[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Timur 'x' Khrotko (owasp) timur at owasp.org
Wed Aug 6 16:38:56 UTC 2014


Hi,

As with any organization, our community is not something static or a source of
fixed, authentic assessment, and as leaders we influence the change of
ideology -- within the frame of some basic/holy rules of that ideology/code.

Sidenote: I would suggest not mixing the topics of our certification of
products and people. (Yes, the 'OWASP certified' label on software is what the
market would applaud us for, but it is a different matter and a different thread.)

My comments so far:

The fact that we don't like the way professional certification is done by
other organizations does not mean we are not able to do it better. If there
is objective demand for AppSec professional certification, it is probably
better to establish our own facility to fulfill that demand right, instead of
later complaining again about others doing it in a lame/greedy/etc. manner.
Probably we can show how to do it right, and probably we ought to, if other
players distort the profession.

To my understanding, professional training and certification is a modular
business: methodology, training materials, teaching, facilitation of
courses, examination, facilitation of examination, periodic review of
materials, registration, administration, etc. -- these are distinct
services. As has already been mentioned in this thread, we can do it
with the right partners, staying on the ground comfortable for us:
document/methodology projects, monitoring the conduct, running the registration.

The profit aspect can also be handled in a way we accept as right. The
community, the organization, should not be involved in the high-profit modules
of the business (and probably has to control the profitable modules to
keep them within non-greedy margins). Our organisation needs revenue to support
our operation and more revenue to promote our projects and ideology. We
have transparent channels and handling of money, so I am not too afraid of
channeling more money into it.

Regards,


~timur




On Wed, Aug 6, 2014 at 6:26 PM, Jim Manico <jim.manico at owasp.org> wrote:

