[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Tobias Glemser tobias.glemser at owasp.org
Wed Aug 6 18:48:51 UTC 2014


> PS: That's the ASS-Cert and it was a hoax. :)
Sir! You're saying the "certified ASS" I've got proudly printed on my business cards is a fake :-0? Can't be real.. :)

I guess the next beer is on you my Hawaiian friend.

Tobias

> -----Original Message-----
> From: Jim Manico [mailto:jim.manico at owasp.org]
> Sent: Wednesday, 6 August 2014 18:26
> To: Tobias Glemser
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce //
> OWASP certification
> 
> > Always keep in mind: In 2012 we already had a "Certified Application
> > Security Specialist" promoted at AppSecDC
> 
> PS: That's the ASS-Cert and it was a hoax. :)
> 
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> 
> > On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org>
> > wrote:
> >
> > Hi there,
> >
> > I fully understand the "why is there no OWASP Sticker, pardon me,
> > OWASP Certificate"-question arises year after year. But to quote Jim
> >
> >> 1) Votes among our community have always said "no" to certification
> > As a community driven organization _this_ is the most relevant thing to keep
> > in mind in any discussion. If the participants think we should re-think the
> > topic, because things change over time: Keep on going.
> >
> > Always keep in mind: In 2012 we already had a "Certified Application
> > Security Specialist" promoted at AppSecDC See
> > http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
> >
> > Tobias
> >
> >> -----Original Message-----
> >> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
> >> bounces at lists.owasp.org] On Behalf Of Gary Robinson
> >> Sent: Wednesday, 6 August 2014 17:17
> >> To: Andrew Muller
> >> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x'
> >> Khrotko (owasp)
> >> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
> >> workforce // OWASP certification
> >>
> >> Hi,
> >>
> >> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC
> >> 27034 Application Security Controls' (hadn't seen before).  Would be
> >> good to see this catch on.
> >>
> >> Gary
> >>
> >>
> >>
> >> Gary D. Robinson, CISSP
> >>
> >> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org>
> >> wrote:
> >>
> >>
> >>
> >>    Microsoft and ISO kinda beat OWASP to the punch on this one with
> >> 27034.
> >>
> >>
> >>
> >>    On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson
> >> <gary.robinson at owasp.org> wrote:
> >>
> >>
> >>        Yea instead of cert'ing people or code, can we certify
> >> companies SDLCs for security? Just like a company is certified for
> >> ISO 9001 or others? Would be great to see things like "Acme is OWASP
> >> certified for their secure development processes".
> >>
> >>        If BSIMM or OpenSAMM are anything to go by then education of
> >> employees will be part of that company SDLC cert.
> >>
> >>        Gary
> >>
> >>        Gary D. Robinson, CISSP
> >>
> >>        On 6 Aug 2014, at 11:36, Andrew Muller
> >> <andrew.muller at owasp.org> wrote:
> >>
> >>
> >>
> >>            OWASP is good at writing guidance (code review guide) and
> >> standards (ASVS), so I don't think we should pollute the brand with
> >> certifications. We could possibly look at certifying organisations
> >> compliance with these standards but even this stinks of conflict and
> >> erosion of the OWASP brand.
> >>
> >>
> >>            My 2c
> >>
> >>
> >>
> >>            On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary
> >> <eoin.keary at owasp.org> wrote:
> >>
> >>
> >>                Id love to do something like this but I'm unsure if
> >> getting students to test production code would warrant any type of
> >> robust certification. To certify code / help ensure it is secure, we
> >> really need to build security in rather than just test.
> >>                Certification would have to be a combination of design
> >> review, source code analysis and testing. Similar to asvs level 4?
> >>                This would take tons of work and require a dedicated
> >> experienced assessment team.
> >>
> >>                -ek
> >>
> >>
> >>
> >>                Eoin Keary
> >>                Owasp Global Board
> >>                +353 87 977 2988
> >>
> >>
> >>                On 6 Aug 2014, at 02:41, Larry Conklin
> >> <larry.conklin at owasp.org> wrote:
> >>
> >>
> >>
> >>
> >>
> >> Hi Jim I would also like to see us move into certification but instead of
> >> certifying people. I think we should consider software. A certification like
> >> what Underwriters Laboratories offers with their "Seal of Approval". We could
> >> start small certifying software scanners. We can offer a free application(s)
> >> with known vulnerabilities that vendors can run their code against to measure
> >> how well their scanner finds and reports the known vulnerabilities. Testing
> >> would be C++, Java, C#, PHP, Ruby, and Javascript. We could also allow members
> >> to run their open source and third party application against our code base so
> >> we could collect comprehensive measurement of the effectiveness of each vendor
> >> scanner (both open source and third party) and make this available to everyone
> >> who is considering buying a scanner or a SAS service to scan software. The last
> >> thing we could do would be to offer our own "seal of approval" if the vendor
