Certification plan aims to close the door on hackers

Major employers are backing the first qualifications in secure programming as part of drive to reduce software errors that are leaving corporate systems open to attack.

The exams, launched this week, are designed to stem a rapid rise in the exploitation of software vulnerabilities by encouraging the use of secure programming techniques.

The US Navy, Siemens, systems integrator Tata, Juniper Networks and Oracle are among more than 40 organisations backing the qualifications, developed by IT security research body the Sans Institute.

There has been a 40% increase in the number of security vulnerabilities discovered over the past two years, according to research by security specialist Qualys.

Allan Paller, director of research at the Sans Institute, said the certification could "turn the tide" by helping firms eliminate basic errors in software developed in-house, and by giving them a benchmark to select suppliers that use programmers trained in secure techniques.

"The requirement for coding skills has grown as organised criminal groups have turned their attention to computer-based crimes, increasingly attacking weaknesses in applications.

With the right skills, programmers can reduce the risk of losses caused by cyber-attacks," said Paller.

The examinations, which allow programmers to gain certified application security professional status, aim to plug a gap in academic and commercial programming training.

"Programming standards are very weak because colleges do not teach secure programming. People who write the code think users will use it in the way it is designed. They do not think a bad person will use it in the opposite way," said Paller.

Sans Institute research has shown that most security vulnerabilities found in software result from a few basic programming errors. Teaching programmers how to avoid these and other basic mistakes could make a dramatic difference, the institute believes.

Siemens is among the firms planning to put its programmers through the certification process. Online tests will allow their IT staff to assess their skills and identify areas of weakness before they complete a formal examination.

The US Gas Technology Institute said it planned to use the certification as a benchmark for selecting software suppliers that take security seriously.

"A supplier that takes the initiative to train and certify its development staff through this programme would show that it is committed to producing a high quality, secure product," it said.

Programming languages covered by the examinations include C, C++, Java, JSP, Perl, PHP, .net and ASP.

Sans believes that the examinations will put pressure on universities and commercial training organisations to introduce secure programming techniques into their courses.

It expects software suppliers and systems integrators to put their programmers through the qualifications programme as a way of differentiating themselves from competitors.

Sans awards programmers a score, rather than a pass or a fail, providing them with an incentive to continually improve their skills.

"We are confident this certification will not only strengthen Siemens customer offerings, but strengthen the software development industry as a whole," said John Fichtner, head of Siemens Computer Emergency Response Team.
