<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns="http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
 /* Font Definitions */
 @font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext="edit">
  <o:idmap v:ext="edit" data="1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=EN-US link=blue vlink=purple>

<div class=Section1>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>This is exactly why I think we should seriously consider doing
it as part of OWASP, and not throw it on a commercial group that would just
look to how they can profit from it rather than keeping it credible. When it
becomes commercial, all the certifier is interested in, past the point they
reach a certain branding, is to sell as much as they can. &nbsp;However, we <i>can</i>
probably team up with some vendors that could do the work (and make some profit
out of it), as long as the quality is regulated by OWASP. <o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>In any case, I&#8217;m looking forward to hearing what the outcomes
of the DC Summit are. Unfortunately I won&#8217;t be able to attend, but I&#8217;ll keep track :-)<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'>Ofer.<o:p></o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";
color:#1F497D'><o:p>&nbsp;</o:p></span></p>

<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'>

<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>
owasp-leaders-bounces@lists.owasp.org
[mailto:owasp-leaders-bounces@lists.owasp.org] <b>On Behalf Of </b>daniel
cuthbert<br>
<b>Sent:</b> Monday, November 09, 2009 9:33 AM<br>
<b>To:</b> owasp-leaders@lists.owasp.org<br>
<b>Subject:</b> Re: [Owasp-leaders] Thinking out Loud: Evaluating Talent<o:p></o:p></span></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal style='margin-bottom:12.0pt'>The CISSP comes to mind; it's
not exactly the most respected cert available in this industry of ours,
alongside the CEH.<br>
<br>
It can be done; however, a careful balance between what the candidate knows and
needs to know has to be struck. There is no point having a certification that
isn't respected by all for being too much of a mickey mouse fan club badge.<br>
<br>
Partnering with an organisation to take care of the logistical nightmare of the
certification process is a must. The actual developing of training content and
exam questions isn't that hard; it's something I've been doing for the past 5
years and have a fair whack of experience with. <br>
<br>
<o:p></o:p></p>

<div>

<p class=MsoNormal>2009/11/9 Eoin &lt;<a href="mailto:eoin.keary@owasp.org">eoin.keary@owasp.org</a>&gt;<o:p></o:p></p>

<p class=MsoNormal>Agreed, certification is an expensive investment to set up
which would require a full-time resource. Best to partner with a third party on
this but which one? Exclusivity deals do not give me a comfortable feeling.<o:p></o:p></p>

<div>

<p class=MsoNormal>Making a &quot;migs picky&quot; of this would not do OWASP
any&nbsp;favors, it's a one shot deal.&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>It can easily go to two extremes (I've seen both);&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>Either the certification is a joke, too easy, not realistic
and a weak barometer of what we are trying to do OR it can be too hard, pass
rate is very low, appropriate support for examinations is low and therefore
uptake shall be minimal also.<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal>-ek&nbsp;<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal>(see u in DC?)<o:p></o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

<div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<div>

<p class=MsoNormal>2009/11/7 Stephen Craig Evans &lt;<a
href="mailto:stephencraig.evans@gmail.com" target="_blank">stephencraig.evans@gmail.com</a>&gt;<o:p></o:p></p>

<div>

<div>

<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

<p class=MsoNormal>From my experience, I can contribute to OWASP in spurts
and short<br>
stints. Except for some titans that continuously toil tirelessly for<br>
OWASP, I think that many other contributors are the same as me.<br>
<br>
Taking care of certification in any form requires a continuous effort<br>
which does not lend itself to bursts of work. I would think that to be<br>
successful, there would have to be a commercial wing of OWASP with<br>
paid workers which is not a bad thing at all, it's just that we<br>
already have so many open and unfinished endeavors as it is.<br>
<br>
Just my $0.02 worth,<br>
Stephen<o:p></o:p></p>

<div>

<div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>
<br>
On Sat, Nov 7, 2009 at 8:12 PM, Seba &lt;<a href="mailto:seba@owasp.org"
target="_blank">seba@owasp.org</a>&gt; wrote:<br>
&gt; Hi,<br>
&gt; We have been talking about this for some months now within the Education<br>
&gt; Committee.<br>
&gt; ISC2 even approached us with a very concrete proposal to set up a<br>
&gt; certification (besides CSSLP), but we do not want to set up one
'exclusive'<br>
&gt; certification scheme.<br>
&gt; Therefore we came up with the idea to have an OWASP 'certification<br>
&gt; framework' where we define the criteria and potential 'body of knowledge'<br>
&gt; for 3rd party organisations to certify developers and other actors in the<br>
&gt; SDLC.<br>
&gt; This certification framework is one point we want to discuss with you
during<br>
&gt; the upcoming GEC workshop at the DC Summit<br>
&gt; <a href="http://www.owasp.org/index.php/Summit_2009" target="_blank">http://www.owasp.org/index.php/Summit_2009</a><br>
&gt; regards<br>
&gt; Seba<br>
&gt;<br>
&gt; On Sat, Nov 7, 2009 at 12:59 PM, John Wilander &lt;<a
href="mailto:john.wilander@owasp.org" target="_blank">john.wilander@owasp.org</a>&gt;<br>
&gt; wrote:<br>
&gt;&gt;<br>
&gt;&gt; 2009/11/7 Ofer Maor&nbsp;&lt;<a href="mailto:ofer.maor@owasp.org"
target="_blank">ofer.maor@owasp.org</a>&gt;<br>
&gt;&gt; I definitely think this market is starting to be mature enough and big<br>
&gt;&gt; enough to call for a&nbsp;serious&nbsp;certification. And I think
OWASP is the right<br>
&gt;&gt; body to do it. There are already chapters all around the world to help
promote<br>
&gt;&gt; this, and I think we should push for such certification, and urge
customers<br>
&gt;&gt; to require all testers who work for them to have this certification.<br>
&gt;&gt; The problem exists and gives a lot of pain to customers who hire<br>
&gt;&gt; consultants.&nbsp;I've had customers who wanted our help in assessing
developers'<br>
&gt;&gt; appsec skills along with other project requirements such as documented<br>
&gt;&gt; threat modeling, the use of a code escrow, and more.<br>
&gt;&gt; There have been discussions previously on this list. It seems the
OWASP<br>
&gt;&gt; leaders are divided into people who say &quot;Why don't we take on the<br>
&gt;&gt; responsibility to define what a pentester and an appsec aware
developer<br>
&gt;&gt; should know?&quot; and people who say &quot;OWASP is open and
welcoming for newbies as<br>
&gt;&gt; well as the planet's finest. We should not become judges over
competence.&quot;<br>
&gt;&gt; Apart from that there have been a number of practical issues.<br>
&gt;&gt; * Should we cooperate with an established assessment provider such as<br>
&gt;&gt; Prometric?<br>
&gt;&gt; * Should OWASP provide tailor-made training for the certification?<br>
&gt;&gt; * Can we require chapter leaders to manage this on a<br>
&gt;&gt; local/regional/national level without paying them?<br>
&gt;&gt; * Should we cooperate or even try to merge with existing
certifications<br>
&gt;&gt; such as GSSP or CSSLP?<br>
&gt;&gt; Personally, I like the idea of an independent OWASP certifications<br>
&gt;&gt; (perhaps two - one for developers and one for testers). But I'm not
sure how<br>
&gt;&gt; we should deal with the practical issues.<br>
&gt;&gt; &nbsp;&nbsp; Regards, John (Sweden)<br>
&gt;&gt; _______________________________________________<br>
&gt;&gt; OWASP-Leaders mailing list<br>
&gt;&gt; <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
&gt;&gt; <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
&gt;&gt;<br>
&gt;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt; OWASP-Leaders mailing list<br>
&gt; <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
&gt; <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders"
target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
&gt;<br>
&gt;<br>
<br>
<br>
<o:p></o:p></p>

</div>

</div>

<p class=MsoNormal><span style='color:#888888'>--<br>
<a href="http://www.linkedin.com/in/stephencraigevans" target="_blank">http://www.linkedin.com/in/stephencraigevans</a></span><o:p></o:p></p>

<div>

<div>

<p class=MsoNormal>_______________________________________________<br>
OWASP-Leaders mailing list<br>
<a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><o:p></o:p></p>

</div>

</div>

</blockquote>

</div>

</div>

</div>

<p class=MsoNormal><br>
<br clear=all>
<br>
-- <br>
Eoin Keary<br>
<br>
OWASP Code Review Guide Lead Author<br>
OWASP Ireland Chapter Lead<br>
OWASP Global Committee Member (Industry)<br>
<br>
<a href="http://asg.ie/" target="_blank">http://asg.ie/</a><br>
<a href="https://twitter.com/EoinKeary" target="_blank">https://twitter.com/EoinKeary</a><o:p></o:p></p>

</div>

<p class=MsoNormal style='margin-bottom:12.0pt'><br>
_______________________________________________<br>
OWASP-Leaders mailing list<br>
<a href="mailto:OWASP-Leaders@lists.owasp.org">OWASP-Leaders@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><o:p></o:p></p>

</div>

<p class=MsoNormal><o:p>&nbsp;</o:p></p>

</div>

</body>

</html>