Group releases Java standards for secure development

By Denis Fisher, Executive Editor
20 Nov 2007 | SearchSecurity.com

Security Wire Daily News
A new group of private-sector security experts is trying to improve secure programming skills through a set of minimum standards that developers should meet before writing code.

The Secure Programming Council, as the group is called, is releasing its first standards document today, focused on Java and J2EE development. The document is designed to serve as a set of essential skills for Java developers, instructing them in the safest ways to write applications and avoid common errors that lead to security vulnerabilities.

The document, "Essential Skills for Secure Programming Using Java/J2EE," will be available for public comment for 60 days. The council will then incorporate suggestions and release a final version.

The group also will produce standardized exams to test developers' skills against the standards. The tests will be administered in both the U.S. and abroad, beginning in London on Dec. 5, the council said. The group also is working on similar standards for Perl, PHP, .Net, C and C++ programmers.

The new council is just one of a handful of recent efforts to improve the quality and security of code that developers are turning out. The SANS Institute earlier this year started the Software Security Institute, a similar program involving education, skills assessment and testing. And Microsoft Corp., Symantec Corp., and other large software vendors recently began another group called SAFECode, focused on educating developers.

The Secure Programming Council comprises representatives from more than 40 organizations, and the committee that put together the Java document includes Java security experts from Booz Allen & Hamilton, Ounce Labs, Deloitte and Touche and Kaiser Permanente, among others. Application security vendors such as Fortify and Neohapsis are also involved.

The minimum skills that the Java document lays out cover a broad range of topics, including data handling, authentication and session management, access control and encryption services.

During a press conference Tuesday afternoon, SANS Institute Research Director Allan Paller said that having well-defined standards like this will give employers a way to measure whether the people writing code for them have the necessary skills and security know-how.

As for what was announced Tuesday, Paller said, "This is the first standard you need to know if you're going to write secure code for Java. There will be other standards but this is the first because Java is what most applications are written in and applications are what the attackers are targeting most right now."

Senior News Writer Bill Brenner contributed to this report.