[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification
Jim Manico
jim.manico at owasp.org
Wed Aug 6 19:22:05 UTC 2014
I do not doubt that you are a highly experienced ASS, but yes, the
cert is indeed a hoax. ;) Next time I'm in Germany I'll buy everyone
some beer.
Aloha,
-
Jim Manico
@Manicode
(808) 652-3805
On Aug 6, 2014, at 11:47 AM, Tobias Glemser <tglemser at secuvera.de> wrote:
>> PS: That's the ASS-Cert and it was a hoax. :)
> Sir! You're saying the "certified ASS" I've got proudly printed on my
> business cards is a fake :-0? Can't be real.. :)
>
> I guess the next beer is on you my Hawaiian friend.
>
> Tobias
>
>> -----Original Message-----
>> From: Jim Manico [mailto:jim.manico at owasp.org]
>> Sent: Wednesday, 6 August 2014 18:26
>> To: Tobias Glemser
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNGESICHERT ]
>>
>>> Always keep in mind: In 2012 we already had a "Certified Application
>>> Security Specialist" promoted at AppSecDC
>>
>> PS: That's the ASS-Cert and it was a hoax. :)
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org> wrote:
>>>
>>> Hi there,
>>>
>>> I fully understand the "why is there no OWASP Sticker, pardon me,
>>> OWASP Certificate"-question arises year after year. But to quote Jim
>>>
>>>> 1) Votes among our community have always said "no" to certification
>>> As a community driven organization _this_ is the most relevant thing to
>>> keep in mind in any discussion. If the participants think we should re-think
>>> the topic, because things change over time: Keep on going.
>>>
>>> Always keep in mind: In 2012 we already had a "Certified Application
>>> Security Specialist" promoted at AppSecDC. See
>>> http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
>>>
>>> Tobias
>>>
>>>> -----Original Message-----
>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On behalf of Gary Robinson
>>>> Sent: Wednesday, 6 August 2014 17:17
>>>> To: Andrew Muller
>>>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x' Khrotko (owasp)
>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNGESICHERT ]
>>>>
>>>> Hi,
>>>>
>>>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC
>>>> 27034 Application Security Controls' (hadn't seen before). Would be
>>>> good to see this catch on.
>>>>
>>>> Gary
>>>>
>>>>
>>>>
>>>> Gary D. Robinson, CISSP
>>>>
>>>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org> wrote:
>>>>
>>>>
>>>>
>>>> Microsoft and ISO kinda beat OWASP to the punch on this one with
>>>> 27034.
>>>>
>>>>
>>>>
>>>> On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson
>>>> <gary.robinson at owasp.org> wrote:
>>>>
>>>>
>>>> Yea instead of cert'ing people or code, can we certify
>>>> companies SDLCs for security? Just like a company is certified for
>>>> ISO 9001 or others? Would be great to see things like "Acme is OWASP
>>>> certified for their secure development processes".
>>>>
>>>> If BSIMM or OpenSAMM are anything to go by then education of
>>>> employees will be part of that company SDLC cert.
>>>>
>>>> Gary
>>>>
>>>> Gary D. Robinson, CISSP
>>>>
>>>> On 6 Aug 2014, at 11:36, Andrew Muller
>>>> <andrew.muller at owasp.org> wrote:
>>>>
>>>>
>>>>
>>>> OWASP is good at writing guidance (code review guide) and
>>>> standards (ASVS), so I don't think we should pollute the brand with
>>>> certifications. We could possibly look at certifying organisations
>>>> compliance with these standards but even this stinks of conflict and
>>>> erosion of the OWASP brand.
>>>>
>>>>
>>>> My 2c
>>>>
>>>>
>>>>
>>>> On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary
>>>> <eoin.keary at owasp.org> wrote:
>>>>
>>>>
>>>> I'd love to do something like this but I'm unsure if
>>>> getting students to test production code would warrant any type of
>>>> robust certification. To certify code / help ensure it is secure, we
>>>> really need to build security in rather than just test.
>>>> Certification would have to be a combination of design
>>>> review, source code analysis and testing. Similar to asvs level 4?
>>>> This would take tons of work and require a dedicated
>>>> experienced assessment team.
>>>>
>>>> -ek
>>>>
>>>>
>>>>
>>>> Eoin Keary
>>>> Owasp Global Board
>>>> +353 87 977 2988
>>>> <tel:%2B353%2087%20977%202988>
>>>>
>>>>
>>>> On 6 Aug 2014, at 02:41, Larry Conklin
>>>> <larry.conklin at owasp.org> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> Hi Jim, I would also like to see us move into
>>>> certification but instead of certifying people, I think we should
>>>> consider software. A certification like what Underwriters
>>>> Laboratories offers with their "Seal of Approval". We could start
>>>> small certifying software scanners. We can offer a free
>>>> application(s) with known vulnerabilities that vendors can run their
>>>> code against to measure how well their scanner finds and reports the
>>>> known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and
>>>> Javascript. We could also allow members to run their open source and
>>>> third party application against our code base so we could collect
>>>> comprehensive measurement of the effectiveness of each vendor scanner
>>>> (both open source and third party) and make this available to
>>>> everyone who is considering buying a scanner or a SAS service to scan
>>>> software. The last thing we could do would be to offer our own "seal of
>>>> approval" if the vendor allowed us to independently test their code.
