[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Tobias Glemser tobias.glemser at owasp.org
Wed Aug 6 15:31:51 UTC 2014


Hi there,

I fully understand why the "why is there no OWASP Sticker, pardon me, OWASP Certificate" question arises year after year. But to quote Jim

> 1) Votes among our community have always said "no" to certification
As a community-driven organization, _this_ is the most relevant thing to keep in mind in any discussion. If the participants think we should re-think the topic because things change over time: keep on going.

Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC
See http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html 

Tobias

> -----Original Message-----
> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of Gary Robinson
> Sent: Wednesday, 6 August 2014 17:17
> To: Andrew Muller
> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x' Khrotko (owasp)
> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNSECURED ]
> 
> Hi,
> 
> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC 27034 Application Security Controls' (hadn't seen before). Would be good to see this catch on.
> 
> Gary
> 
> Gary D. Robinson, CISSP
> 
> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org> wrote:
> 
> Microsoft and ISO kinda beat OWASP to the punch on this one with 27034.
> 
> 
> 
> On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson <gary.robinson at owasp.org> wrote:
> 
> Yeah, instead of cert'ing people or code, can we certify companies' SDLCs for security? Just like a company is certified for ISO 9001 or others? Would be great to see things like "Acme is OWASP certified for their secure development processes".
> 
> If BSIMM or OpenSAMM are anything to go by then education of employees will be part of that company SDLC cert.
> 
> Gary
> 
> Gary D. Robinson, CISSP
> 
> On 6 Aug 2014, at 11:36, Andrew Muller <andrew.muller at owasp.org> wrote:
> 
> OWASP is good at writing guidance (code review guide) and standards (ASVS), so I don't think we should pollute the brand with certifications. We could possibly look at certifying organisations' compliance with these standards, but even this stinks of conflict and erosion of the OWASP brand.
> 
> 
> My 2c
> 
> 
> 
> On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> 
> I'd love to do something like this but I'm unsure if getting students to test production code would warrant any type of robust certification. To certify code / help ensure it is secure, we really need to build security in rather than just test.
> Certification would have to be a combination of design review, source code analysis and testing. Similar to ASVS level 4?
> This would take tons of work and require a dedicated, experienced assessment team.
> 
> -ek
> 
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> 
> 
> On 6 Aug 2014, at 02:41, Larry Conklin <larry.conklin at owasp.org> wrote:
> 
> Hi Jim, I would also like to see us move into certification, but instead of certifying people I think we should consider software. A certification like what Underwriters Laboratories offers with their "Seal of Approval". We could start small, certifying software scanners. We can offer free application(s) with known vulnerabilities that vendors can run their code against to measure how well their scanner finds and reports the known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and JavaScript. We could also allow members to run their open source and third party applications against our code base so we could collect comprehensive measurement of the effectiveness of each vendor scanner (both open source and third party) and make this available to everyone who is considering buying a scanner or a SaaS service to scan software. The last thing we could do would be to offer our own "seal of approval" if the vendor allowed us to independently test their code. This would also be a great summer of code for some students. We don't need to start big, we just need to start. I have never seen an independent study of FindBugs that is not part of a research paper and compares other tools. Just my two cents. Hope you all miss the majority of the hurricanes. Stay safe!
> Larry
> 
> 
> 
> On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico <jim.manico at owasp.org> wrote:
> 
> I personally think OWASP should go full bore into AppSec professional certification, but there are real obstacles preventing it from happening right now.
> 
> 1) Votes among our community have always said "no" to certification
> 
> 2) The operational overhead with certification is very significant, and we are in the process of rebooting operations with Virtual, our new HR firm
> 
> 3) We would be forced to keep exam questions secret, which is against our bylaws
> 
> I think that if Virtual succeeds in maturing operations as I hope and pray that they do, we might be able to reconsider. But right now I feel we need to put our energies into current efforts.
> 
> Respectfully,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org> wrote:
> 
> See the item from the SANS newsletter below. (For my taste the last two sentences in it are more important in principle, and in my perspective the main topic of a US national association is obviously ... abstract.) The question is: what do you think about OWASP engaging in AppSec specialists' certification? (Probably the question is not new, and we do not follow ISACA deliberately; then please send me a link to some discussion about it.) Wouldn't it be nice to create a methodology to train and examine AppSec professionals in domains where we supply knowledge and tools (dev, test and ... management)?! (I guess it can make our brand more interesting for the AppSec crowd, bring more money and make dissemination of our tools easier).
> 
> ~timur
> 
> --Study Calls for Cyber Security Professional Organization
> (July 28 & August 1, 2014)
> A study from the Pell Center at Salve Regina University in Rhode Island acknowledges that "there are not enough people equipped with the appropriate knowledge, skills, and abilities to protect the information infrastructure, improve resilience, and leverage information technology for strategic advantage." The report "proposes the creation of a national professional association in cybersecurity to solidify the field as a profession, to support individuals engaged in this profession, to establish professional standards, prescribe education and training, and ... to support the public good."
> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
> Study:
> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
> [Editor's Note (Assante): I learned long ago that a people-focused approach to cybersecurity brings with it the necessary clarity to understand the true nature of the challenges and establishes a clear framework for planning, engineering, and implementing measures that can be sustained and built upon. We all know of countless organizations that reacted to a specific incident by implementing outside-expert-recommended technology only to fail in its deployment and operation. Getting a competent handle on cybersecurity means engaging, integrating, equipping and training people to make the difference. Our attention should turn to identifying and enhancing the knowledge and skills of cybersecurity professionals as a field while involving business architects and engineers to make cyber-informed decisions. Getting this right sets the stage for game-changing progress in cyber resilience and defense.
> (Honan): This is something that I have argued for in the past, http://www.net-security.org/article.php?id=1842. To me the issue is not one of creating more qualifications for individuals working in the field, but of the lack of accountability for those that are practising in the industry but are providing below-par services or products.
> (Paller): We can do reliable assessments for the technical roles - forensics, secure coding, penetration testing, intrusion detection, incident response, etc. - but any attempt to reliably measure skills for security managers and policy people is hopeless. Why do you think there is no certification for corporate managers?]
> 
> 
> 
> 
> 
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders



