov
>> certifications that have made an impact. The PCI standards can also be
>> viewed as an organization or application certification. While they are far
>> from perfect, they have made significant impact on most of the organizations
>> that have implemented them. Also I think the SANS GIAC personal
>> certifications have made a significant impact on the industry (yes, I do
>> some teaching for SANS and do some PCI consulting). Sure, it's easy to
>> criticize that they also generate plenty of revenue for those on the inside,
>> but they also have had an impact. Of course neither fits the OWASP open
>> volunteerism models, and I don't want to try to DoS OWASP with something we're
>> not ready for, but there are obvious needs in the area that I'd rather see
>> OWASP meet than someone else. I don't know... Maybe it's time to be more
>> flexible in our models.
>> -- Ralph Durkee
>> Rochester OWASP
>> Adam Muntner wrote:
>> Even if you disagree with my comment about the qualitative difference
>> between boutiques and the big guys, I think we can probably all agree that
>> the competition and differences the boutiques offer are good for the
>> industry as a whole, and driving many of them from business will be bad for
>> On Mon, Aug 31, 2009 at 9:07 AM, Adam Muntner <adam.muntner at quietmove.com> wrote:
>>> My expectation is that the licensing requirements, as is the case for
>>> many other industries, will be complex and expensive to comply with. The
>>> additional financial and administrative overhead will benefit large
>>> consulting organizations, at the expense of boutique consultancies, and will
>>> not lead to any organizations being served better. It will also drive a lot
>>> of very talented and now ethical former Black Hats out of the industry.
>>> As someone who has worked for the big guys (IBM 2000-2003), had friends
>>> at all the other big guys, worked for other Security boutiques (Accuvant),
>>> and founded my own, and been a security officer who has engaged both
>>> approaches, it's pretty obvious to me that the specialized boutiques offer,
>>> qualitatively, far better service to their clients than do the big guys. But
>>> whereas the IBMs, Verizon Business Services, E&Y's etc of the world have
>>> lobbyists and fund electoral campaigns, we do not.
>>> I can guarantee that an open, volunteer-driven organization like OWASP
>>> will have no role in this process, because it's not something the
>>> legislators can control. We've also been down the road of an "OWASP
>>> Certification" for individuals on this list in the past, and once the
>>> cost/benefit and risk became apparent, it was dubbed something along the
>>> lines of how to DoS OWASP.
>>> The major problems with InfoSec, inside and outside the Federal
>>> Government, are not going to be solved by new formal certification
>>> criteria, but it might make them worse.
>>> On Mon, Aug 31, 2009 at 7:04 AM, Marcin Wielgoszewski <marcin at owasp.org> wrote:
>>>> I won't be holding my breath.
>>>> On Mon, Aug 31, 2009 at 9:53 AM, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com> wrote:
>>>>> My take on this says that this could be positive for OWASP, as the
>>>>> government may also figure out that certification requires competencies in
>>>>> certain things such as web application security. Likewise, wouldn't it be
>>>>> cool if, as part of the Government certification, you also had to be certified
>>>>> by OWASP?
>>>>> On 28 Aug 2009, at 17:56, Adam Muntner <adam.muntner at quietmove.com> wrote:
>>>>> The new version would allow the president to "declare a cybersecurity
>>>>> emergency" relating to "non-governmental" computer networks and do what's
>>>>> necessary to respond to the threat. Other sections of the proposal include a
>>>>> federal certification program for "cybersecurity professionals," and a
>>>>> requirement that certain computer systems and networks in the private sector
>>>>> be managed by people who have been awarded that license.
>>>>> I can think of a few ways in which this would negatively impact OWASP.
>>>>> Just wanted to make you aware of it, if you haven't seen it in the computer
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>> Adam Muntner, CISSP
>> Managing Partner
>> QuietMove, Inc.
>> cellular: 1(602) 793-5969
>> office: 1(866) 894-0459
>> fax: 1(866) 272-8194
>> QuietMove: Information Security Experts
>> Penetration Testing, Website Security
>> IT Governance, Risk, and Compliance
> Tom Brennan