
Baseline Assessor Qual and Eval Criteria

From OWASP
This page contains out-of-date content. Please help OWASP to FixME.
Last revision (yyyy-mm-dd): 2016-06-31
Comment: The page should be updated.

This project article aims to establish a common set of assessor qualifications and evaluation criteria, so that the end user of an assessment service can judge an assessor's competence for each assessment type. Agreement on and establishment of these qualifications and criteria are foundational to defining the Assessment Levels later in this project.

Baseline Assessor Qualifications for Expert Testing

Before hiring a firm, or before hiring internally, verify on an individual basis that each Assessor has the following skills:

  • 4+ years of technical security experience with multiple computer platforms, operating systems, software products, network protocols and system architecture.
  • Knowledge of security architecture methodologies, industry best practices and generally accepted information security principles.
  • Demonstrated ability to secure (lock down/harden) underlying operating systems and web services such as IIS or Apache, and conversely to break into insecure ones.
  • Demonstrated experience in designing and integrating security services (authentication, authorization, encryption, integrity, and non-repudiation) into systems and/or applications.
    • Demonstrated ability to tell an MD5 hash from a Base64-encoded string from an encrypted value on sight. (Example used to probe depth of knowledge in encryption.)
  • Demonstrated experience in conducting vulnerability assessments and penetration testing – these are seen as foundational skills for application-level testing.
    • Demonstrated evidence of vulnerability discoveries (a previously unknown vulnerability).
    • Demonstrated ability to interpret a generated report from vulnerability scanners and quickly recognize potential false positives.
    • Able to demonstrate any exploit used during a test if requested by a client.
  • Solid understanding and experience in Web application and Internet security.
  • Solid, in-depth understanding of all Internet and Web protocols.
  • Full understanding of major HTML directives and code.
  • Knowledge of Service Oriented Architectures (SOA) and SOAP if applicable to environment.
  • Demonstrated ability to reverse engineer a transactional web application.
  • Produces their own security tools that are known in reputable security circles. Ability to write shell scripts or code to automate custom tests.
  • Demonstrated use of testing methodologies defined in OWASP Testing Project – Ask for specific testing process used for three or more testing areas.
  • Demonstrated ability to create and follow a project specific well documented test plan.
  • Programming / web services development experience a benefit. However, not all programmers make good security testers (it’s a mindset thing).
  • Demonstrated ability to formulate written technical material in a clear and effective manner – Ask for writing sample.
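As an added illustration of the "MD5 from Base64 from an encrypted value" item above (example code written for this page, not part of the OWASP article), the Python heuristic below classifies an opaque string by its visible shape, the way an assessor would on sight. All sample values are constructed, and the labels are leads to follow up, not proof of what produced the value.

```python
import base64
import binascii
import math
import re
import string

# Heuristic shapes. 32 hex chars is "MD5-shaped"; that is all that can be said on sight.
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of a byte string; approaches 8.0 for random or encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = {b: data.count(b) for b in set(data)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_opaque_value(value: str) -> str:
    """Classify a string found in a cookie, token or log field by its shape.

    Labels: 'md5-hex' (32 hex chars), 'hex' (other even-length hex, e.g. 40 chars is
    SHA-1-shaped), 'base64-text' (decodes to readable text: encoding, not encryption),
    'base64-of-<label>' (the readable text is itself hex), 'base64-binary' (decodes to
    bytes consistent with ciphertext, a binary hash or a random token), or 'unknown'.
    """
    v = value.strip()
    if HEX_RE.match(v):
        if len(v) == 32:
            return "md5-hex"
        if len(v) >= 8 and len(v) % 2 == 0:
            return "hex"
    if B64_RE.match(v) and len(v) % 4 == 0 and len(v) >= 8:
        try:
            decoded = base64.b64decode(v, validate=True)
        except (binascii.Error, ValueError):
            return "unknown"
        if all(b in PRINTABLE for b in decoded):
            inner = classify_opaque_value(decoded.decode("ascii"))
            return "base64-text" if inner == "unknown" else f"base64-of-{inner}"
        return "base64-binary"
    # Caveat: the Base64 alphabet overlaps with ordinary words, so a short plain word
    # such as 'password' also decodes "successfully" to junk bytes; verify before concluding.
    return "unknown"


def demo() -> dict:
    """Constructed samples (not taken from any real system) run through the classifier."""
    md5_hex = "5d41402abc4b2a76b9719d911017c592"                     # md5("hello")
    samples = {
        "md5_hex": md5_hex,
        "sha1_hex": "da39a3ee5e6b4b0d3255bfef95601890afd80709",     # sha1("")
        "b64_text": base64.b64encode(b"user=alice;role=admin").decode(),
        "b64_wrapped_md5": base64.b64encode(md5_hex.encode()).decode(),
        "b64_random_bytes": base64.b64encode(bytes([0x8F, 0x02, 0xD1, 0x7C, 0xA9, 0x33, 0xE4, 0x5B])).decode(),
    }
    return {name: classify_opaque_value(v) for name, v in samples.items()}
```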

Assessors identify and exploit security weaknesses, evaluate countermeasures and conduct analysis to determine the potential security impact on the business. Moreover, the assessor must demonstrate the ability to take assessment data and formulate technical security solutions.

The following education and/or certifications are helpful and increase the viability of the Assessor (they establish business foundation skills, and thus the ability to link technical results to business impact), but they should not be taken as the sole means of evaluation.

  • Undergraduate degree in Computer Science, Information Systems, Engineering, or related discipline
  • CISSP or CCNA or GIAC certifications


Evaluation Criteria

The following matrix is intended to summarize the skills required per assessment level.

…[To Be Developed After Assessment Levels Established]
