[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification

Jim Manico jim.manico at owasp.org
Wed Aug 6 19:22:05 UTC 2014


I do not doubt that you are a highly experienced ASS, but yes, the
cert is indeed a hoax. ;) Next time I'm in Germany I'll buy everyone
some beer.

Aloha,
-
Jim Manico
@Manicode
(808) 652-3805

On Aug 6, 2014, at 11:47 AM, Tobias Glemser <tglemser at secuvera.de> wrote:

>> PS: That's the ASS-Cert and it was a hoax. :)
> Sir! You're saying the "certified ASS" I've got proudly printed on my
> business cards is a fake :-0? Can't be real.. :)
>
> I guess the next beer is on you my Hawaiian friend.
>
> Tobias
>
>> -----Original Message-----
>> From: Jim Manico [mailto:jim.manico at owasp.org]
>> Sent: Wednesday, 6 August 2014 18:26
>> To: Tobias Glemser
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce //
>> OWASP certification [ Z1 UNGESICHERT ]
>>
>>> Always keep in mind: In 2012 we already had a "Certified Application
>>> Security Specialist" promoted at AppSecDC
>>
>> PS: That's the ASS-Cert and it was a hoax. :)
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>>
>>>> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org>
>>> wrote:
>>>
>>> Hi there,
>>>
>>> I fully understand the "why is there no OWASP Sticker, pardon me,
>>> OWASP Certificate"-question arises year after year. But to quote Jim
>>>
>>>> 1) Votes among our community have always said "no" to certification
>>> As a community driven organization _this_ is the most relevant thing to
>>> keep in mind in any discussion. If the participants think we should
>>> re-think the topic, because things change over time: Keep on going.
>>>
>>> Always keep in mind: In 2012 we already had a "Certified Application
>>> Security Specialist" promoted at AppSecDC See
>>> http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
>>>
>>> Tobias
>>>
>>>> -----Original Message-----
>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
>>>> bounces at lists.owasp.org] On Behalf Of Gary Robinson
>>>> Sent: Wednesday, 6 August 2014 17:17
>>>> To: Andrew Muller
>>>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x'
>>>> Khrotko (owasp)
>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
>>>> workforce // OWASP certification [ Z1 UNGESICHERT ]
>>>>
>>>> Hi,
>>>>
>>>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC
>>>> 27034 Application Security Controls' (hadn't seen before).  Would be
>>>> good to see this catch on.
>>>>
>>>> Gary
>>>>
>>>>
>>>>
>>>> Gary D. Robinson, CISSP
>>>>
>>>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org>
>>>> wrote:
>>>>
>>>>
>>>>
>>>>   Microsoft and ISO kinda beat OWASP to the punch on this one with
>>>> 27034.
>>>>
>>>>
>>>>
>>>>   On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson
>>>> <gary.robinson at owasp.org> wrote:
>>>>
>>>>
>>>>       Yea instead of cert'ing people or code, can we certify
>>>> companies' SDLCs for security? Just like a company is certified for
>>>> ISO 9001 or others? Would be great to see things like "Acme is OWASP
>>>> certified for their secure development processes".
>>>>
>>>>       If BSIMM or OpenSAMM are anything to go by then education of
>>>> employees will be part of that company SDLC cert.
>>>>
>>>>       Gary
>>>>
>>>>       Gary D. Robinson, CISSP
>>>>
>>>>       On 6 Aug 2014, at 11:36, Andrew Muller
>>>> <andrew.muller at owasp.org> wrote:
>>>>
>>>>
>>>>
>>>>           OWASP is good at writing guidance (code review guide) and
>>>> standards (ASVS), so I don't think we should pollute the brand with
>>>> certifications. We could possibly look at certifying organisations
>>>> compliance with these standards but even this stinks of conflict and
>>>> erosion of the OWASP brand.
>>>>
>>>>
>>>>           My 2c
>>>>
>>>>
>>>>
>>>>           On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary
>>>> <eoin.keary at owasp.org> wrote:
>>>>
>>>>
>>>>               I'd love to do something like this but I'm unsure if
>>>> getting students to test production code would warrant any type of
>>>> robust certification. To certify code / help ensure it is secure, we
>>>> really need to build security in rather than just test.
>>>>               Certification would have to be a combination of design
>>>> review, source code analysis and testing. Similar to asvs level 4?
>>>>               This would take tons of work and require a dedicated
>>>> experienced assessment team.
>>>>
>>>>               -ek
>>>>
>>>>
>>>>
>>>>               Eoin Keary
>>>>               Owasp Global Board
>>>>               +353 87 977 2988
>>>> <tel:%2B353%2087%20977%202988>
>>>>
>>>>
>>>>               On 6 Aug 2014, at 02:41, Larry Conklin
>>>> <larry.conklin at owasp.org> wrote:
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>                   Hi Jim I would also like to see us move into
>>>> certification but instead of certifying people. I think we should
>>>> consider software. A certification like what Underwriters
>>>> Laboratories offers with their "Seal of Approval". We could start
>>>> small certifying software scanners. We can offer a free
>>>> application(s) with known vulnerabilities that vendors can run their
>>>> code against to measure how well their scanner finds and reports the
>>>> known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and
>>>> Javascript. We could also allow members to run their open source and
>>>> third party application against our code base so we could collect
>>>> comprehensive measurement of the effectiveness of each vendor scanner
>>>> (both open source and third party) and make this available to
>>>> everyone who is considering buying a scanner or a SAS service to scan
>>>> software. The last thing we could do would be to offer our own "seal of
