SpoC 007 - OWASP Certification Project

Back to SpoC 007 Selection page

AoC Candidate: Mateo Meucci

Project coordinator: TBA

Project Progress: 0% Complete, Progress Page

Your educational and professional background
Matteo Meucci is graduated in Computer Science Engineering (5y) at University of Bologna (Italy). Specialization in Information Security & Communication Technology in 2001. Matteo is now Consultant @ BT Global Services Italy. Past: Application Security Area Manager @ Business-e an ITWay group company, Security Consultant @ CryptoNet. He is CISSP and CISA certified. Stefano Di Paola is graduated in Computer Science Engineering (5y) at University of Florence (Italy). Specialization in Software Development on Information Systems in 2002. Software engineer, secure software developer and security researcher. Stefano works as a freelance security and ICT consultant for several Italian companies and public administrations. He is Lead Auditor ISMS / Iso27001 Certified.

Application security experience and accomplishments
Matteo has 6+ years of professional experience in Application Security. Trainer on Web Application Security from many years. He was tutor for the final essay of M. Gambini titled: “ Security of web applications: analysis of vulnerability and project of security code” at the University of the Study of Bologna – Faculty of Engineering – 2002.

OWASP Paper: April 2005 - M. Meucci: “A case-study of Web Application Vulnerability: MMS Spoofing and Billing”.

Many articles, papers and participation to Security Conference on web application security. Stefano has 5+ Years of professional experience in Application Security. 6+ Years as security researcher with several findings on various applications.

Public advisories on:
 * mysql server
 * php interpreter
 * Acrobat Reader Plugin UXSS

3+ Years as professional penetration tester on Web Applicapplication for several big companies and institutions. 3 Years collaboration with Faculty of Computer Engineer at University of Florence on several courses about "Programming languages" and "Databases".

Teacher at a course for PhD Students titled "Integrating Security in SDLC". Several articles, papers and participation to international Security Conferences.

Participation and leadership in open communities
Matteo Since January 2005 Founder and President of the Italian chapter of the Open Web Application Security Project. From October 2006 to December 2006 Testing Guide AoC lead Since 2007 OWASP Testing Guide lead.

Stefano Since 2005: Official Member of the Board of Computer Engineers of Florence Since 2006: Research and Development Principal in Owasp Italian Chapter Since 2006: Co author in OWASP Testing guide

The opportunity, challenges, issues or need your proposal addresses
Nowadays OWASP represents the Web Application Security standard de facto world wide and many Companies adopt our methodologies and tools. A lot of these Companies require Application Security Training and Certification and in particular are asking for Owasp Certifications. When the Code Review project will be finished, we think that OWASP will have all the right methodologies and tools for a complete SDLC inherent with Security. Our challenge is to create a plan for certification: a set of OWASP Certification for Developers and Testers.

Objectives or ways in which you will meet the goal(s)
The goal is to create the OWASP Certification path for two potential certifications: OWASP Dev Certification and OWASP Test Certification.

The OWASP Foundation will be the root Authority: the process will begin in collaboration with OWASP Board to define the organizational structure and Certification authorities structure. #

The entities of this process could be:
 * Certification process developers: Matteo and Stefano
 * OWASP Foundation: owner of the certification
 * Training Companies: certified companies from the OWASP Foundation
 * Trainers: certified OWASP Cert trainers
 * Students: the target of the Certification.

Then in collaboration with OWASP boards and leaders, we will implement a detailed documentation for the students and trainers.

As third phase of the project the OWASP community will be involved with a mailing list, in order to improve and suggest activities and contents.

Specific activities and who will carry out these activities
We think at 2 types of certifications: OWASP Dev and OWASP Test Certification

OWASP Dev Certification
 * Target: Developer, Analist, Architect
 * Based upon the OWASP Building Guide and Code Review Guide, the idea is to develop a 4 days Course and final examinations.
 * Results: people get the OWASP Dev Certification (ODeC) that assure that you have understand the Threat Modeling, Code Review and how to develop secure web application

OWASP Test Certification
 * Target: Tester, Auditor
 * Based upon the OWASP Testing Guide, WebScarab and WebGoat the idea is to develop a 4 days Course and final examinations
 * Results: people get the OWASP Test Certification (OTeC) that assures that you can perform a Web Application Penetration Testing following the OWASP Methodology


 * Stefano and Matteo can carry out these activities with the support of the OWASP Board and Community for a first brainstorming on how to create the certification path.

Specific deliverables and a rough project schedule so we can track progress
We think that in three months we can reach the first two goals:
 * 1) Define the organizational hierarchy.
 * 2) Deliver a complete 4 days Training course materials for students with the final examination. OWASP Foundation will decide which certification will be developed firstly. This documentation will be available only to the OWASP Board.

Long-term vision for the project

 * I step (Certificate Developers and Testers): develop the OWASP Dev Course or OWASP Test Course.
 * II step (Certificate Training): develop the OWASP Dev Training Course, OWASP Test Training Course.
 * III step: Training Companies or OWASP Chapters could make the OWASP Certification to developers and testers.
 * Output: OWASP Dev Cert, OWASP Test Cert, OWASP Trainer Cert.

OWASP Foundation will be the owner of the Certifications path and will deliver the Training certification to the Training Companies or OWASP Chapters.

Any other reasons why you and your project should be selected
We think that the project should be selected because Certification is the OWASP next challenge and we work every day with passion to improve OWASP!

Back to SpoC 007 Selection page