[Owasp-leaders] [Global_education_committee] Commercial delivery of courses based on OWASP materials

John Wilander john.wilander at owasp.org
Sun May 23 05:01:24 EDT 2010

2010/5/23 Brian Bertacini <brian at appsecconsulting.com>

> I respectfully recommend certain business requirements be validated prior
> to listing in the commercial services directory. This will help add
> legitimacy to the program and reduce the potential for reputation risk
> caused by potential bad operators. Please consider the following
> requirements below:

That sure makes me less interested in this idea :). As Antonio said, who
will do all these checks? Since legislation differs quite a lot we'll have
to have representation in every country or state where
these companies/institutions/proprietors do their business.

> 1. companies/institutions/proprietors listed in the directory are subject
> to business requirements validation
>    -  business legitimacy (possess a government issued business license,
>       in good standing with tax collecting entities, etc.)

We'll have to set up a database of all these companies along with timestamps
for when we checked their good standing.

>    -  perform background checks on employees providing services (criminal
> history checks, etc.)

In many countries this is not an easy thing. Checking a person's criminal
history is not a phone call away.

>    -  minimum levels of insurance (general liability, technology errors &
> omissions, etc.)

Again with the database. And just defining what minimum insurance is? It'll
differ between countries. And a teacher might have good insurance coverage
in his/her own country but not when abroad.

> 2. implementation of a quality assurance program
>    -  develop, maintain and monitor QA standards
>    -  customer feedback/surveys (to monitor service providers)
>    -  a method for quality enforcement (remediation, etc.)

Many smaller consultancy firms do not have QA programs in any formal way.
That might be a problem for OWASP but let's say Dinis has his own firm and
wants to be part of this commercial delivery of courses. Does he have to
develop, maintain and monitor QA standards?

> 3. formal certification program and code of conduct
>   -  promote consistent and high-quality delivery of commercial services
>   -  maintain high ethical standards for service providers

If you mean a basic "Sign this ethical code of conduct for teachers giving
courses based on OWASP material" I think it's a good idea. For me, that's
the only reasonable requirement we can handle.

   Regards, John

John Wilander
Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
Conference chair OWASP AppSec Research 2010, http://owasp.se