Anurag Agarwal had a posting in his blog about a new certification for Web Application Security Professionals. When I first saw the posting I was almost kind of excited. You can imagine my disappointment when I found out that the GIAC/SANS organization was going to be involved. To me it just seems like an excuse for SANS to try and charge an exorbitant amount of money for their certifications. Now, I am not knocking the instructors that teach at the SANS training. Most of them are very talented individuals with many years of experience. That isn’t the issue.
What I have a problem with is this: what about people who already have the core competencies for the certification? These individuals would get absolutely nothing from taking the SANS training. I am sure the training is going to be targeted toward more of the newcomers to this space. For this scenario GIAC offers the certification challenge. I am not sure if you have looked up their costs to challenge their certifications or not, but it is rather laughable. I almost fell out of my chair laughing when I saw the new pricing, 899.00, which is a tricky way of saying 900.00. Are you kidding me? There is nothing special about their tests or credentials. I know, I have one. There cannot be that much overhead in the exam creation and maintenance. The CISSP doesn’t even cost that much, initially anyway. It just seems like another way for this organization to money grub. They are targeting people who work for organizations that pay for certifications for them and don’t necessarily question the amount of money spent. This basically shuns the little guy and the independents. To me, the GIAC certification challenge for Silver (which is purely automated, with no grading of papers) shouldn’t be more than 150 dollars. I think that is fair.
How should this be done?
I am not an expert in all things certification, but I would think you would have to start with the WASC taking complete ownership of this. Community experts should be queried for what they believe are the most important aspects of the field. You may even want to take a proven methodology based on OWASP as a framework for this as well. After that the exam objectives are defined. There may also be an experience requirement, so maybe people have to prove they have worked in the field for 2 years or something such as that. Based on the exam objectives and the comprehensive nature of the exam, you have a panel of experts draft the questions for the exam. The exam delivery method should be one that doesn’t restrict people based on geographic limitations. This delivery method could be web based, Prometric, etc.
Structuring the exam in this manner would allow other organizations to provide training as well, rather than locking in one vendor. This spreads the wealth a bit through the technology community. It would also allow for a reasonably priced challenge for any professionals who are already proficient in this area.
