[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Jim Manico jim.manico at owasp.org
Tue Aug 5 23:43:44 UTC 2014

I personally think OWASP should go full bore into AppSec professional
certification, but there are real obstacles preventing it from happening
right now.

1) Votes among our community have always said "no" to certification

2) The operational overhead with certification is very significant, and we
are in the process of rebooting operations with Virtual, our new HR firm

3) We would be forced to keep exam questions secret, which is against our

I think that if Virtual succeeds in maturing operations as I hope and pray
that they do, we might be able to reconsider. But right now I feel we need
to put our energies into current efforts.

Jim Manico
(808) 652-3805

On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org>

See the item from the SANS newsletter below. (For my taste the last two
sentences in it are more important in principle, and in my perspective the
main topic of US national association is obviously ... abstract.) The
question is *what do you think about OWASP engaging in AppSec specialists'
certification*? (Probably the question is not new, and we do not follow
ISACA deliberately, then please send me a link to some discussion about
it.) Wouldn't it be nice to create a methodology to train and examine the
AppSec professionals in domains where we supply knowledge and tools (dev,
test and ... management)?! (I guess it can make our brand more interesting
for the AppSec crowd, bring more money and make dissemination of our tools


 --Study Calls for Cyber Security Professional Organization
(July 28 & August 1, 2014)
A study from the Pell Center at Salve Regina University in Rhode Island
acknowledges that "there are not enough people equipped with the
appropriate knowledge, skills, and abilities to protect the information
infrastructure, improve resilience, and leverage information technology
for strategic advantage." The report "proposes the creation of a
national professional association in cybersecurity to solidify the field
as a profession, to support individuals engaged in this profession, to
establish professional standards, prescribe education and training, and
... to support the public good."
[Editor's Note (Assante): I learned long ago that a people-focused
approach to cybersecurity brings with it the necessary clarity to
understand the true nature of the challenges and establishes a clear
framework for planning, engineering, and implementing measures that can
be sustained and built upon.  We all know of countless organizations
that reacted to a specific incident by implementing
outside-expert-recommended technology only to fail in its deployment and
operation.  Getting a competent handle on cybersecurity means engaging,
integrating, equipping and training people to make the difference.  Our
attention should turn to identifying and enhancing the knowledge and
skills of cybersecurity professionals as a field while involving
business architects and engineers to make cyber-informed decisions.
Getting this right sets the stage for game changing progress in cyber
resilience and defense.
(Honan): This is something that I have argued for in the past,
http://www.net-security.org/article.php?id=1842. To me the issue is not
one of creating more qualifications for individuals working in the
field, but on the lack of accountability for those that are practising
in the industry but are providing below par services or products.
(Paller): We can do reliable assessments for the technical roles -
forensics, secure coding, penetration testing, intrusion detection,
incident response, etc. *but any attempt to reliably measure skills for*
*security managers and policy people is hopeless*. Why do you think there
is no certification for corporate managers?]

Email us to enforce secure link with your mail servers (domain).
This message may contain confidential information - you should handle it
This letter may contain confidential information and is to be handled accordingly.