>>>> approval" if the vendor allowed us to independently test their code.
>>>> This would also be a great summer of code for some students. We don't
>>>> need to start big we just need to start. I have never seen an
>>>> independent study of FindBugs that is not part of a research paper
>>>> and compares other tools. Just my two cents. Hope you all miss the
>>>> majority of the hurricanes. Stay safe!
>>>> Larry
>>>>
>>>>
>>>>
>>>>                   On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico
>>>> <jim.manico at owasp.org> wrote:
>>>>
>>>>
>>>>                       I personally think OWASP should go full bore
>>>> into AppSec professional certification, but there are real obstacles
>>>> preventing it from happening right now.
>>>>
>>>>                       1) Votes among our community have always said
>>>> "no" to certification
>>>>
>>>>                       2) The operational overhead with certification
>>>> is very significant, and we are in the process of rebooting
>>>> operations with Virtual, our new HR firm
>>>>
>>>>                       3) We would be forced to keep exam questions
>>>> in secret which is against our bylaws
>>>>
>>>>                       I think that if Virtual succeeds in maturing
>>>> operations as I hope and pray that they do, we might be able to
>>>> reconsider. But right now I feel we need to put our energies into
>>>> current efforts.
>>>>
>>>>                       Respectfully,
>>>>                       --
>>>>                       Jim Manico
>>>>                       @Manicode
>>>>                       (808) 652-3805 <tel:%28808%29%20652-3805>
>>>>
>>>>                       On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko
>>>> (owasp)" <timur at owasp.org> wrote:
>>>>
>>>>
>>>>
>>>>                           See the item from the SANS newsletter
>>>> below. (For my taste the last two sentences in it are more important
>>>> in principle, and in my perspective the main topic of US national
>>>> association is obviously ... abstract.) The question is what do you
>>>> think about OWASP engaging in AppSec specialists' certification?
>>>> (Probably the question is not new, and we do not follow ISACA
>>>> deliberately, then please send me a link to some discussion about
>>>> it.) Wouldn't it be nice to create a methodology to train and examine
>>>> the AppSec professionals in domains where we supply knowledge and
>>>> tools (dev, test and ... management)?! (I guess it can make our brand
>>>> more interesting for the AppSec crowd, bring more money and make
>>>> dissemination of our tools easier).
>>>>
>>>>                           ~timur
>>>>
>>>>
>>>> --Study Calls for Cyber Security Professional Organization
>>>> (July 28 & August 1, 2014)
>>>> A study from the Pell Center at Salve Regina University in Rhode Island
>>>> acknowledges that "there are not enough people equipped with the
>>>> appropriate knowledge, skills, and abilities to protect the information
>>>> infrastructure, improve resilience, and leverage information technology
>>>> for strategic advantage." The report "proposes the creation of a
>>>> national professional association in cybersecurity to solidify the field
>>>> as a profession, to support individuals engaged in this profession, to
>>>> establish professional standards, prescribe education and training, and
>>>> ... to support the public good."
>>>>
>>>> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>>>>
>>>> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>>>>
>>>> Study:
>>>> http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf
>>>>
>>>> [Editor's Note (Assante): I learned long ago that a people-focused
>>>> approach to cybersecurity brings with it the necessary clarity to
>>>> understand the true nature of the challenges and establishes a clear
>>>> framework for planning, engineering, and implementing measures that can
>>>> be sustained and built upon. We all know of countless organizations
>>>> that reacted to a specific incident by implementing
>>>> outside-expert-recommended technology only to fail in its deployment and
>>>> operation. Getting a competent handle on cybersecurity means engaging,
>>>> integrating, equipping and training people to make the difference. Our
>>>> attention should turn to identifying and enhancing the knowledge and
>>>> skills of cybersecurity professionals as a field while involving
>>>> business architects and engineers to make cyber-informed decisions.
>>>> Getting this right sets the stage for game changing progress in cyber
>>>> resilience and defense.
>>>> (Honan): This is something that I have argued for in the past,
>>>> http://www.net-security.org/article.php?id=1842, To me the issue is not
>>>> one of creating more qualifications for individuals working in the
>>>> field, but on the lack of accountability for those that are practising
>>>> in the industry but are providing below par services or products.
>>>> (Paller): We can do reliable assessments for the technical roles -
>>>> forensics, secure coding, penetration testing, intrusion detection,
>>>> incident response, etc. but any attempt to reliably measure skills for
>>>> security managers and policy people is hopeless. Why do you think there
>>>> is no certification for corporate managers?]
>>>>
>>>>
>>>>
>>>> Email us to enforce secure link with your mail servers (domain).
>>>> This message may contain confidential information - you should handle
>>>> it accordingly.
>>>> This message may contain confidential information and should be
>>>> handled as such.
>>>>
>>>>
>>>> _______________________________________________
>>>> OWASP-Leaders mailing list
>>>> OWASP-Leaders at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>

