The SANS Institute Monday unveiled the Software Security Institute, a new exam program designed to ensure that software programmers demonstrate better security scruples when writing code.
A coalition of technology users and vendors organized by the SANS Institute
"It isn't covered in college and it isn't covered in professional development, so they are flying blind," Paller said in an interview conducted by email. Furthermore, he said, many code writers have been craving a program like this. "What surprised us is that the programmers want to know what they don't know," he said. "They are not even a little defensive" about this.
There will be four examinations, each covering a specific programming language suite -- C/C++, Java/J2EE, Perl/PHP and .NET/ASP. They are designed to "enable reliable measurements of technical proficiency and expertise in identifying and correcting the common programming errors that lead to security vulnerabilities," SANS said in a statement. The exams will be administered in August in Washington DC on a pilot basis, and will then be rolled out globally.
SANS said the program is designed to:
- Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
- Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.
- Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
- Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.
- Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
- Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.
Secure coding skills have grown in demand in recent years, as criminals increasingly target weaknesses in applications to rob computer systems of critical data, Paller said, adding, "With the right skills, programmers can reduce the risk of losses caused by cyber attacks, and the certification will allow security-aware programmers to stand out in an increasingly competitive marketplace."
Meanwhile, SANS said in its statement, "any programmer who wants to take a self-assessment version of the exams to know where he or she stands may do so online at any time."
Steve Christey, editor of MITRE Corp.'s CVE program, which monitors all security vulnerabilities on behalf of the federal government, said in the statement that the exam program is long overdue.
"After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear: Most of these vulnerabilities could be found very easily, using techniques that require very little expertise," he said. "In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance."
Those who pass the exams at the foundation level will earn the GIAC Secure Software Programmer (GSSP) certification, SANS said. A suffix reflecting the language in which the certification was earned will follow the letters. For example, a programmer who passes the Java exam would receive the GSSP-J designation.
Paller said the proctored certification exam will cost $400. The online assessment that large companies will use will cost less.