[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Dinis Cruz dinis.cruz at owasp.org
Wed Aug 6 08:31:39 UTC 2014

Hi Timur, see this post for a model that (in my view) is one that can work at
owasp: http://blog.diniscruz.com/2010/11/owasp-and-certifications.html

At the last Summit (2011) we created the 'Code of Conduct Red book' which
provided a set of more official guidelines on how to do certification at
owasp: https://www.owasp.org/index.php/OWASP_Codes_of_Conduct

For an example of what a set of public questions/answers could look like,
take a look at
On 5 Aug 2014 22:24, "Timur 'x' Khrotko (owasp)" <timur at owasp.org> wrote:

> See the item from the SANS newsletter below. (For my taste the last two
> sentences in it are more important in principle, and in my perspective the
> main topic of US national association is obviously ... abstract.) The
> question is *what do you think about OWASP engaging in AppSec
> specialists' certification*? (Probably the question is not new, and we do
> not follow ISACA deliberately, then please send me a link to some
> discussion about it.) Wouldn't it be nice to create a methodology to train
> and examine the AppSec professionals in domains where we supply knowledge
> and tools (dev, test and ... management)?! (I guess it can make our brand
> more interesting for the AppSec crowd, bring more money and make
> dissemination of our tools easier).
> ~timur
> --Study Calls for Cyber Security Professional Organization
> (July 28 & August 1, 2014)
> A study from the Pell Center at Salve Regina University in Rhode Island
> acknowledges that "there are not enough people equipped with the
> appropriate knowledge, skills, and abilities to protect the information
> infrastructure, improve resilience, and leverage information technology
> for strategic advantage." The report "proposes the creation of a
> national professional association in cybersecurity to solidify the field
> as a profession, to support individuals engaged in this profession, to
> establish professional standards, prescribe education and training, and
> ... to support the public good."
> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
> Study:
> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
> [Editor's Note (Assante): I learned long ago that a people-focused
> approach to cybersecurity brings with it the necessary clarity to
> understand the true nature of the challenges and establishes a clear
> framework for planning, engineering, and implementing measures that can
> be sustained and built upon.  We all know of countless organizations
> that reacted to a specific incident by implementing
> outside-expert-recommended technology only to fail in its deployment and
> operation.  Getting a competent handle on cybersecurity means engaging,
> integrating, equipping and training people to make the difference.  Our
> attention should turn to identifying and enhancing the knowledge and
> skills of cybersecurity professionals as a field while involving
> business architects and engineers to make cyber-informed decisions.
> Getting this right sets the stage for game changing progress in cyber
> resilience and defense.
> (Honan): This is something that I have argued for in the past,
> http://www.net-security.org/article.php?id=1842, To me the issue is not
> one of creating more qualifications for individuals working in the
> field, but on the lack of accountability for those that are practising
> in the industry but are providing below par services or products.
> (Paller): We can do reliable assessments for the technical roles -
> forensics, secure coding, penetration testing, intrusion detection,
> incident response, etc. *but any attempt to reliably measure skills for*
> *security managers and policy people is hopeless*. Why do you think there
> is no certification for corporate managers?]
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders