[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Jim Manico jim.manico at owasp.org
Wed Aug 6 16:26:01 UTC 2014


> Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC

PS: That's the ASS-Cert and it was a hoax. :)

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org> wrote:
>
> Hi there,
>
> I fully understand that the "why is there no OWASP Sticker, pardon me, OWASP Certificate" question arises year after year. But to quote Jim
>
>> 1) Votes among our community have always said "no" to certification
> As a community driven organization _this_ is the most relevant thing to keep in mind in any discussion. If the participants think we should re-think the topic, because things change over time: Keep on going.
>
> Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC
> See http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
>
> Tobias
>
>> -----Original Message-----
>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
>> bounces at lists.owasp.org] On Behalf Of Gary Robinson
>> Sent: Wednesday, 6 August 2014 17:17
>> To: Andrew Muller
>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x' Khrotko
>> (owasp)
>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce //
>> OWASP certification [ Z1 UNGESICHERT ]
>>
>> Hi,
>>
>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC 27034
>> Application Security Controls' (hadn't seen before).  Would be good to see this
>> catch on.
>>
>> Gary
>>
>>
>>
>> Gary D. Robinson, CISSP
>>
>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org> wrote:
>>
>>
>>
>> Microsoft and ISO kinda beat OWASP to the punch on this one with 27034.
>>
>>
>>
>> On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson <gary.robinson at owasp.org> wrote:
>>
>> Yea instead of cert'ing people or code, can we certify companies' SDLCs for
>> security? Just like a company is certified for ISO 9001 or others? Would be
>> great to see things like "Acme is OWASP certified for their secure development
>> processes".
>>
>> If BSIMM or OpenSAMM are anything to go by then education of employees will be
>> part of that company SDLC cert.
>>
>>        Gary
>>
>>        Gary D. Robinson, CISSP
>>
>> On 6 Aug 2014, at 11:36, Andrew Muller <andrew.muller at owasp.org> wrote:
>>
>> OWASP is good at writing guidance (code review guide) and standards (ASVS), so I
>> don't think we should pollute the brand with certifications. We could possibly
>> look at certifying organisations' compliance with these standards but even this
>> stinks of conflict and erosion of the OWASP brand.
>>
>> My 2c
>>
>>
>>
>> On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>
>> I'd love to do something like this but I'm unsure if getting students to test
>> production code would warrant any type of robust certification. To certify code /
>> help ensure it is secure, we really need to build security in rather than just
>> test.
>> Certification would have to be a combination of design review, source code
>> analysis and testing. Similar to ASVS level 4?
>> This would take tons of work and require a dedicated experienced assessment team.
>>
>> -ek
>>
>> Eoin Keary
>> Owasp Global Board
>> +353 87 977 2988
>>
>>
>> On 6 Aug 2014, at 02:41, Larry Conklin <larry.conklin at owasp.org> wrote:
>>
>> Hi Jim, I would also like to see us move into certification, but instead of
>> certifying people I think we should consider software. A certification like what
>> Underwriters Laboratories offers with their "Seal of Approval". We could start
>> small, certifying software scanners. We can offer free application(s) with known
>> vulnerabilities that vendors can run their code against to measure how well their
>> scanner finds and reports the known vulnerabilities. Testing would be C++, Java,
>> C#, PHP, Ruby, and Javascript. We could also allow members to run their open
>> source and third party applications against our code base so we could collect
>> comprehensive measurement of the effectiveness of each vendor scanner (both open
>> source and third party) and make this available to everyone who is considering
>> buying a scanner or a SaaS service to scan software. The last thing we could do
>> would be to offer our own "seal of approval" if the vendor allowed us to
>> independently test their code. This would also be a great summer of code for some
>> students. We don't need to start big, we just need to start. I have never seen an
>> independent study of FindBugs that is not part of a research paper and compares
>> other tools. Just my two cents. Hope you all miss the majority of the hurricanes.
>> Stay safe!
>> Larry
>>
>>
>>
>> On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>> I personally think OWASP should go full bore into AppSec professional
>> certification, but there are real obstacles preventing it from happening right
>> now.
>>
>> 1) Votes among our community have always said "no" to certification
>>
>> 2) The operational overhead with certification is very significant, and we are in
>> the process of rebooting operations with Virtual, our new HR firm
>>
>> 3) We would be forced to keep exam questions in secret which is against our bylaws
>>
>> I think that if Virtual succeeds in maturing operations as I hope and pray that
>> they do, we might be able to reconsider. But right now I feel we need to put our
>> energies into current efforts.
>>
>> Respectfully,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org> wrote:
>>
>>
>>
>> See the item from the SANS newsletter below. (For my taste the last two sentences
>> in it are more important in principle, and in my perspective the main topic of US
>> national association is obviously ... abstract.) The question is what do you
>> think about OWASP engaging in AppSec specialists' certification? (Probably the
>> question is not new, and we do not follow ISACA deliberately, then please send me
>> a link to some discussion about it.) Wouldn't it be nice to create a methodology
>> to train and examine the AppSec professionals in domains where we supply
>> knowledge and tools (dev, test and ... management)?! (I guess it can make our
>> brand more interesting for the AppSec crowd, bring more money and make
>> dissemination of our tools easier).
>>
>> ~timur
>>
>>
>> --Study Calls for Cyber Security Professional Organization
>> (July 28 & August 1, 2014)
>> A study from the Pell Center at Salve Regina University in Rhode Island
>> acknowledges that "there are not enough people equipped with the appropriate
>> knowledge, skills, and abilities to protect the information infrastructure,
>> improve resilience, and leverage information technology for strategic advantage."
>> The report "proposes the creation of a national professional association in
>> cybersecurity to solidify the field as a profession, to support individuals
>> engaged in this profession, to establish professional standards, prescribe
>> education and training, and ... to support the public good."
>> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>> Study:
>> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
>> [Editor's Note (Assante): I learned long ago that a people-focused approach to
>> cybersecurity brings with it the necessary clarity to understand the true nature
>> of the challenges and establishes a clear framework for planning, engineering,
>> and implementing measures that can be sustained and built upon. We all know of
>> countless organizations that reacted to a specific incident by implementing
>> outside-expert-recommended technology only to fail in its deployment and
>> operation. Getting a competent handle on cybersecurity means engaging,
>> integrating, equipping and training people to make the difference. Our attention
>> should turn to identifying and enhancing the knowledge and skills of
>> cybersecurity professionals as a field while involving business architects and
>> engineers to make cyber-informed decisions. Getting this right sets the stage for
>> game changing progress in cyber resilience and defense.
>> (Honan): This is something that I have argued for in the past,
>> http://www.net-security.org/article.php?id=1842. To me the issue is not one of
>> creating more qualifications for individuals working in the field, but on the
>> lack of accountability for those that are practising in the industry but are
>> providing below par services or products.
>> (Paller): We can do reliable assessments for the technical roles - forensics,
>> secure coding, penetration testing, intrusion detection, incident response, etc.
>> but any attempt to reliably measure skills for security managers and policy
>> people is hopeless. Why do you think there is no certification for corporate
>> managers?]
>>
>>
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>

