<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Time to start on the Guide 3.0</title>
	<atom:link href="http://www.greebo.net/2007/05/16/time-to-start-on-the-guide-30/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.greebo.net/2007/05/16/time-to-start-on-the-guide-30/</link>
	<description>mostly useless crap from me</description>
	<pubDate>Thu, 04 Dec 2008 19:39:49 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.5</generator>
		<item>
		<title>By: dre</title>
		<link>http://www.greebo.net/2007/05/16/time-to-start-on-the-guide-30/#comment-8859</link>
		<dc:creator>dre</dc:creator>
		<pubDate>Wed, 16 May 2007 18:55:40 +0000</pubDate>
		<guid isPermaLink="false">http://www.greebo.net/?p=416#comment-8859</guid>
		<description>I agree with both Schneier and mjr that pen-testing can be thrown out.  Penetration testing usually refers to a zero-knowledge, black box, external vulnerability assessment that does not seek to find every vulnerability, but usually at least one critical one.

But if anyone thinks that means that developers will do all the testing by themselves - they are sadly mistaken.  An internal or external team needs to do a formal, full-knowledge review of both the source code (static analysis) and the live, production application itself (dynamic analysis) both before and after-the-fact.  This sort of vulnerability assessment should be as complete as possible.  This eventually could be developers-as-assessors themselves as long as a process is in place to prevent corruption and mis-trust (and assuming that they have the skills to do this in the first place).  Trust, but verify - as always.

I'm also lost in the wiki vs. book argument.  Which do you support for OWASP Guide 3.0 and why?  Why not put all definitions, dictionary terms, and hyperlink-savvy data on the wiki, and build the book from these wiki items - with the remaining book content "going straight from brain to paper"?  In other words, let each medium concentrate on each's own specialty.  The book can contain parts of the wiki, and the book can be converted to wiki format when it is complete and reviewed.

I noticed that with the OWASP Top Ten 2007 a few changes were made on the wiki to reflect hyperlinked data.  PDFs can have this same hyperlinked data.  Start with that data on the wiki, merge it into the book, write the rest of the book, and then publish back to the wiki.

I wonder how the v3 Guide will overlap with the OWASP Certification project.  Thoughts on this?</description>
		<content:encoded><![CDATA[<p>I agree with both Schneier and mjr that pen-testing can be thrown out.  Penetration testing usually refers to a zero-knowledge, black box, external vulnerability assessment that does not seek to find every vulnerability, but usually at least one critical one.</p>
<p>But if anyone thinks that means that developers will do all the testing by themselves - they are sadly mistaken.  An internal or external team needs to do a formal, full-knowledge review of both the source code (static analysis) and the live, production application itself (dynamic analysis) both before and after-the-fact.  This sort of vulnerability assessment should be as complete as possible.  This eventually could be developers-as-assessors themselves as long as a process is in place to prevent corruption and mis-trust (and assuming that they have the skills to do this in the first place).  Trust, but verify - as always.</p>
<p>I&#8217;m also lost in the wiki vs. book argument.  Which do you support for OWASP Guide 3.0 and why?  Why not put all definitions, dictionary terms, and hyperlink-savvy data on the wiki, and build the book from these wiki items - with the remaining book content &#8220;going straight from brain to paper&#8221;?  In other words, let each medium concentrate on each&#8217;s own specialty.  The book can contain parts of the wiki, and the book can be converted to wiki format when it is complete and reviewed.</p>
<p>I noticed that with the OWASP Top Ten 2007 a few changes were made on the wiki to reflect hyperlinked data.  PDFs can have this same hyperlinked data.  Start with that data on the wiki, merge it into the book, write the rest of the book, and then publish back to the wiki.</p>
<p>I wonder how the v3 Guide will overlap with the OWASP Certification project.  Thoughts on this?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Big Red</title>
		<link>http://www.greebo.net/2007/05/16/time-to-start-on-the-guide-30/#comment-8834</link>
		<dc:creator>Big Red</dc:creator>
		<pubDate>Wed, 16 May 2007 05:56:06 +0000</pubDate>
		<guid isPermaLink="false">http://www.greebo.net/?p=416#comment-8834</guid>
		<description>You wrote: "Software engineering must make the jump from being a cowboy nation of lazy and uneducated coders to being a repeatable, safe art."

Could not agree more. Has the time come for software engineering to come of age and have an umbrella professional organization with entry exams and affiliation/accreditation? Look at (what I will call for the purposes of this post) genuine professions: lawyers, doctors, architects, teachers, nurses. All have some requirement to pass a mandatory qualification exam (in the case of teachers, this is jurisdictionally dependent, and nurses can go only so far without sitting the board registration exam). In some cases, the profession names themselves are protected -- I understand the Architects' Registration Board of Victoria is going after folks in the IT community requiring them to either sit their exam or stop calling themselves architects. (And never say I give you rant topics.)

The anti-Falwell is in the detail of course: who, what level, etc. But at the moment we seem to have a bunch of people consulting from home, using wikipedia as a reference work...

Dude, you need to read Martin Amis' recent novel "House of Meetings". It has nothing to do with IT security or your blog entry, but you might find it a good read (even if buying the book contributed to MA's dentist (another profession with quite stringent entry requirements (although (correct) bracket nesting is not one of them))).

Yours calvously,
Your pal in old studded leather wetsuit.</description>
		<content:encoded><![CDATA[<p>You wrote: &#8220;Software engineering must make the jump from being a cowboy nation of lazy and uneducated coders to being a repeatable, safe art.&#8221;</p>
<p>Could not agree more. Has the time come for software engineering to come of age and have an umbrella professional organization with entry exams and affiliation/accreditation? Look at (what I will call for the purposes of this post) genuine professions: lawyers, doctors, architects, teachers, nurses. All have some requirement to pass a mandatory qualification exam (in the case of teachers, this is jurisdictionally dependent, and nurses can go only so far without sitting the board registration exam). In some cases, the profession names themselves are protected &#8212; I understand the Architects&#8217; Registration Board of Victoria is going after folks in the IT community requiring them to either sit their exam or stop calling themselves architects. (And never say I give you rant topics.)</p>
<p>The anti-Falwell is in the detail of course: who, what level, etc. But at the moment we seem to have a bunch of people consulting from home, using wikipedia as a reference work&#8230;</p>
<p>Dude, you need to read Martin Amis&#8217; recent novel &#8220;House of Meetings&#8221;. It has nothing to do with IT security or your blog entry, but you might find it a good read (even if buying the book contributed to MA&#8217;s dentist (another profession with quite stringent entry requirements (although (correct) bracket nesting is not one of them))).</p>
<p>Yours calvously,<br />
Your pal in old studded leather wetsuit.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
