[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Andrew Muller andrew.muller at owasp.org
Wed Aug 6 13:06:38 UTC 2014


Microsoft and ISO kinda beat OWASP to the punch on this one with 27034.


On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson <gary.robinson at owasp.org>
wrote:

> Yea instead of cert'ing people or code, can we certify companies SDLCs for
> security? Just like a company is certified for ISO 9001 or others? Would be
> great to see things like "Acme is OWASP certified for their secure
> development processes".
>
> If BSIMM or OpenSAMM are anything to go by then education of employees
> will be part of that company SDLC cert.
>
> Gary
>
> Gary D. Robinson, CISSP
>
> On 6 Aug 2014, at 11:36, Andrew Muller <andrew.muller at owasp.org> wrote:
>
> OWASP is good at writing guidance (code review guide) and standards
> (ASVS), so I don't think we should pollute the brand with certifications.
> We could possibly look at certifying organisations compliance with these
> standards but even this stinks of conflict and erosion of the OWASP brand.
>
> My 2c
>
>
> On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>> I'd love to do something like this but I'm unsure if getting students to
>> test production code would warrant any type of robust certification. To
>> certify code / help ensure it is secure, we really need to build security
>> in rather than just test.
>> Certification would have to be a combination of design review, source
>> code analysis and testing. Similar to ASVS level 4?
>> This would take tons of work and require a dedicated experienced
>> assessment team.
>>
>> -ek
>>
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 6 Aug 2014, at 02:41, Larry Conklin <larry.conklin at owasp.org> wrote:
>>
>> Hi Jim, I would also like to see us move into certification but instead
>> of certifying people. I think we should consider software. A certification
>> like what Underwriters Laboratories offers with their "Seal of
>> Approval". We could start small certifying software scanners. We can offer
>> a free application(s) with known vulnerabilities that vendors can run their
>> code against to measure how well their scanner finds and reports the known
>> vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and JavaScript.
>> We could also allow members to run their open source and third party
>> application against our code base so we could collect comprehensive
>> measurement of the effectiveness of each vendor scanner (both open source
>> and third party) and make this available to everyone who is considering
>> buying a scanner or a SAS service to scan software. The last thing we could
>> do would be to offer our own "seal of approval" if the vendor allowed us
>> to independently test their code. This would also be a great summer of code
>> for some students. We don't need to start big we just need to start. I have
>> never seen an independent study of FindBugs that is not part of a research
>> paper and compares other tools. Just my two cents.  Hope you all miss
>> the majority of the hurricanes.  Stay safe! Larry
>>
>>
>> On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> I personally think OWASP should go full bore into AppSec professional
>>> certification, but there are real obstacles preventing it from happening
>>> right now.
>>>
>>> 1) Votes among our community have always said "no" to certification
>>>
>>> 2) The operational overhead with certification is very significant, and
>>> we are in the process of rebooting operations with Virtual, our new HR firm
>>>
>>> 3) We would be forced to keep exam questions in secret which is against
>>> our bylaws
>>>
>>> I think that if Virtual succeeds in maturing operations as I hope and
>>> pray that they do, we might be able to reconsider. But right now I feel we
>>> need to put our energies into current efforts.
>>>
>>> Respectfully,
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org>
>>> wrote:
>>>
>>> See the item from the SANS newsletter below. (For my taste the last two
>>> sentences in it are more important in principle, and in my perspective the
>>> main topic of US national association is obviously ... abstract.) The
>>> question is *what do you think about OWASP engaging in AppSec
>>> specialists' certification*? (Probably the question is not new, and we
>>> do not follow ISACA deliberately, then please send me a link to some
>>> discussion about it.) Wouldn't it be nice to create a methodology to train
>>> and examine the AppSec professionals in domains where we supply knowledge
>>> and tools (dev, test and ... management)?! (I guess it can make our brand
>>> more interesting for the AppSec crowd, bring more money and make
>>> dissemination of our tools easier).
>>>
>>> ~timur
>>>
>>> --Study Calls for Cyber Security Professional Organization
>>> (July 28 & August 1, 2014)
>>> A study from the Pell Center at Salve Regina University in Rhode Island
>>> acknowledges that "there are not enough people equipped with the
>>> appropriate knowledge, skills, and abilities to protect the information
>>> infrastructure, improve resilience, and leverage information technology
>>> for strategic advantage." The report "proposes the creation of a
>>> national professional association in cybersecurity to solidify the field
>>> as a profession, to support individuals engaged in this profession, to
>>> establish professional standards, prescribe education and training, and
>>> ... to support the public good."
>>>
>>> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>>>
>>> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>>> Study:
>>>
>>> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
>>> [Editor's Note (Assante): I learned long ago that a people-focused
>>> approach to cybersecurity brings with it the necessary clarity to
>>> understand the true nature of the challenges and establishes a clear
>>> framework for planning, engineering, and implementing measures that can
>>> be sustained and built upon.  We all know of countless organizations
>>> that reacted to a specific incident by implementing
>>> outside-expert-recommended technology only to fail in its deployment and
>>> operation.  Getting a competent handle on cybersecurity means engaging,
>>> integrating, equipping and training people to make the difference.  Our
>>> attention should turn to identifying and enhancing the knowledge and
>>> skills of cybersecurity professionals as a field while involving
>>> business architects and engineers to make cyber-informed decisions.
>>> Getting this right sets the stage for game changing progress in cyber
>>> resilience and defense.
>>> (Honan): This is something that I have argued for in the past,
>>> http://www.net-security.org/article.php?id=1842, To me the issue is not
>>> one of creating more qualifications for individuals working in the
>>> field, but on the lack of accountability for those that are practising
>>> in the industry but are providing below par services or products.
>>> (Paller): We can do reliable assessments for the technical roles -
>>> forensics, secure coding, penetration testing, intrusion detection,
>>> incident response, etc. *but any attempt to reliably measure skills for*
>>> *security managers and policy people is hopeless*. Why do you think there
>>> is no certification for corporate managers?]
>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>