>>>> This would also be a great summer of code for some students. We don't
>>>> need to start big, we just need to start. I have never seen an
>>>> independent study of FindBugs that is not part of a research paper
>>>> and compares other tools. Just my two cents. Hope you all miss the
>>>> majority of the hurricanes. Stay safe!
>>>> Larry
>>>>
>>>>
>>>>
>>>> On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico
>>>> <jim.manico at owasp.org> wrote:
>>>>
>>>>
>>>> I personally think OWASP should go full bore
>>>> into AppSec professional certification, but there are real obstacles
>>>> preventing it from happening right now.
>>>>
>>>> 1) Votes among our community have always said
>>>> "no" to certification
>>>>
>>>> 2) The operational overhead with certification
>>>> is very significant, and we are in the process of rebooting
>>>> operations with Virtual, our new HR firm
>>>>
>>>> 3) We would be forced to keep exam questions
>>>> in secret which is against our bylaws
>>>>
>>>> I think that if Virtual succeeds in maturing
>>>> operations as I hope and pray that they do, we might be able to
>>>> reconsider. But right now I feel we need to put our energies into
>>>> current efforts.
>>>>
>>>> Respectfully,
>>>> --
>>>> Jim Manico
>>>> @Manicode
>>>> (808) 652-3805 <tel:%28808%29%20652-3805>
>>>>
>>>> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko
>>>> (owasp)" <timur at owasp.org> wrote:
>>>>
>>>>
>>>>
>>>> See the item from the SANS newsletter
>>>> below. (For my taste the last two sentences in it are more important
>>>> in principle, and in my perspective the main topic of US national
>>>> association is obviously ... abstract.) The question is what do you
>>>> think about OWASP engaging in AppSec specialists' certification?
>>>> (Probably the question is not new, and we do not follow ISACA
>>>> deliberately, then please send me a link to some discussion about
>>>> it.) Wouldn't it be nice to create a methodology to train and examine
>>>> the AppSec professionals in domains where we supply knowledge and
>>>> tools (dev, test and ... management)?! (I guess it can make our brand
>>>> more interesting for the AppSec crowd, bring more money and make
>>>> dissemination of our tools easier).
>>>>
>>>> ~timur
>>>>
>>>>
>>>> --Study Calls for Cyber Security Professional Organization
>>>> (July 28 & August 1, 2014)
>>>> A study from the Pell Center at Salve Regina University in Rhode Island
>>>> acknowledges that "there are not enough people equipped with the
>>>> appropriate knowledge, skills, and abilities to protect the information
>>>> infrastructure, improve resilience, and leverage information technology
>>>> for strategic advantage." The report "proposes the creation of a
>>>> national professional association in cybersecurity to solidify the field
>>>> as a profession, to support individuals engaged in this profession, to
>>>> establish professional standards, prescribe education and training, and
>>>> ... to support the public good."
>>>>
>>>> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>>>>
>>>> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>>>> Study:
>>>> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
>>>> [Editor's Note (Assante): I learned long ago that a people-focused
>>>> approach to cybersecurity brings with it the necessary clarity to
>>>> understand the true nature of the challenges and establishes a clear
>>>> framework for planning, engineering, and implementing measures that can
>>>> be sustained and built upon. We all know of countless organizations
>>>> that reacted to a specific incident by implementing
>>>> outside-expert-recommended technology only to fail in its deployment and
>>>> operation. Getting a competent handle on cybersecurity means engaging,
>>>> integrating, equipping and training people to make the difference. Our
>>>> attention should turn to identifying and enhancing the knowledge and
>>>> skills of cybersecurity professionals as a field while involving
>>>> business architects and engineers to make cyber-informed decisions.
>>>> Getting this right sets the stage for game changing progress in cyber
>>>> resilience and defense.
>>>> (Honan): This is something that I have argued for in the past,
>>>> http://www.net-security.org/article.php?id=1842. To me the issue is not
>>>> one of creating more qualifications for individuals working in the
>>>> field, but on the lack of accountability for those that are practising
>>>> in the industry but are providing below par services or products.
>>>> (Paller): We can do reliable assessments for the technical roles -
>>>> forensics, secure coding, penetration testing, intrusion detection,
>>>> incident response, etc. but any attempt to reliably measure skills for
>>>> security managers and policy people is hopeless. Why do you think there
>>>> is no certification for corporate managers?]
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders