Thursday 4 November 2010

OWASP and certifications

(based on my answer to an email thread about OWASP Certifications started by SI)

Certification has historically been a hot topic at OWASP, the reasons being a mix of an 'allergy' to certifications in a considerable part of our community and the problems in creating an OWASP Certification that is compatible with the OWASP Openness model.

James McGovern (a couple of years ago) did an amazing job at trying to create a Certification for OWASP; unfortunately it was probably too soon for the OWASP community and we (at the time) didn't have a good picture of how it could be made to work (and part of that is my fault, since I was part of the group that had a problem with the 'need to have closed questions and answers' requirement).

Here are a couple of comments, which will hopefully clarify the current situation:

  • There is no problem in creating Certifications around OWASP materials (i.e. not 'OWASP Certifications' but 'Certifications on OWASP {put project name here}' (we could even have a generic 'Certification on OWASP'))
  • The problem is in OWASP running this certification (which, mainly because of the need to have 'closed' questions, is a non-starter)
  • The only way I could see an 'OWASP Certification' being created is one where ALL Questions and Answers are publicly available on the OWASP Website (and if you think about this idea for a bit, you'll see that it should work once the number of questions is significantly larger than the number of questions asked in the exam)
  • Even in the case where there is an 'OWASP Certification' or 'Certification around OWASP materials', there is no structure at OWASP that can handle the exam and certification process (and there are no plans to create one in the short to medium term)
  • The best (and most realistic) scenario is one where 3rd party commercial companies (like SI) use OWASP as the 'body of knowledge' and themselves manage the Question generation, Certification brand and Exam process (of course OWASP Leaders could be independently involved in this process (for example helping to write questions), but it is very important to understand that there is no structure at OWASP that could be officially involved in this process (for example, if SI wants to hire an OWASP Leader to participate, that will need to be a commercial arrangement between SI and that OWASP Leader))
  • In terms of the focus of the Certifications, I would add another audience that Robert Hansen has tried to push OWASP to address, which is the QA professionals. I.e. create an 'OWASP for QA' Certification that focuses on the minimum WebAppSec knowledge that these key SDL players should have.
  • Ultimately there should be a number of 'OWASP based' Certifications in the market, and it should be for the market to decide which ones it trusts.
  • Although it would be hard for OWASP to 'officially' endorse a certification, we now have (in 2010) a number of ways that OWASP can give a lot of visibility to Certifications that are created around OWASP materials:
    • Public reviews of certifications delivered at OWASP Conferences (given by OWASP Leaders who go through the process)
    • Create an 'OWASP Quote' where OWASP Board+Leaders can make an 'on the record' comment on an OWASP-based certification. See http://www.owasp.org/index.php/Quotes for an example
    • List Certification(s) on a 'Commercial Services' registry that is still under development but is a perfect medium for this (see http://www.owasp.org/index.php/OWASP_Related_Commercial_Services)

So, in a nutshell: Certifications are very important to OWASP and are something that, if done correctly, would have tremendous value for OWASP's community and help it reach a much wider audience.