
SANS: New exam program about more secure code

By Bill Brenner, Senior News Writer
27 Mar 2007 | SearchSecurity.com

Security Wire Daily News

The SANS Institute Monday unveiled the Software Security Institute, a new exam program designed to ensure that software programmers demonstrate better security scruples when writing code.

A coalition of technology users and vendors organized by the SANS Institute billed it as the first set of skills-assessment and certification examinations that let programming professionals test their secure coding skills, find gaps and, if they choose, gain GIAC Secure Software Programmer (GSSP) status. Alan Paller, research director at the SANS Institute, said the exams are necessary because programmers were never taught about secure coding.

"It isn't covered in college and it isn't covered in professional development, so they are flying blind," Paller said in an interview conducted by email. Furthermore, he said, many code writers have been craving a program like this. "What surprised us is that the programmers want to know what they don't know," he said. "They are not even a little defensive" about this.

There will be four examinations, each covering a specific programming language suite -- C/C++, Java/J2EE, Perl/PHP and .NET/ASP. They are designed to "enable reliable measurements of technical proficiency and expertise in identifying and correcting the common programming errors that lead to security vulnerabilities," SANS said in a statement. The exams will be administered in August in Washington DC on a pilot basis, and will then be rolled out globally.

SANS said the program is designed to:

  • Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
  • Provide a means for buyers of software and systems to measure the secure programming skills of the people who work for the vendor supplying them.
  • Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
  • Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.
  • Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
  • Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.

Secure coding skills have grown in demand in recent years, as criminals increasingly target weaknesses in applications to rob computer systems of critical data, Paller said, adding, "With the right skills, programmers can reduce the risk of losses caused by cyber attacks, and the certification will allow security-aware programmers to stand out in an increasingly competitive marketplace."

The institute will begin with a Washington, DC-based pilot test in the summer and proceed with a global rollout later in 2007. Eventually, any candidate seeking certification will be able to sit for the certification exams at testing sites around the world (generally at colleges or universities) on specific dates three times a year. Secure Programming Enterprise Partners (companies and government agencies with large numbers of programmers) will have access to enterprise versions of the exams that they can use at any time for employees, job candidates or consultants.

Meanwhile, SANS said in its statement, "any programmer who wants to take a self assessment version of the exams to know where he or she stands may do so online at any time."

Steve Christey, editor of MITRE Corp.'s CVE program, which monitors all security vulnerabilities on behalf of the federal government, said in the statement that the exam program is long overdue.

"After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear: Most of these vulnerabilities could be found very easily, using techniques that require very little expertise," he said. "In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance."

Those who pass the exams at the foundation level will earn the GIAC Secure Software Programmer (GSSP) certification, SANS said. A suffix reflecting the language in which the certification was earned will follow the letters. For example, a programmer who passes the Java exam would receive the GSSP-J designation.

Paller said the proctored certification exam will cost $400. The online assessment that large companies will use will cost less.
