A new group of private-sector security experts is trying to improve secure programming skills through a set of minimum standards that developers should meet before writing code.
The Secure Programming Council, as the group is called, is releasing its first standards document today, focused on Java and J2EE development. The document is designed to serve as a set of essential skills for Java developers, instructing them in the safest ways to write applications and avoid common errors that lead to security vulnerabilities.
The document, "Essential Skills for Secure Programming Using Java/J2EE," will be available for public comment for 60 days. The council will then incorporate suggestions and release a final version.
The group also will produce standardized exams to test developers' skills against the standards. The tests will be administered in both the U.S. and abroad, beginning in London on Dec. 5, the council said. The group also is working on similar standards for Perl, PHP, .Net, C and C++ programmers.
The new council is just one of a handful of recent efforts to improve the quality and security of code that developers are turning out. The SANS Institute earlier this year started the Software Security Institute, a similar program involving education, skills assessment and testing. And Microsoft Corp., Symantec Corp., and other large software vendors recently began another group called SAFECode, focused on educating developers.
The Secure Programming Council comprises representatives from more than 40 organizations, and the committee that put together the Java document includes Java security experts from Booz Allen & Hamilton, Ounce Labs, Deloitte & Touche and Kaiser Permanente, among others. Application security vendors, such as Fortify and Neohapsis, also are involved.
The minimum skills that the Java document lays out cover a broad range of topics, including data handling, authentication and session management, access control and encryption services.
During a press conference Tuesday afternoon, SANS Institute Research Director Alan Paller said that having well-defined standards like this will give employers a way to measure whether the people writing code for them are prepared with the necessary skills and security know-how.
As for what was announced Tuesday, Paller said, "This is the first standard you need to know if you're going to write secure code for Java. There will be other standards but this is the first because Java is what most applications are written in and applications are what the attackers are targeting most right now."
Senior News Writer Bill Brenner contributed to this report.