[Owasp-leaders] professionalizing the cybersecurity workforce //OWASP certification

Bev Corwin bev.corwin at owasp.org
Fri Aug 8 12:38:18 UTC 2014


My two cents: Personally not a fan of "certifications" of anything, but a
"taxonomy of trust" might be interesting.

Bev


On Fri, Aug 8, 2014 at 6:14 AM, Andrew Muller <andrew.muller at owasp.org>
wrote:

> Who says we're easily distracted?! ;)
>
> Is the discussion dead or does the community think that certification of
> organisations/processes is a worthwhile pursuit and does the Board think
> they can lead it?
>
>
> On Thu, Aug 7, 2014 at 11:20 AM, Donald <don.gooden at gmail.com> wrote:
>
>>  You guys are funny...
>>
>> Thanks for the laugh...
>>
>> Enjoy it...
>>
>> D
>>  ------------------------------
>> From: (P7N) Jason Johnson <jason.johnson at p7n.net>
>> Sent: 8/6/2014 4:33 PM
>> To: Jim Manico <jim.manico at owasp.org>; Tobias Glemser
>> <tglemser at secuvera.de>
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
>> workforce //OWASP certification
>>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>>
>> Crap.... I need to get that off my resume
>>
>> On August 6, 2014 2:22:05 PM CDT, Jim Manico <jim.manico at owasp.org>
>> wrote:
>> >I do not doubt that you are a highly experienced ASS, but yes, the
>> >cert is indeed a hoax. ;) Next time I'm in Germany I'll buy everyone
>> >some beer.
>> >
>> >Aloha,
>> >-
>> >Jim Manico
>> >@Manicode
>> >(808) 652-3805
>> >
>> >On Aug 6, 2014, at 11:47 AM, Tobias Glemser <tglemser at secuvera.de>
>> >wrote:
>> >
>> >>> PS: That's the ASS-Cert and it was a hoax. :)
>> >> Sir! You're saying the "certified ASS" I've got proudly printed on my
>> >> business cards is a fake :-0? Can't be real.. :)
>> >>
>> >> I guess the next beer is on you my Hawaiian friend.
>> >>
>> >> Tobias
>> >>
>> >>> -----Original Message-----
>> >>> From: Jim Manico [mailto:jim.manico at owasp.org]
>> >>> Sent: Wednesday, 6 August 2014 18:26
>> >>> To: Tobias Glemser
>> >>> Cc: owasp-leaders at lists.owasp.org
>> >>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity workforce
>> >>> // OWASP certification [ Z1 UNGESICHERT ]
>> >>>
>> >>>> Always keep in mind: In 2012 we already had a "Certified Application
>> >>>> Security Specialist" promoted at AppSecDC
>> >>>
>> >>> PS: That's the ASS-Cert and it was a hoax. :)
>> >>>
>> >>> Aloha,
>> >>> --
>> >>> Jim Manico
>> >>> @Manicode
>> >>> (808) 652-3805
>> >>>
>> >>>> On Aug 6, 2014, at 8:33 AM, Tobias Glemser <tobias.glemser at owasp.org>
>> >>>> wrote:
>> >>>>
>> >>>> Hi there,
>> >>>>
>> >>>> I fully understand that the "why is there no OWASP Sticker, pardon me,
>> >>>> OWASP Certificate" question arises year after year. But to quote Jim:
>> >>>>
>> >>>>> 1) Votes among our community have always said "no" to certification
>> >>>>
>> >>>> As a community-driven organization _this_ is the most relevant thing to
>> >>>> keep in mind in any discussion. If the participants think we should
>> >>>> re-think the topic, because things change over time: Keep on going.
>> >>>>
>> >>>> Always keep in mind: In 2012 we already had a "Certified Application
>> >>>> Security Specialist" promoted at AppSecDC. See
>> >>>>
>> >>>> http://lists.owasp.org/pipermail/owasp-leaders/2012-April/007071.html
>> >>>>
>> >>>> Tobias
>> >>>>
>> >>>>> -----Original Message-----
>> >>>>> From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-
>> >>>>> bounces at lists.owasp.org] On Behalf Of Gary Robinson
>> >>>>> Sent: Wednesday, 6 August 2014 17:17
>> >>>>> To: Andrew Muller
>> >>>>> Cc: owasp-leaders at lists.owasp.org; conklinl at hotmail.com; Timur 'x'
>> >>>>> Khrotko (owasp)
>> >>>>> Subject: Re: [Owasp-leaders] professionalizing the cybersecurity
>> >>>>> workforce // OWASP certification [ Z1 UNGESICHERT ]
>> >>>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> Good point on ISO 27034, and I see we have a project 'OWASP ISO IEC
>> >>>>> 27034 Application Security Controls' (hadn't seen it before). Would
>> >>>>> be good to see this catch on.
>> >>>>>
>> >>>>> Gary
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> Gary D. Robinson, CISSP
>> >>>>>
>> >>>>> On 6 Aug 2014, at 14:06, Andrew Muller <andrew.muller at owasp.org>
