Major employers are backing the first qualifications in
secure programming as part of a drive to reduce software errors that
are leaving corporate systems open to attack.
The exams, launched this week, are designed to stem a rapid rise
in the exploitation of software vulnerabilities by encouraging the
use of secure programming techniques.
The US Navy, Siemens, systems integrator Tata, Juniper Networks
and Oracle are among more than 40 organisations backing the
qualifications, developed by IT security research body the
Sans Institute.
There has been a 40% increase in the number of security
vulnerabilities discovered over the past two years, according to
research by security specialist Qualys.
Allan Paller, director of research at the Sans Institute, said
the certification could "turn the tide" by helping firms eliminate
basic errors in software developed in-house, and by giving them a
benchmark to select suppliers that use programmers trained in
secure techniques.
"The requirement for coding skills has grown as organised
criminal groups have turned their attention to computer-based
crimes, increasingly attacking weaknesses in applications.
With the right skills, programmers can reduce the risk of losses
caused by cyber-attacks," said Paller.
The examinations, which allow programmers to gain certified
application security professional status, aim to plug a gap in
academic and commercial programming training.
"Programming standards are very weak because colleges do not
teach secure programming. People who write the code think users
will use it in the way it is designed. They do not think a bad
person will use it in the opposite way," said Paller.
Sans Institute research has shown that most security
vulnerabilities found in software result from a few basic
programming errors. Teaching programmers how to avoid these and
other basic mistakes could make a dramatic difference, the
institute believes.
Siemens is among the firms planning to put its programmers
through the certification process. Online tests will allow its IT
staff to assess their skills and identify areas of weakness before
they complete a formal examination.
The US Gas Technology Institute said it planned to use the
certification as a benchmark for selecting software suppliers that
take security seriously.
"A supplier that takes the initiative to train and certify its
development staff through this programme would show that it is
committed to producing a high quality, secure product," it
said.
Programming languages covered by the examinations include C,
C++, Java, JSP, Perl, PHP, .net and ASP.
Sans believes that the examinations will put pressure on
universities and commercial training organisations to introduce
secure programming techniques into their courses.
It expects software suppliers and systems integrators to put
their programmers through the qualifications programme as a way of
differentiating themselves from competitors.
Sans awards programmers a score, rather than a pass
or a fail, providing them with an incentive to continually improve
their skills.
"We are confident this certification will not only strengthen
Siemens customer offerings, but strengthen the software development
industry as a whole," said John Fichtner, head of Siemens Computer
Emergency Response Team.