[Owasp-leaders] professionalizing the cybersecurity workforce //OWASP certification

Andrew Muller andrew.muller at owasp.org
Fri Aug 8 10:14:56 UTC 2014


Who says we're easily distracted?! ;)

Is the discussion dead or does the community think that certification of
organisations/processes is a worthwhile pursuit and does the Board think
they can lead it?


On Thu, Aug 7, 2014 at 11:20 AM, Donald <don.gooden at gmail.com> wrote:

>  You guys are funny...
>
> Thanks for the laugh...
>
> Enjoy it...
>
> D
>  ------------------------------
> From: (P7N) Jason Johnson <jason.johnson at p7n.net>
> Sent: 8/6/2014 4:33 PM
> To: Jim Manico <jim.manico at owasp.org>; Tobias Glemser
> <tglemser at secuvera.de>
> Cc: owasp-leaders at lists.owasp.org
> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
> workforce //OWASP certification
>
> Crap....I need to get that off my Resume
>
> On August 6, 2014 2:22:05 PM CDT, Jim Manico <jim.manico at owasp.org> wrote:
> >I do not doubt that you are a highly experienced ASS, but yes, the
> >cert is indeed a hoax. ;) Next time I'm in Germany I'll buy everyone
> >some beer.
> >
> >Aloha,
> >-
> >Jim Manico
> >@Manicode
> >(808) 652-3805
> >
> >On Aug 6, 2014, at 11:47 AM, Tobias Glemser <tglemser at secuvera.de>
> >wrote:
> >
> >>> PS: That's the ASS-Cert and it was a hoax. :)
> >> Sir! You're saying the "certified ASS" I've got proudly printed on my
> >> business cards is a fake :-0? Can't be real.. :)
> >>
> >> I guess the next beer is on you my Hawaiian friend.
> >>
> >> Tobias
> >>
> >>> -----Original Message-----
> >>> From: Jim Manico [mailto:jim.manico at owasp.org]
> >>> Sent: Wednesday, 6 August 2014 18:26
> >>> To: Tobias Glemser
> >>> Cc: owasp-leaders at lists.owasp.org
> >>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce //
> >>> OWASP certification [ Z1 UNGESICHERT ]
> >>>
> >>>> Always keep in mind: In 2012 we already had a "Certified Application
> >>>> Security Specialist" promoted at AppSecDC
> >>>
> >>> PS: That's the ASS-Cert and it was a hoax. :)
> >>>
> >>> Aloha,
> >>> --
> >>> Jim Manico
> >>> @Manicode
> >>> (808) 652-3805
> >>>
> >>> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org> wrote:
> >>>>
> >>>> Hi there,
> >>>>
> >>>> I fully understand the "why is there no OWASP Sticker, pardon me,
> >>>> OWASP Certificate"-question arises year after year. But to quote Jim
> >>>>
> >>>>> 1) Votes among our community have always said "no" to certification
> >>>> As a community driven organization _this_ is the most relevant thing to
> >>>> keep in mind in any discussion. If the participants think we should
> >>>> re-think the topic, because things change over time: Keep on going.
> >>>>
> >>>> Always keep in mind: In 2012 we already had a "Certified Application
> >>>> Security Specialist" promoted at AppSecDC. See
> >>>>
> >>>> http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
> >>>>
> >>>> Tobias
> >>>>
> >>>>> -----Original Message-----
> >>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
> >>>>> bounces at lists.owasp.org] On behalf of Gary Robinson
> >>>>> Sent: Wednesday, 6 August 2014 17:17
> >>>>> To: Andrew Muller
> >>>>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x'
> >>>>> Khrotko (owasp)
> >>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
> >>>>> workforce // OWASP certification [ Z1 UNGESICHERT ]
> >>>>>
> >>>>> Hi,
> >>>>>
> >>>>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC
> >>>>> 27034 Application Security Controls' (hadn't seen before). Would be
> >>>>> good to see this catch on.
> >>>>>
> >>>>> Gary
> >>>>>
> >>>>>
> >>>>>
> >>>>> Gary D. Robinson, CISSP
> >>>>>
> >>>>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>   Microsoft and ISO kinda beat OWASP to the punch on this one with
> >>>>> 27034.
> >>>>>
> >>>>>
> >>>>>
> >>>>>   On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson
> >>>>> <gary.robinson at owasp.org> wrote:
> >>>>>
> >>>>>
> >>>>>       Yea instead of cert'ing people or code, can we certify
> >>>>> companies' SDLCs for security? Just like a company is certified for
> >>>>> ISO 9001 or others? Would be great to see things like "Acme is OWASP
> >>>>> certified for their secure development processes".
> >>>>>
> >>>>>       If BSIMM or OpenSAMM are anything to go by then education of
> >>>>> employees will be part of that company SDLC cert.
> >>>>>
> >>>>>       Gary
> >>>>>
> >>>>>       Gary D. Robinson, CISSP
> >>>>>
> >>>>>       On 6 Aug 2014, at 11:36, Andrew Muller
> >>>>> <andrew.muller at owasp.org> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>           OWASP is good at writing guidance (code review guide) and
> >>>>> standards (ASVS), so I don't think we should pollute the brand with
> >>>>> certifications. We could possibly look at certifying organisations'
> >>>>> compliance with these standards but even this stinks of conflict and
> >>>>> erosion of the OWASP brand.
> >>>>>
> >>>>>
> >>>>>           My 2c
> >>>>>
> >>>>>
> >>>>>
> >>>>>           On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary
> >>>>> <eoin.keary at owasp.org> wrote:
> >>>>>
> >>>>>
> >>>>>               I'd love to do something like this but I'm unsure if
> >>>>> getting students to test production code would warrant any type of
> >>>>> robust certification. To certify code / help ensure it is secure, we
> >>>>> really need to build security in rather than just test.
> >>>>>               Certification would have to be a combination of design
> >>>>> review, source code analysis and testing. Similar to ASVS level 4?
> >>>>>               This would take tons of work and require a dedicated
> >>>>> experienced assessment team.
