(ISC)2 today announced a new software security certification that targets not only coders, but any project manager, IT analyst or engineer involved in the software development lifecycle. The intent is to train influencers to ensure that security is baked into projects from the outset and maintained throughout the lifecycle of a product.
The Certified Secure Software Lifecycle Professional (CSSLP) curriculum will focus on the vulnerabilities, risk and compliance issues to be considered during the development lifecycle. It will cover seven domains: secure software concepts, requirements, design, implementation/coding, testing, software acceptance, and deployment, operations, maintenance and disposal.
"Even when the security person notes that something needs to be embedded in software, they have limited authority," said new (ISC)2 executive director Hord Tipton. "We need to make sure the people who supervise the process hear what [security managers] have to say and their knowledge is brought to the table."
The first exam will be administered in June. Candidates can apply starting today through March 31 to take part in an experience assessment and contribute to exam development and program development overall. Tipton said the credential has been in development for two years. It will be a standalone cert; candidates do not need a CISSP to pursue it.
"We're not trying to turn a security officer into a programmer," Tipton said. "We want him to know enough about how software is developed, what best practices need to be in applications and be able to sit with a coder and explain why the extra time and money needs to be spent to implement a security best practice."
With more business conducted on the Web and an increasing number of enterprise apps offered as a service online, applications are today's attack vector of choice. And with good reason: attackers using time-tested cross-site scripting attacks, and variations on them, are cashing in on the direct link many apps have to enterprise databases.
A March survey by Forrester Research found that 44% of the 1,000 IT pros surveyed were evaluating or planning to adopt application security technologies. Meanwhile, a survey of 340 Web application security professionals conducted by Jeremiah Grossman of White Hat Security and Robert Hansen, who runs the ha.ckers.org website, found that awareness and education were the top priority for enterprises, followed by the implementation of security into the development lifecycle.
The Payment Card Industry Data Security Standard is also forcing more companies to address the security of applications, in particular Web apps. Section 6.6 became a requirement on June 30. It mandates that companies address the security of Web apps either through manual or automated source code reviews or vulnerability scans, or through the installation of a Web application firewall (WAF) between a Web app and the client endpoint.
(ISC)2's Tipton, former CIO for the Department of the Interior, points out, as many others have, that software is often rushed to market with user-friendliness as the priority, sacrificing security at the outset. Usually, he said, security is an add-on.
"I don't want to criticize industry for trying to make a profit, but there needs to be a mindset change," Tipton said. "Look at the cost of development; if you have embedded security at the beginning of a project, it may at first blush cost you more, but if you look at continuous patching and when you add all those costs in, it is generally accepted that cost is much greater than the initial investment."