More than 40 global user firms have set up a standard to
test secure programming skills for Java
programmers. This follows last month's move by
software suppliers under the SafeCode initiative.
The group, the Secure Programming Council, has just completed
its first consensus document, "Essential Skills for Secure
Programmers Using Java/JavaEE," and is making the document
available for public comment for 60 days. Once it has incorporated
comment, the SPC will publish the document for all programmer
training schools to use.
SPC members are mostly managers from large organisations who
want their staff to use tools and training to ensure that new and
existing applications that they develop do not have security flaws,
whether built in-house, outsourced, or at commercial software
companies.
Any firm will be able to use SPC's set of standardised tests
that measure these essential skills in-house to find gaps in
programmer skills, and to assess job candidates, consultants, and
outsourcing organisations. A key concern is to prevent attacks that
use cross-site scripting and
SQL injection techniques.
The tests will run in London on 5 December, in Washington DC on
12 December, and in 15 other cities in the US and Europe over the
next eight months.
Parallel examinations are also available for on-line
administration inside large organisations. Additional data about
the tests can be seen at
www.sans.org/gssp.