> >>>>>
> >>>>>               -ek
> >>>>>
> >>>>>
> >>>>>
> >>>>>               Eoin Keary
> >>>>>               Owasp Global Board
> >>>>>               +353 87 977 2988
> >>>>>
> >>>>>
> >>>>>               On 6 Aug 2014, at 02:41, Larry Conklin
> >>>>> <larry.conklin at owasp.org> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>>                   Hi Jim, I would also like to see us move into
> >>>>> certification but instead of certifying people. I think we should
> >>>>> consider software. A certification like what Underwriters
> >>>>> Laboratories offers with their "Seal of Approval". We could start
> >>>>> small certifying software scanners. We can offer a free
> >>>>> application(s) with known vulnerabilities that vendors can run their
> >>>>> code against to measure how well their scanner finds and reports the
> >>>>> known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and
> >>>>> JavaScript. We could also allow members to run their open source and
> >>>>> third party application against our code base so we could collect
> >>>>> comprehensive measurement of the effectiveness of each vendor scanner
> >>>>> (both open source and third party) and make this available to
> >>>>> everyone who is considering buying a scanner or a SAS service to scan
> >>>>> software. The last thing we could do would be to offer our own "seal of
> >>>>> approval" if the vendor allowed us to independently test their code.
> >>>>> This would also be a great summer of code for some students. We don't
> >>>>> need to start big, we just need to start. I have never seen an
> >>>>> independent study of FindBugs that is not part of a research paper
> >>>>> and compares other tools. Just my two cents. Hope you all miss the
> >>>>> majority of the hurricanes. Stay safe!
> >>>>>                   Larry
> >>>>>
> >>>>>
> >>>>>
> >>>>>                   On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico
> >>>>> <jim.manico at owasp.org> wrote:
> >>>>>
> >>>>>
> >>>>>                       I personally think OWASP should go full bore
> >>>>> into AppSec professional certification, but there are real obstacles
> >>>>> preventing it from happening right now.
> >>>>>
> >>>>>                       1) Votes among our community have always said
> >>>>> "no" to certification
> >>>>>
> >>>>>                       2) The operational overhead with certification
> >>>>> is very significant, and we are in the process of rebooting
> >>>>> operations with Virtual, our new HR firm
> >>>>>
> >>>>>                       3) We would be forced to keep exam questions
> >>>>> in secret which is against our bylaws
> >>>>>
> >>>>>                       I think that if Virtual succeeds in maturing
> >>>>> operations as I hope and pray that they do, we might be able to
> >>>>> reconsider. But right now I feel we need to put our energies into
> >>>>> current efforts.
> >>>>>
> >>>>>                       Respectfully,
> >>>>>                       --
> >>>>>                       Jim Manico
> >>>>>                       @Manicode
> >>>>>                       (808) 652-3805
> >>>>>
> >>>>>                       On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko
> >>>>> (owasp)" <timur at owasp.org> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>>                           See the item from the SANS newsletter
> >>>>> below. (For my taste the last two sentences in it are more important
> >>>>> in principle, and in my perspective the main topic of US national
> >>>>> association is obviously ... abstract.) The question is what do you
> >>>>> think about OWASP engaging in AppSec specialists' certification?
> >>>>> (Probably the question is not new, and we do not follow ISACA
> >>>>> deliberately, then please send me a link to some discussion about
> >>>>> it.) Wouldn't it be nice to create a methodology to train and examine
> >>>>> the AppSec professionals in domains where we supply knowledge and
> >>>>> tools (dev, test and ... management)?! (I guess it can make our brand
> >>>>> more interesting for the AppSec crowd, bring more money and make
> >>>>> dissemination of our tools easier).
> >>>>>
> >>>>>                           ~timur
> >>>>>
> >>>>>
> >>>>>                           --Study Calls for Cyber Security Professional Organization
> >>>>>                           (July 28 & August 1, 2014)
> >>>>>                           A study from the Pell Center at Salve Regina University in Rhode Island
> >>>>>                           acknowledges that "there are not enough people equipped with the
> >>>>>                           appropriate knowledge, skills, and abilities to protect the information
> >>>>>                           infrastructure, improve resilience, and leverage information technology
> >>>>>                           for strategic advantage." The report "proposes the creation of a
> >>>>>                           national professional association in cybersecurity to solidify the field
> >>>>>                           as a profession, to support individuals engaged in this profession, to
> >>>>>                           establish professional standards, prescribe education and training, and
> >>>>>                           ... to support the public good."
> >>>>>
> >>>>>   http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
> >>>>>
> >>>>>   http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
> >>>>>                           Study:
> >>>>>
> >>>>>   http://pel
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>


-- 
____________________
*Andrew Muller*
Canberra OWASP Chapter Leader
OWASP Testing Guide Co-Leader