News Stay informed about the latest enterprise technology news and product updates.

Group releases Java standards for secure development

The Secure Programming Council is releasing a set of essential skills for Java developers in an effort to improve software security and educate new programmers.

A new group of private-sector security experts is trying to improve secure programming skills through a set of minimum standards that developers should meet before writing code.

The Secure Programming Council, as the group is called, is releasing its first standards document today, focused on Java and J2EE development. The document is designed to serve as a set of essential skills for Java developers, instructing them in the safest ways to write applications and avoid common errors that lead to security vulnerabilities.

Secure software development:
Tech vendors team up for secure software development: A new group of technology vendors, including Microsoft and Symantec, are joining together to raise awareness about the need for more secure code.

Five hidden tactics for secure programming: Discover the five fundamental steps of secure code development to help you cost-effectively – and efficiently – address the root cause of the biggest security exposures.

The document, "Essential Skills for Secure Programming Using Java/J2EE," will be available for public comment for 60 days. The council will then incorporate suggestions and release a final version.

The group also will produce standardized exams to test developers' skills against the standards. The tests will be administered in both the U.S. and abroad, beginning in London on Dec. 5, the council said. The group also is working on similar standards for Perl, PHP, .Net, C and C++ programmers.

The new council is just one of a handful of recent efforts to improve the quality and security of code that developers are turning out. The SANS Institute earlier this year started the Software Security Institute, a similar program involving education, skills assessment and testing. And Microsoft Corp., Symantec Corp., and other large software vendors recently began another group called SAFECode, focused on educating developers.

The Secure Programming Council comprises representatives from more than 40 organizations, and the committee that put together the Java documents includes Java security experts from Booz Allen & Hamilton, Ounce Labs, Deloitte and Touche and Kaiser Permanente, among others. Application Security vendors, such as Fortify and Neohapsis also are involved.

The minimum skills that the Java document lays out cover a broad range of topics, including data handling, authentication and session management, access control and encryption services.

During a press conference Tuesday afternoon, SANS Institute Research Director Allan Paller said having well-defined standards like this will give employers a way to measure if the people writing code for them are prepared with the neccesary skills and security know-how.

As for what was announced Tuesday, Paller said, "This is the first standard you need to know if you're going to write secure code for Java. There will be other standards but this is the first because Java is what most applications are written in and applications are what the attackers are targeting most right now."

Senior News Writer Bill Brenner contributed to this report.

Dig Deeper on Secure software development

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.