[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Larry Conklin larry.conklin at owasp.org
Wed Aug 6 01:41:15 UTC 2014

Hi Jim, I would also like to see us move into certification, but instead of
certifying people, I think we should consider software: a certification
like what Underwriters Laboratories offers with their "Seal of Approval".
We could start small by certifying software scanners. We can offer
free application(s) with known vulnerabilities that vendors can run their
code against to measure how well their scanner finds and reports the known
vulnerabilities. Testing would be in C++, Java, C#, PHP, Ruby, and JavaScript.
We could also allow members to run their open source and third party
applications against our code base so we could collect comprehensive
measurements of the effectiveness of each vendor scanner (both open source
and third party) and make this available to everyone who is considering
buying a scanner or a SAS service to scan software. The last thing we could
do would be to offer our own "seal of approval" if the vendor allowed us
to independently test their code. This would also be a great Summer of Code
project for some students. We don't need to start big; we just need to start. I have
never seen an independent study of FindBugs that is not part of a research
paper and compares other tools. Just my two cents. Hope you all miss the
majority of the hurricanes. Stay safe!
Larry

On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I personally think OWASP should go full bore into AppSec professional
> certification, but there are real obstacles preventing it from happening
> right now.
> 1) Votes among our community have always said "no" to certification
> 2) The operational overhead with certification is very significant, and we
> are in the process of rebooting operations with Virtual, our new HR firm
> 3) We would be forced to keep exam questions in secret which is against
> our bylaws
> I think that if Virtual succeeds in maturing operations as I hope and pray
> that they do, we might be able to reconsider. But right now I feel we need
> to put our energies into current efforts.
> Respectfully,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org>
> wrote:
> See the item from the SANS newsletter below. (For my taste the last two
> sentences in it are more important in principle, and in my perspective the
> main topic of a US national association is obviously ... abstract.) The
> question is *what do you think about OWASP engaging in AppSec
> specialists' certification*? (Probably the question is not new, and we do
> not follow ISACA deliberately, then please send me a link to some
> discussion about it.) Wouldn't it be nice to create a methodology to train
> and examine the AppSec professionals in domains where we supply knowledge
> and tools (dev, test and ... management)?! (I guess it can make our brand
> more interesting for the AppSec crowd, bring more money and make
> dissemination of our tools easier).
> ~timur
> --Study Calls for Cyber Security Professional Organization
> (July 28 & August 1, 2014)
> A study from the Pell Center at Salve Regina University in Rhode Island
> acknowledges that "there are not enough people equipped with the
> appropriate knowledge, skills, and abilities to protect the information
> infrastructure, improve resilience, and leverage information technology
> for strategic advantage." The report "proposes the creation of a
> national professional association in cybersecurity to solidify the field
> as a profession, to support individuals engaged in this profession, to
> establish professional standards, prescribe education and training, and
> ... to support the public good."
> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
> Study:
> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
> [Editor's Note (Assante): I learned long ago that a people-focused
> approach to cybersecurity brings with it the necessary clarity to
> understand the true nature of the challenges and establishes a clear
> framework for planning, engineering, and implementing measures that can
> be sustained and built upon.  We all know of countless organizations
> that reacted to a specific incident by implementing
> outside-expert-recommended technology only to fail in its deployment and
> operation.  Getting a competent handle on cybersecurity means engaging,
> integrating, equipping and training people to make the difference.  Our
> attention should turn to identifying and enhancing the knowledge and
> skills of cybersecurity professionals as a field while involving
> business architects and engineers to make cyber-informed decisions.
> Getting this right sets the stage for game changing progress in cyber
> resilience and defense.
> (Honan): This is something that I have argued for in the past,
> http://www.net-security.org/article.php?id=1842. To me the issue is not
> one of creating more qualifications for individuals working in the
> field, but the lack of accountability for those that are practising
> in the industry but are providing below par services or products.
> (Paller): We can do reliable assessments for the technical roles -
> forensics, secure coding, penetration testing, intrusion detection,
> incident response, etc. *but any attempt to reliably measure skills for*
> *security managers and policy people is hopeless*. Why do you think there
> is no certification for corporate managers?]
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders