[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Andre Gironda andre at operations.net
Wed Aug 6 18:59:51 UTC 2014


As far as questions go, most IT certifications have been enumerated
anyways. You can find the real questions and answered online.

For OWASP, perhaps we do the same: provide the questions and answers to the
public. The issue then becomes building a set list of 13k of these q&a's.
Nobody is willing to build such a massive platform. Assuming some person or
group does, it may take them several years.

Best,
Andre
 On Aug 5, 2014 4:48 PM, "Jim Manico" <jim.manico at owasp.org> wrote:

> I personally think OWASP should go full boar into AppSec professional
> certification, but there are real obstacles preventing it from happening
> right now.
>
> 1) Votes among our community have always said "no" to certification
>
> 2) The operational overhead with certification is very significant, and we
> are in the process of rebooting operations with Virtual, our new HR firm
>
> 3) We would be forced to keep exam questions in secret which is against
> our bylaws
>
> I think that if Virtual succeeds in maturing operations as I hope and pray
> that they do, we might be able to reconsider. But right now I feel we need
> to put our energies into current efforts.
>
> Respectfully,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org>
> wrote:
>
> See the item from the SANS newsletter below. (For my taste the last two
> sentences in it are more important in principle, and in my perspective the
> main topic of US national association is obviously ... abstract.) The
> question is *what do you think about OWASP engaging in AppSec
> specialists' certification*? (Probably the question is not new, and we do
> not follow ISACA deliberately, then please send me a link to some
> discussion about it.) Wouldn't it be nice to create a methodology to train
> and examine the AppSec professionals in domains where we supply knowledge
> and tools (dev, test and ... management)?! (I guess it can make our brand
> more interesting for the AppSec crowd, bring more money and make
> dissemination of our tools easier).
>
> ~timur
>
>  --Study Calls for Cyber Security Professional Organization
> (July 28 & August 1, 2014)
> A study from the Pell Center at Salve Regina University in Rhode Island
> acknowledges that "there are not enough people equipped with the
> appropriate knowledge, skills, and abilities to protect the information
> infrastructure, improve resilience, and leverage information technology
> for strategic advantage." The report "proposes the creation of a
> national professional association in cybersecurity to solidify the field
> as a profession, to support individuals engaged in this profession, to
> establish professional standards, prescribe education and training, and
> ... to support the public good."
>
> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>
> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
> Study:
>
> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
> [Editor's Note (Assante): I learned long ago that a people-focused
> approach to cybersecurity brings with it the necessary clarity to
> understand the true nature of the challenges and establishes a clear
> framework for planning, engineering, and implementing measures that can
> be sustained and built upon.  We all know of countless organizations
> that reacted to a specific incident by implementing
> outside-expert-recommended technology only to fail in its deployment and
> operation.  Getting a competent handle on cybersecurity means engaging,
> integrating, equipping and training people to make the difference.  Our
> attention should turn to identifying and enhancing the knowledge and
> skills of cybersecurity professionals as a field while involving
> business architects and engineers to make cyber-informed decisions.
> Getting this right sets the stage for game changing progress in cyber
> resilience and defense.
> (Honan): This is something that I have argued for in the past,
> http://www.net-security.org/article.php?id=1842, To me the issue is not
> one of creating more qualifications for individuals working in the
> field, but on the lack of accountability for those that are practising
> in the industry but are providing below par services or products.
> (Paller): We can do reliable assessments for the technical roles -
> forensics, secure coding, penetration testing, intrusion detection,
> incident response, etc. *but any attempt to reliably measure skills for*
> *security managers and policy people is hopeless*. Why do you think there
> is no certification for corporate managers?]
>
>
> Email us to enforce secure link with your mail servers (domain).
> This message may contain confidential information - you should handle it
> accordingly.
> Ez a levél bizalmas információt tartalmazhat, és ekként kezelendő.
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140806/1f0e13f8/attachment-0001.html>


More information about the OWASP-Leaders mailing list