[Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification
(P7N) Jason Johnson
jason.johnson at p7n.net
Wed Aug 6 20:27:03 UTC 2014
Crap....I need to get that off my resume.
On August 6, 2014 2:22:05 PM CDT, Jim Manico <jim.manico at owasp.org> wrote:
>I do not doubt that you are a highly experienced ASS, but yes, the
>cert is indeed a hoax. ;) Next time I'm in Germany I'll buy everyone
>some beer.
>
>Aloha,
>-
>Jim Manico
>@Manicode
>(808) 652-3805
>
>On Aug 6, 2014, at 11:47 AM, Tobias Glemser <tglemser at secuvera.de>
>wrote:
>
>>> PS: That's the ASS-Cert and it was a hoax. :)
>> Sir! You're saying the "certified ASS" I've got proudly printed on my
>> business cards is a fake :-0? Can't be real.. :)
>>
>> I guess the next beer is on you my Hawaiian friend.
>>
>> Tobias
>>
>>> -----Original Message-----
>>> From: Jim Manico [mailto:jim.manico at owasp.org]
>>> Sent: Wednesday, 6 August 2014 18:26
>>> To: Tobias Glemser
>>> Cc: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNGESICHERT ]
>>>
>>>> Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC
>>>
>>> PS: That's the ASS-Cert and it was a hoax. :)
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>>> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org> wrote:
>>>>
>>>> Hi there,
>>>>
>>>> I fully understand the "why is there no OWASP Sticker, pardon me, OWASP Certificate"-question arises year after year. But to quote Jim
>>>>
>>>>> 1) Votes among our community have always said "no" to certification
>>>> As a community-driven organization _this_ is the most relevant thing to keep in mind in any discussion. If the participants think we should re-think the topic, because things change over time: Keep on going.
>>>>
>>>> Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC. See
>>>> http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
>>>>
>>>> Tobias
>>>>
>>>>> -----Original Message-----
>>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Gary Robinson
>>>>> Sent: Wednesday, 6 August 2014 17:17
>>>>> To: Andrew Muller
>>>>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x' Khrotko (owasp)
>>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNGESICHERT ]
>>>>>
>>>>> Hi,
>>>>>
>>>>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC 27034 Application Security Controls' (hadn't seen before). Would be good to see this catch on.
>>>>>
>>>>> Gary
>>>>>
>>>>>
>>>>>
>>>>> Gary D. Robinson, CISSP
>>>>>
>>>>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>> Microsoft and ISO kinda beat OWASP to the punch on this one with
>>>>> 27034.
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson
>>>>> <gary.robinson at owasp.org> wrote:
>>>>>
>>>>>
>>>>> Yea instead of cert'ing people or code, can we certify companies' SDLCs for security? Just like a company is certified for ISO 9001 or others? Would be great to see things like "Acme is OWASP certified for their secure development processes".
>>>>>
>>>>> If BSIMM or OpenSAMM are anything to go by then education of
>>>>> employees will be part of that company SDLC cert.
>>>>>
>>>>> Gary
>>>>>
>>>>> Gary D. Robinson, CISSP
>>>>>
>>>>> On 6 Aug 2014, at 11:36, Andrew Muller
>>>>> <andrew.muller at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>> OWASP is good at writing guidance (code review guide) and standards (ASVS), so I don't think we should pollute the brand with certifications. We could possibly look at certifying organisations' compliance with these standards but even this stinks of conflict and erosion of the OWASP brand.
>>>>>
>>>>>
>>>>> My 2c
>>>>>
>>>>>
>>>>>
>>>>> On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary
>>>>> <eoin.keary at owasp.org> wrote:
>>>>>
>>>>>
>>>>> I'd love to do something like this but I'm unsure if getting students to test production code would warrant any type of robust certification. To certify code / help ensure it is secure, we really need to build security in rather than just test. Certification would have to be a combination of design review, source code analysis and testing. Similar to ASVS level 4? This would take tons of work and require a dedicated experienced assessment team.
>>>>>
>>>>> -ek
>>>>>
>>>>>
>>>>>
>>>>> Eoin Keary
>>>>> Owasp Global Board
>>>>> +353 87 977 2988
>>>>>
>>>>>
>>>>> On 6 Aug 2014, at 02:41, Larry Conklin
>>>>> <larry.conklin at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hi Jim, I would also like to see us move into certification but instead of certifying people. I think we should consider software. A certification like what Underwriters Laboratories offers with their "Seal of Approval". We could start small certifying software scanners. We can offer a free application(s) with known vulnerabilities that vendors can run their code against to measure how well their scanner finds and reports the known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and Javascript. We could also allow members to run their open source and third party application against our code base so we could collect comprehensive measurement of the effectiveness of each vendor scanner (both open source and third party) and make this available to everyone who is considering buying a scanner or a SAS service to scan software. The last thing we could do would be to offer our own "seal of approval" if the vendor allowed us to independently test their code. This would also be a great summer of code for some students. We don't need to start big, we just need to start. I have never seen an independent study of FindBugs that is not part of a research paper and compares other tools. Just my two cents. Hope you all miss the majority of the hurricanes. Stay safe!
>>>>> Larry
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico
>>>>> <jim.manico at owasp.org> wrote:
>>>>>
>>>>>
>>>>> I personally think OWASP should go full bore into AppSec professional certification, but there are real obstacles preventing it from happening right now.
>>>>>
>>>>> 1) Votes among our community have always said "no" to certification
>>>>>
>>>>> 2) The operational overhead with certification is very significant, and we are in the process of rebooting operations with Virtual, our new HR firm
>>>>>
>>>>> 3) We would be forced to keep exam questions in secret which is against our bylaws
>>>>>
>>>>> I think that if Virtual succeeds in maturing operations as I hope and pray that they do, we might be able to reconsider. But right now I feel we need to put our energies into current efforts.
>>>>>
>>>>> Respectfully,
>>>>> --
>>>>> Jim Manico
>>>>> @Manicode
>>>>> (808) 652-3805
>>>>>
>>>>> On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>> See the item from the SANS newsletter below. (For my taste the last two sentences in it are more important in principle, and in my perspective the main topic of US national association is obviously ... abstract.) The question is what do you think about OWASP engaging in AppSec specialists' certification? (Probably the question is not new, and we do not follow ISACA deliberately, then please send me a link to some discussion about it.) Wouldn't it be nice to create a methodology to train and examine the AppSec professionals in domains where we supply knowledge and tools (dev, test and ... management)?! (I guess it can make our brand more interesting for the AppSec crowd, bring more money and make dissemination of our tools easier).
>>>>>
>>>>> ~timur
>>>>>
>>>>>
>>>>> --Study Calls for Cyber Security Professional Organization
>>>>> (July 28 & August 1, 2014)
>>>>> A study from the Pell Center at Salve Regina University in Rhode Island acknowledges that "there are not enough people equipped with the appropriate knowledge, skills, and abilities to protect the information infrastructure, improve resilience, and leverage information technology for strategic advantage." The report "proposes the creation of a national professional association in cybersecurity to solidify the field as a profession, to support individuals engaged in this profession, to establish professional standards, prescribe education and training, and ... to support the public good."
>>>>>
>>>>> http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>>>>>
>>>>> http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>>>>> Study:
>>>>> http://pel