> > Always keep in mind: In 2012 we already had a "Certified Application
> > Security Specialist" promoted at AppSecDC
>
> PS: That's the ASS-Cert and it was a hoax. :)
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> > On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org> wrote:
> >
> > Hi there,
> >
> > I fully understand that the "why is there no OWASP Sticker, pardon me, OWASP Certificate"-question arises year after year. But to quote Jim
> >
> >> 1) Votes among our community have always said "no" to certification
> >
> > As a community driven organization _this_ is the most relevant thing to keep in mind in any discussion. If the participants think we should re-think the topic, because things change over time: Keep on going.
> >
> > Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC
> > See http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
> >
> > Tobias
> >
> >> -----Original Message-----
> >> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of Gary Robinson
> >> Sent: Wednesday, 6 August 2014 17:17
> >> To: Andrew Muller
> >> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x' Khrotko (owasp)
> >> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNGESICHERT ]
> >>
> >> Hi,
> >>
> >> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC 27034 Application Security Controls' (hadn't seen it before).  Would be good to see this catch on.
> >>
> >> Gary
> >>
> >>
> >>
> >> Gary D. Robinson, CISSP
> >>
> >> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org> wrote:
> >>
> >>
> >>
> >>    Microsoft and ISO kinda beat OWASP to the punch on this one with 27034.
> >>
> >>
> >>
> >>    On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson <gary.robinson at owasp.org> wrote:
> >>
> >>
> >>        Yea instead of cert'ing people or code, can we certify companies' SDLCs for security? Just like a company is certified for ISO 9001 or others? Would be great to see things like "Acme is OWASP certified for their secure development processes".
> >>
> >>        If BSIMM or OpenSAMM are anything to go by then education of employees will be part of that company SDLC cert.
> >>
> >>        Gary
> >>
> >>        Gary D. Robinson, CISSP
> >>
> >>        On 6 Aug 2014, at 11:36, Andrew Muller <andrew.muller at owasp.org> wrote:
> >>
> >>
> >>
> >>            OWASP is good at writing guidance (code review guide) and standards (ASVS), so I don't think we should pollute the brand with certifications. We could possibly look at certifying organisations' compliance with these standards but even this stinks of conflict and erosion of the OWASP brand.
> >>
> >>
> >>            My 2c
> >>
> >>
> >>
> >>            On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> >>
> >>
> >>                I'd love to do something like this but I'm unsure if getting students to test production code would warrant any type of robust certification. To certify code / help ensure it is secure, we really need to build security in rather than just test.
> >>                Certification would have to be a combination of design review, source code analysis and testing. Similar to ASVS level 4?
> >>                This would take tons of work and require a dedicated experienced assessment team.
> >>
> >>                -ek
> >>
> >>
> >>
> >>                Eoin Keary
> >>                Owasp Global Board
> >>                +353 87 977 2988
> >>
> >>
> >>                On 6 Aug 2014, at 02:41, Larry Conklin <larry.conklin at owasp.org> wrote:
> >>
> >>
> >>
> >>
> >>
> >>                    Hi Jim, I would also like to see us move into certification, but instead of certifying people I think we should consider software. A certification like what Underwriters Laboratories offers with their "Seal of Approval". We could start small, certifying software scanners. We can offer a free application(s) with known vulnerabilities that vendors can run their code against to measure how well their scanner finds and reports the known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and Javascript. We could also allow members to run their open source and third party application against our code base so we could collect comprehensive measurement of the effectiveness of each vendor scanner (both open source and third party) and make this available to everyone who is considering buying a scanner or a SAS service to scan software. The last thing we could do would be to offer our own "seal of approval" if the vendor allowed us to independently test their code. This would also be a great summer of code for some students. We don't need to start big, we just need to start. I have never seen an independent study of FindBugs that is not part of a research paper and compares other tools. Just my two cents.  Hope you all miss the majority of the hurricanes.  Stay safe!
> >>                    Larry
> >>
> >>
> >>
> >>                    On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico <jim.manico at owasp.org> wrote:
> >>
> >>
> >>                        I personally think OWASP should go full bore into AppSec professional certification, but there are real obstacles preventing it from happening right now.
> >>
> >>                        1) Votes among our community have always said "no" to certification
> >>
> >>                        2) The operational overhead with certification is very significant, and we are in the process of rebooting operations with Virtual, our new HR firm
> >>
> >>                        3) We would be forced to keep exam questions in secret which is against our bylaws
> >>
> >>                        I think that if Virtual succeeds in maturing operations as I hope and pray that they do, we might be able to reconsider. But right now I feel we need to put our energies into current efforts.
> >>
> >>                        Respectfully,
> >>                        --
> >>                        Jim Manico
> >>                        @Manicode
> >>                        (808) 652-3805
> >>
> >>                        On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org> wrote:
> >>
> >>
> >>
> >>                            See the item from the SANS newsletter below. (For my taste the last two sentences in it are more important in principle, and in my perspective the main topic of a US national association is obviously ... abstract.) The question is what do you think about OWASP engaging in AppSec specialists' certification? (Probably the question is not new, and we do not follow ISACA deliberately; then please send me a link to some discussion about it.) Wouldn't it be nice to create a methodology to train and examine the AppSec professionals in domains where we supply knowledge and tools (dev, test and ... management)?! (I guess it can make our brand more interesting for the AppSec crowd, bring more money and make dissemination of our tools easier).
> >>
> >>                            ~timur
> >>
> >>
> >>                            --Study Calls for Cyber Security Professional Organization
> >>                            (July 28 & August 1, 2014)
> >>                            A study from the Pell Center at Salve Regina University in Rhode Island acknowledges that "there are not enough people equipped with the appropriate knowledge, skills, and abilities to protect the information infrastructure, improve resilience, and leverage information technology for strategic advantage." The report "proposes the creation of a national professional association in cybersecurity to solidify the field as a profession, to support individuals engaged in this profession, to establish professional standards, prescribe education and training, and ... to support the public good."
> >>
> >>    http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
> >>
> >>    http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
> >>                            Study:
> >>    http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
> >>                            [Editor's Note (Assante): I learned long ago that a people-focused approach to cybersecurity brings with it the necessary clarity to understand the true nature of the challenges and establishes a clear framework for planning, engineering, and implementing measures that can be sustained and built upon.  We all know of countless organizations that reacted to a specific incident by implementing outside-expert-recommended technology only to fail in its deployment and operation.  Getting a competent handle on cybersecurity means engaging, integrating, equipping and training people to make the difference.  Our attention should turn to identifying and enhancing the knowledge and skills of cybersecurity professionals as a field while involving business architects and engineers to make cyber-informed decisions. Getting this right sets the stage for game changing progress in cyber resilience and defense.
> >>                            (Honan): This is something that I have argued for in the past, http://www.net-security.org/article.php?id=1842. To me the issue is not one of creating more qualifications for individuals working in the field, but on the lack of accountability for those that are practising in the industry but are providing below par services or products.
> >>                            (Paller): We can do reliable assessments for the technical roles - forensics, secure coding, penetration testing, intrusion detection, incident response, etc. but any attempt to reliably measure skills for security managers and policy people is hopeless. Why do you think there is no certification for corporate managers?]
> >>
> >>
> >>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>

-- 
Email us to enforce secure link with your mail servers (domain).
This message may contain confidential information - you should handle it 
accordingly.
This message may contain confidential information and should be handled accordingly.