>> >>> wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>   Microsoft and ISO kinda beat OWASP to the punch on this one with 27034.
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>   On Wed, Aug 6, 2014 at 10:56 PM, Gary Robinson
>> >>>>> <gary.robinson at owasp.org> wrote:
>> >>>>>
>> >>>>>
>> >>>>>       Yea, instead of cert'ing people or code, can we certify
>> >>>>> companies' SDLCs for security? Just like a company is certified for
>> >>>>> ISO 9001 or others? Would be great to see things like "Acme is OWASP
>> >>>>> certified for their secure development processes".
>> >>>>>
>> >>>>>       If BSIMM or OpenSAMM are anything to go by then education of
>> >>>>> employees will be part of that company SDLC cert.
>> >>>>>
>> >>>>>       Gary
>> >>>>>
>> >>>>>       Gary D. Robinson, CISSP
>> >>>>>
>> >>>>>       On 6 Aug 2014, at 11:36, Andrew Muller
>> >>>>> <andrew.muller at owasp.org> wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>           OWASP is good at writing guidance (code review guide) and
>> >>>>> standards (ASVS), so I don't think we should pollute the brand with
>> >>>>> certifications. We could possibly look at certifying organisations'
>> >>>>> compliance with these standards but even this stinks of conflict and
>> >>>>> erosion of the OWASP brand.
>> >>>>>
>> >>>>>
>> >>>>>           My 2c
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>           On Wed, Aug 6, 2014 at 6:09 PM, Eoin Keary
>> >>>>> <eoin.keary at owasp.org> wrote:
>> >>>>>
>> >>>>>
>> >>>>>               I'd love to do something like this but I'm unsure if
>> >>>>> getting students to test production code would warrant any type of
>> >>>>> robust certification. To certify code / help ensure it is secure, we
>> >>>>> really need to build security in rather than just test.
>> >>>>>               Certification would have to be a combination of design
>> >>>>> review, source code analysis and testing. Similar to ASVS level 4?
>> >>>>>               This would take tons of work and require a dedicated
>> >>>>> experienced assessment team.
>> >>>>>
>> >>>>>               -ek
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>               Eoin Keary
>> >>>>>               Owasp Global Board
>> >>>>>               +353 87 977 2988
>> >>>>>
>> >>>>>
>> >>>>>               On 6 Aug 2014, at 02:41, Larry Conklin
>> >>>>> <larry.conklin at owasp.org> wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>                   Hi Jim, I would also like to see us move into
>> >>>>> certification, but instead of certifying people, I think we should
>> >>>>> consider software. A certification like what Underwriters
>> >>>>> Laboratories offers with their "Seal of Approval". We could start
>> >>>>> small, certifying software scanners. We can offer a free
>> >>>>> application(s) with known vulnerabilities that vendors can run their
>> >>>>> code against to measure how well their scanner finds and reports the
>> >>>>> known vulnerabilities. Testing would be C++, Java, C#, PHP, Ruby, and
>> >>>>> Javascript. We could also allow members to run their open source and
>> >>>>> third party application against our code base so we could collect
>> >>>>> comprehensive measurement of the effectiveness of each vendor scanner
>> >>>>> (both open source and third party) and make this available to
>> >>>>> everyone who is considering buying a scanner or a SAS service to scan
>> >>>>> software. The last thing we could do would be to offer our own "seal of
>> >>>>> approval" if the vendor allowed us to independently test their code.
>> >>>>> This would also be a great summer of code for some students. We don't
>> >>>>> need to start big, we just need to start. I have never seen an
>> >>>>> independent study of FindBugs that is not part of a research paper
>> >>>>> and compares other tools. Just my two cents. Hope you all miss the
>> >>>>> majority of the hurricanes. Stay safe!
>> >>>>> Larry
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>                   On Tue, Aug 5, 2014 at 6:43 PM, Jim Manico
>> >>>>> <jim.manico at owasp.org> wrote:
>> >>>>>
>> >>>>>
>> >>>>>                       I personally think OWASP should go full bore
>> >>>>> into AppSec professional certification, but there are real obstacles
>> >>>>> preventing it from happening right now.
>> >>>>>
