(ISC)2 has announced an IT professional certification aimed at reducing the risk of security vulnerabilities in software applications.
The Certified Secure Software Lifecycle Professional (CSSLP)
education programme has been developed by (ISC)2 in collaboration
with several software producers including Microsoft.
Steven Lipner, senior director of security engineering strategy
at Microsoft, said the company strongly supports industry efforts
to train and certify developers in security.
The certification is designed to establish best practices and validate an individual's competency in addressing security issues throughout the software life cycle (SLC).
The CSSLP is independent of programming language and methodology
and is applicable to anyone involved in the SLC, including
developers, project managers and quality assurance testers.
Subject areas include the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance.
John Colley, (ISC)2 managing director EMEA, said a recent survey
of information security professionals showed a need for wider
education on security in application software.
"People in information security are recognising that no matter
how good the security is, if the applications run by business are
insecure, all the other stuff is largely a waste of time," he
said.
Business is also demanding greater security in applications to
reduce risk of data breaches and to meet industry and government
regulations aimed at improving information protection.
Kevin Richards, vice-president of ISSA International, said, "The
CSSLP can serve as a catalyst to unite the application development
and information security teams within an organisation."
Financial services companies and software development firms are likely to be the first UK adopters of the CSSLP, said Colley.
Instead of having to devise their own systems to ensure
applications are developed with security built in to them, these
organisations can just employ people certified to follow that path,
he said.
The approach of the CSSLP, said Colley, is to certify people as
having understanding and experience of the proper process to build
secure software rather than certifying an end product.
He said by building security into the process, producers and
consumers of the end product can be assured of a high level of
application security.
Howard Schmidt, president of the Information Security Forum (ISF), said an initiative aimed at reducing security weaknesses in software is overdue.
"The time to act is now because new applications that lack basic security controls are being developed every day," he said.
Schmidt, who is also an (ISC)2 board member, said criminals have
switched their attention from networks, where most security efforts
have been concentrated, to exploit vulnerabilities in
applications.
"The problem is that we have been focussing on security on the
networks and have not spent a lot of time giving the developers the
tools, knowledge and training to build security into software as
part of the day to day process," he said.
Schmidt said it was unlikely that many smaller companies would
be among the early adopters, but they would in time recognise it as
a way of getting a competitive edge.
"If they do not do it and their competitors do, that will leave
them at a disadvantage," he said.
The certification will also make IT professionals more
competitive, said Schmidt, because companies will recognise the
need to have people with these skills.
"The CSSLP will make a major difference in ensuring future
generations of software will be built not only around rich and
robust capabilities but also have those capabilities done in a
secure manner," he said.
Robert Ayoub, industry manager of the network security practice at Frost & Sullivan, said, "CSSLP practices are expected to result in lower production costs, fewer delays, better critical infrastructure protection, reduced risk of software malpractice suits, and stricter adherence to industry and government regulations."
Professionals who meet the qualification and experience requirements can apply for the first CSSLP programme until the end of March. The first exam is scheduled for the end of June 2009.
(ISC)2 said first CSSLP holders will be asked to contribute to
the examination process and assist in other aspects of programme
development.