[Owasp-leaders] [Global_education_committee] Commercial delivery of courses based on OWASP materials

Mike Boberski mike.boberski at gmail.com
Sun May 23 12:04:56 EDT 2010

All we're really shooting for here is a phone book, one that's sorted
according to some OWASP artifacts as they are currently categorized, to try
to nudge the planet along in adoption of them, to get consumers of services
of those types to ask for them.

An encapsulating accreditation program(s) of any nature is not doable with
OWASP for many reasons. Many different approaches have been explored over
the past two years or so, the phone book/Drupal-like listing that is run
like the OWASP jobs page is what is possible.

I'm currently even leaning towards further backing off the Drupal listing
and going with what CC/FIPS do, and just putting the company name and contact info
in each listing, to further tweak what I have up there right now, to further
proactively head off any additional concerns. I also would like to work with
Tom to tweak some of the titles, and I could use a hand to further pretty it
up, I know there are folks out there a lot better at that kinda thing than

Let us keep it simple, let us keep in mind that just as there are the
various lists like this one to provide advice and suggestions for
improvement as we move forward with this, that the board is providing direct
oversight, and that OWASP sys admins will retain complete administrative
control, again just like the jobs page.


On Sun, May 23, 2010 at 5:01 AM, John Wilander <john.wilander at owasp.org> wrote:

> 2010/5/23 Brian Bertacini <brian at appsecconsulting.com>
>> I respectfully recommend certain business requirements be validated prior to
>> listing in the commercial services directory.  This will help add legitimacy
>> to the program and reduce the potential for reputation risk caused by
>> potential bad operators.  Please consider the following requirements below:
> That sure makes me less interested in this idea :). As Antonio said, who
> will do all these checks? Since legislation differs quite a lot we'll have
> to have representation in every country or state where
> these companies/institutions/proprietors do their business.
>> 1.  companies/institutions/proprietors listed in the directory are subject to
>> business requirements validation
>>    -  business legitimacy (possess a government issued business license, in
>> good standing with tax collecting entities, etc.)
> We'll have to set up a database of all these companies along with
> timestamps for when we checked their good standing.
>>    -  perform background checks on employees providing services (criminal
>> history checks, etc.)
> In many countries this is not an easy thing. Checking a person's criminal
> history is not a phone call away.
>>    -  minimum levels of insurance (general liability, technology errors &
>> omissions, etc.)
> Again with the database. And just defining what minimum insurance is? It'll
> differ between countries. And a teacher might have good insurance coverage
> in his/her own country but not when abroad.
>> 2. implementation of a quality assurance program
>>    -  develop, maintain and monitor QA standards
>>    -  customer feedback/surveys (to monitor service providers)
>>    -  a method for quality enforcement (remediation, etc.)
> Many smaller consultancy firms do not have QA programs in any formal way.
> That might be a problem for OWASP but let's say Dinis has his own firm and
> wants to be part of this commercial delivery of courses. Does he have to
> develop, maintain and monitor QA standards?
>> 3. formal certification program and code of conduct
>>   -  promote consistent and high-quality delivery of commercial services
>>   -  maintain high ethical standards for service providers
> If you mean a basic "Sign this ethical code of conduct for teachers giving
> courses based on OWASP material" I think it's a good idea. For me, that's
> the only reasonable requirement we can handle.
>    Regards, John
> --
> John Wilander
> Chapter leader OWASP Sweden, http://owaspsweden.blogspot.com
> Conference chair OWASP AppSec Research 2010, http://owasp.se