The group, the Secure Programming Council, has just completed its first consensus document, "Essential Skills for Secure Programmers Using Java/JavaEE," and is making the document available for public comment for 60 days. Once it has incorporated the comments, the SPC will publish the document for all programmer training schools to use.
SPC members are mostly managers from large organisations who want their staff to use tools and training to ensure that the new and existing applications they develop, whether built in-house, outsourced, or at commercial software companies, do not have security flaws.
Any firm will be able to use the SPC's set of standardised tests, which measure these essential skills, in-house to find gaps in programmer skills and to assess job candidates, consultants, and outsourcing organisations. A key concern is to prevent attacks that use cross-site scripting and SQL injection techniques.
The tests will run in London on 5 December, in Washington DC on 12 December, and in 15 other cities in the US and Europe over the next eight months.
Parallel examinations are also available for on-line administration inside large organisations. Additional data about the tests can be seen at www.sans.org/gssp.