Here's an exciting "development"--the SANS Institute has announced secure coding assessment and certification exams for programmers. SANS is working with prominent security vendors and universities and community colleges to devise a program for helping today's and tomorrow's programmers learn to develop more secure code. The initiative consists of exams that developers can take to gain Global Information Assurance Certification (GIAC) Secure Software Professional (GSSP) status or simply to find out where they might have holes in their knowledge or skills.
The four exams cover C/C++, Java/Java 2 Enterprise Edition (J2EE), Perl/PHP, and .NET/Active Server Pages (ASP) and are designed to measure a programmer's expertise in finding and correcting problems in code that could lead to security vulnerabilities. Developers will be able to take the exams in a proctored setting (typically at a university or community college) to receive the GSSP designation or online to test their skills unofficially. Large companies such as Symantec, Juniper Networks, Siemens, and Tata Consultancy Services have helped to devise the tests and will use them to train and test their developers.
Allan Paller, director of research at the SANS Institute, told us that security administrators often wonder why developers keep writing programs with bugs in them and said that the answer is that it's really hard to write secure code. In fact, he pointed out that many programming books, from which programmers copy code samples to use as the basis of their own programs, actually have security bugs.
Michael Sutton is security evangelist at SPI Dynamics, which has helped SANS develop the GSSP exams and is working with the institute on a set of 40 secure programming workshops that will run next fall when the exams become available. Sutton said, "It's unfair to blame developers because we've never asked them to develop secure code--we've asked them for features and to deliver code on time. Now we're changing that, and it's a tall order." He reports that the developers he's talked to are "embracing this examination" and the opportunity to learn to code securely.
For more information about the exams and how you can prepare for them, go to
http://www.sans-ssi.org/