>> >>>>>                       1) Votes among our community have always said
>> >>>>> "no" to certification
>> >>>>>
>> >>>>>                       2) The operational overhead with certification
>> >>>>> is very significant, and we are in the process of rebooting
>> >>>>> operations with Virtual, our new HR firm
>> >>>>>
>> >>>>>                       3) We would be forced to keep exam questions
>> >>>>> in secret which is against our bylaws
>> >>>>>
>> >>>>>                       I think that if Virtual succeeds in maturing
>> >>>>> operations as I hope and pray that they do, we might be able to
>> >>>>> reconsider. But right now I feel we need to put our energies into
>> >>>>> current efforts.
>> >>>>>
>> >>>>>                       Respectfully,
>> >>>>>                       --
>> >>>>>                       Jim Manico
>> >>>>>                       @Manicode
>> >>>>>                       (808) 652-3805
>> >>>>>
>> >>>>>                       On Aug 5, 2014, at 2:24 PM, "Timur 'x' Khrotko
>> >>>>> (owasp)" <timur at owasp.org> wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>                           See the item from the SANS newsletter
>> >>>>> below. (For my taste the last two sentences in it are more important
>> >>>>> in principle, and in my perspective the main topic of US national
>> >>>>> association is obviously ... abstract.) The question is what do you
>> >>>>> think about OWASP engaging in AppSec specialists' certification?
>> >>>>> (Probably the question is not new, and we do not follow ISACA
>> >>>>> deliberately, then please send me a link to some discussion about
>> >>>>> it.) Wouldn't it be nice to create a methodology to train and examine
>> >>>>> the AppSec professionals in domains where we supply knowledge and
>> >>>>> tools (dev, test and ... management)?! (I guess it can make our brand
>> >>>>> more interesting for the AppSec crowd, bring more money and make
>> >>>>> dissemination of our tools easier).
>> >>>>>
>> >>>>>                           ~timur
>> >>>>>
>> >>>>>
>> >>>>>                            --Study Calls for Cyber Security
>> >>>>> Professional Organization
>> >>>>>                           (July 28 & August 1, 2014)
>> >>>>>                           A study from the Pell Center at Salve
>> >>>>> Regina University in Rhode Island acknowledges that "there are not
>> >>>>> enough people equipped with the appropriate knowledge, skills, and
>> >>>>> abilities to protect the information infrastructure, improve
>> >>>>> resilience, and leverage information technology for strategic
>> >>>>> advantage." The report "proposes the creation of a national
>> >>>>> professional association in cybersecurity to solidify the field as a
>> >>>>> profession, to support individuals engaged in this profession, to
>> >>>>> establish professional standards, prescribe education and training,
>> >>>>> and ... to support the public good."
>> >>>>>
>> >>>>>   http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/
>> >>>>>
>> >>>>>   http://www.fiercecio.com/story/pell-study-calls-creation-national-professional-cybersecurity-association/2014-08-01
>> >>>>>                           Study:
>> >>>>>
>> >>>>>
>> >>>>>
>> >http://pel
>> -----BEGIN PGP SIGNATURE-----
>> Version: APG v1.1.1
>>
>> iQJDBAEBCgAtBQJT4o+WJhxKYXNvbiBKb2huc29uIDxqYXNvbi5qb2huc29uQHA3
>> bi5uZXQ+AAoJEESGuCi6L62Mo60QAJ6CdDNbwkiUDW0sC9xecZpqzOGgw8BdoGx6
>> owrel22CSFgFnWhHmFfd/cHBQhaYwnNV1WAr92tRiQiwGQUitcvjK7C6FoGDA46V
>> rLC+6EbpRT7PEGzXBlUD4mBZaWzLENhgRsmtwyuo4XKPWOE9nnR61qMFlPFc0nqI
>> 5x8d2FEziI0CNNRHdGh311nWRS4I6XOsXj3o94q41PaziBPROV1UYJ0A8cJegn3U
>> JbmEBR/fNsmX1LfXwjWGDJpS5Wknd0qndioL1/NBw0p7yP6cVR/Yd3UaV+w/gY1t
>> x+05MwM3mKoPCSo+RJn6lsp3gK58HEx4qFnMd3JHNJGDK1/4oBNC+FoalTy1fqp1
>> qk35gdo8OoGcJdkeBv5yt0qESrJDyy1jfRYr4/aL3ASFntfNB7QiUeU+dAyhdhb1
>> Dvxp76kcTHjycoyxJbxeVck1xv+2MjiVEqfjKNxqysU3Q1RaBv54FDFFLDwnW9xy
>> m1W6v0q/+5QH/d+47CQG1hBJU+s25hGoEWCNQfTDCvq3bHuUszuL0eDhiu2ffTtg
>> 6z/Tp5kW+Nli/5JqwBjtScEmVgacGvBKb9EQpnv/IZ6mBAh5ax5zz5UeN3Z83ACO
>> FWjq1bXtskcYpj0mrZ+xFZ/6q60xtBMbfF80SF7gtFU2/mvZOSTs7UmSH4J+C5/x
>> Eum/vR4p
>> =8Sf/
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> ____________________
> *Andrew Muller*
> Canberra OWASP Chapter Leader
> OWASP Testing Guide Co-Leader
>
>