> >> allowed us to independently test their code. This would also be a great summer
> >> of code for some students. We don't need to start big we just need to start. I
> >> have never seen an independent study of FindBugs that is not part of a research
> >> paper and compares other tools. Just my two cents. Hope you all miss the
> >> majority of the hurricanes. Stay safe!
> >> Larry
> >>
> >>
> >>
> >>                    On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico
> >> <jim.manico at owasp.org> wrote:
> >>
> >>
> >>                        I personally think OWASP should go full bore
> >> into AppSec professional certification, but there are real obstacles
> >> preventing it from happening right now.
> >>
> >>                        1) Votes among our community have always said
> >> "no" to certification
> >>
> >>                        2) The operational overhead with certification
> >> is very significant, and we are in the process of rebooting
> >> operations with Virtual, our new HR firm
> >>
> >>                        3) We would be forced to keep exam questions
> >> in secret which is against our bylaws
> >>
> >>                        I think that if Virtual succeeds in maturing
> >> operations as I hope and pray that they do, we might be able to
> >> reconsider. But right now I feel we need to put our energies into
> >> current efforts.
> >>
> >>                        Respectfully,
> >>                        --
> >>                        Jim Manico
> >>                        @Manicode
> >>                        (808) 652-3805
> >>
> >>                        On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko
> >> (owasp)" <timur at owasp.org> wrote:
> >>
> >>
> >>
> >> See the item from the SANS newsletter below. (For my taste the last two
> >> sentences in it are more important in principle, and in my perspective the
> >> main topic of US national association is obviously ... abstract.) The question
> >> is what do you think about OWASP engaging in AppSec specialists'
> >> certification? (Probably the question is not new, and we do not follow ISACA
> >> deliberately, then please send me a link to some discussion about it.)
> >> Wouldn't it be nice to create a methodology to train and examine the AppSec
> >> professionals in domains where we supply knowledge and tools (dev, test and
> >> ... management)?! (I guess it can make our brand more interesting for the
> >> AppSec crowd, bring more money and make dissemination of our tools easier).
> >>
> >> ~timur
> >>
> >>
> >> --Study Calls for Cyber Security Professional Organization
> >> (July 28 & August 1, 2014)
> >> A study from the Pell Center at Salve Regina University in Rhode Island
> >> acknowledges that "there are not enough people equipped with the
> >> appropriate knowledge, skills, and abilities to protect the information
> >> infrastructure, improve resilience, and leverage information technology
> >> for strategic advantage." The report "proposes the creation of a national
> >> professional association in cybersecurity to solidify the field as a
> >> profession, to support individuals engaged in this profession, to
> >> establish professional standards, prescribe education and training, and
> >> ... to support the public good."
> >> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
> >> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
> >> Study:
> >> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
> >> [Editor's Note (Assante): I learned long ago that a people-focused
> >> approach to cybersecurity brings with it the necessary clarity to
> >> understand the true nature of the challenges and establishes a clear
> >> framework for planning, engineering, and implementing measures that can
> >> be sustained and built upon. We all know of countless organizations that
> >> reacted to a specific incident by implementing outside-expert-recommended
> >> technology only to fail in its deployment and operation. Getting a
> >> competent handle on cybersecurity means engaging, integrating, equipping
> >> and training people to make the difference. Our attention should turn to
> >> identifying and enhancing the knowledge and skills of cybersecurity
> >> professionals as a field while involving business architects and
> >> engineers to make cyber-informed decisions. Getting this right sets the
> >> stage for game changing progress in cyber resilience and defense.
> >> (Honan): This is something that I have argued for in the past,
> >> http://www.net-security.org/article.php?id=1842, To me the issue is not
> >> one of creating more qualifications for individuals working in the field,
> >> but on the lack of accountability for those that are practising in the
> >> industry but are providing below par services or products.
> >> (Paller): We can do reliable assessments for the technical roles -
> >> forensics, secure coding, penetration testing, intrusion detection,
> >> incident response, etc. but any attempt to reliably measure skills for
> >> security managers and policy people is hopeless. Why do you think there
> >> is no certification for corporate managers?]
> >>
> >>
> >>
> >>
> >>
> >>    _______________________________________________
> >>    OWASP-Leaders mailing list
> >>    OWASP-Leaders at lists.owasp.org
> >>    https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >


