[Owasp-leaders] professionalizing the cybersecurity workforce //OWASP certification

Donald don.gooden at gmail.com
Thu Aug 7 01:20:43 UTC 2014


You guys are funny...

Thanks for the laugh...

Enjoy it...

D

-----Original Message-----
From: "(P7N) Jason Johnson" <jason.johnson at p7n.net>
Sent: 8/6/2014 4:33 PM
To: "Jim Manico" <jim.manico at owasp.org>; "Tobias Glemser" <tglemser at secuvera.de>
Cc: "owasp-leaders at lists.owasp.org" <owasp-leaders at lists.owasp.org>
Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce //OWASP certification


Crap.... I need to get that off my resume

On August 6, 2014 2:22:05 PM CDT, Jim Manico <jim.manico at owasp.org> wrote:
>I do not doubt that you are a highly experienced ASS, but yes, the
>cert is indeed a hoax. ;) Next time I'm in Germany I'll buy everyone
>some beer.
>
>Aloha,
>-
>Jim Manico
>@Manicode
>(808) 652-3805
>
>On Aug 6, 2014, at 11:47 AM, Tobias Glemser <tglemser at secuvera.de>
>wrote:
>
>>> PS: That's the ASS-Cert and it was a hoax. :)
>> Sir! You're saying the "certified ASS" I've got proudly printed on my
>> business cards is a fake :-0? Can't be real.. :)
>>
>> I guess the next beer is on you my Hawaiian friend.
>>
>> Tobias
>>
>>> -----Original Message-----
>>> From: Jim Manico [mailto:jim.manico at owasp.org]
>>> Sent: Wednesday, 6 August 2014 18:26
>>> To: Tobias Glemser
>>> Cc: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNGESICHERT ]
>>>
>>>> Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC
>>>
>>> PS: That's the ASS-Cert and it was a hoax. :)
>>>
>>> Aloha,
>>> --
>>> Jim Manico
>>> @Manicode
>>> (808) 652-3805
>>>
>>>> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org> wrote:
>>>>
>>>> Hi there,
>>>>
>>>> I fully understand that the "why is there no OWASP Sticker, pardon me, OWASP Certificate" question arises year after year. But to quote Jim
>>>>
>>>>> 1) Votes among our community have always said "no" to certification
>>>> As a community driven organization _this_ is the most relevant thing to keep in mind in any discussion. If the participants think we should re-think the topic, because things change over time: Keep on going.
>>>>
>>>> Always keep in mind: In 2012 we already had a "Certified Application Security Specialist" promoted at AppSecDC. See
>>>>
>>>> http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
>>>>
>>>> Tobias
>>>>
>>>>> -----Original Message-----
>>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Gary Robinson
>>>>> Sent: Wednesday, 6 August 2014 17:17
>>>>> To: Andrew Muller
>>>>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x' Khrotko (owasp)
>>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce // OWASP certification [ Z1 UNGESICHERT ]
>>>>>
>>>>> Hi,
>>>>>
>>>>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC 27034 Application Security Controls' (hadn't seen before). Would be good to see this catch on.
>>>>>
>>>>> Gary
>>>>>
>>>>>
>>>>>
>>>>> Gary D. Robinson, CISSP
>>>>>
>>>>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>>   Microsoft and ISO kinda beat OWASP to the punch on this one with 27034.
>>>>>
>>>>>
>>>>>
>>>>>   On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson <gary.robinson at owasp.org> wrote:
>>>>>
>>>>>
>>>>>       Yea instead of cert'ing people or code, can we certify companies' SDLCs for security? Just like a company is certified for ISO 9001 or others? Would be great to see things like "Acme is OWASP certified for their secure development processes".
>>>>>
>>>>>       If BSIMM or OpenSAMM are anything to go by then education of employees will be part of that company SDLC cert.
>>>>>
>>>>>       Gary
>>>>>
>>>>>       Gary D. Robinson, CISSP
>>>>>
>>>>>       On 6 Aug 2014, at 11:36, Andrew Muller <andrew.muller at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>>           OWASP is good at writing guidance (code review guide) and standards (ASVS), so I don't think we should pollute the brand with certifications. We could possibly look at certifying organisations' compliance with these standards but even this stinks of conflict and erosion of the OWASP brand.
>>>>>
>>>>>
>>>>>           My 2c
>>>>>
>>>>>
>>>>>
>>>>>           On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>>>>
>>>>>
>>>>>               I'd love to do something like this but I'm unsure if getting students to test production code would warrant any type of robust certification. To certify code / help ensure it is secure, we really need to build security in rather than just test.
>>>>>               Certification would have to be a combination of design review, source code analysis and testing. Similar to ASVS level 4?
>>>>>               This would take tons of work and require a dedicated experienced assessment team.
>>>>>
>>>>>               -ek
>>>>>
>>>>>
>>>>>
>>>>>               Eoin Keary
>>>>>               Owasp Global Board
>>>>>               +353 87 977 2988
>>>>>
>>>>>
>>>>>               On 6 Aug 2014, at 02:41, Larry Conklin <larry.conklin at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>                   Hi Jim, I would also like to see us move into certification, but instead of certifying people I think we should consider software. A certification like what Underwriters Laboratories offers with their "Seal of Approval". We could start small, certifying software scanners. We can offer a free application(s) with known vulnerabilities that vendors can run their code against to measure how well their scanner finds and reports the known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and Javascript. We could also allow members to run their open source and third party application against our code base so we could collect comprehensive measurement of the effectiveness of each vendor scanner (both open source and third party) and make this available to everyone who is considering buying a scanner or a SAS service to scan software. The last thing we could do would be to offer our own "seal of approval" if the vendor allowed us to independently test their code. This would also be a great summer of code for some students. We don't need to start big, we just need to start. I have never seen an independent study of FindBugs that is not part of a research paper and compares other tools. Just my two cents. Hope you all miss the majority of the hurricanes. Stay safe!
>>>>>                   Larry
>>>>>
>>>>>
>>>>>
>>>>>                   On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>>>
>>>>>
>>>>>                       I personally think OWASP should go full bore into AppSec professional certification, but there are real obstacles preventing it from happening right now.
>>>>>
>>>>>                       1) Votes among our community have always said "no" to certification
>>>>>
>>>>>                       2) The operational overhead with certification is very significant, and we are in the process of rebooting operations with Virtual, our new HR firm
>>>>>
>>>>>                       3) We would be forced to keep exam questions in secret, which is against our bylaws
>>>>>
>>>>>                       I think that if Virtual succeeds in maturing operations as I hope and pray that they do, we might be able to reconsider. But right now I feel we need to put our energies into current efforts.
>>>>>
>>>>>                       Respectfully,
>>>>>                       --
>>>>>                       Jim Manico
>>>>>                       @Manicode
>>>>>                       (808) 652-3805
>>>>>
>>>>>                       On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko (owasp)" <timur at owasp.org> wrote:
>>>>>
>>>>>
>>>>>
>>>>>                           See the item from the SANS newsletter below. (For my taste the last two sentences in it are more important in principle, and in my perspective the main topic of US national association is obviously ... abstract.) The question is what do you think about OWASP engaging in AppSec specialists' certification? (Probably the question is not new, and we do not follow ISACA deliberately, then please send me a link to some discussion about it.) Wouldn't it be nice to create a methodology to train and examine the AppSec professionals in domains where we supply knowledge and tools (dev, test and ... management)?! (I guess it can make our brand more interesting for the AppSec crowd, bring more money and make dissemination of our tools easier).
>>>>>
>>>>>                           ~timur
>>>>>
>>>>>
>>>>>                            --Study Calls for Cyber Security Professional Organization
>>>>>                           (July 28 & August 1, 2014)
>>>>>                           A study from the Pell Center at Salve Regina University in Rhode Island acknowledges that "there are not enough people equipped with the appropriate knowledge, skills, and abilities to protect the information infrastructure, improve resilience, and leverage information technology for strategic advantage." The report "proposes the creation of a national professional association in cybersecurity to solidify the field as a profession, to support individuals engaged in this profession, to establish professional standards, prescribe education and training, and ... to support the public good."
>>>>>
>>>>>   http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>>>>>
>>>>>   http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>>>>>                           Study:
>>>>>
>http://pel
