(ISC)2 launches security certification to reduce application vulnerabilities

(ISC)2 has announced an IT professional certification aimed at reducing the risk of security vulnerabilities in software applications.

The Certified Secure Software Lifecycle Professional (CSSLP) education programme has been developed by (ISC)2 in collaboration with several software producers including Microsoft.

Steven Lipner, senior director of security engineering strategy at Microsoft, said the company strongly supports industry efforts to train and certify developers in security.

The certification is designed to establish best practices and validate an individual's competency in addressing security issues throughout the software life cycle (SLC).

The CSSLP is independent of programming language and methodology and is applicable to anyone involved in the SLC, including developers, project managers and quality assurance testers.

Subject areas include the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance.

John Colley, (ISC)2 managing director EMEA, said a recent survey of information security professionals showed a need for wider education on security in application software.

"People in information security are recognising that no matter how good the security is, if the applications run by business are insecure, all the other stuff is largely a waste of time," he said.

Business is also demanding greater security in applications to reduce risk of data breaches and to meet industry and government regulations aimed at improving information protection.

Kevin Richards, vice-president of ISSA International, said, "The CSSLP can serve as a catalyst to unite the application development and information security teams within an organisation."

Financial services companies and software development firms are likely to be the first UK adopters of the CSSLP, said Colley.

Instead of having to devise their own systems to ensure applications are developed with security built into them, these organisations can simply employ people certified to follow that path, he said.

The approach of the CSSLP, said Colley, is to certify people as having understanding and experience of the proper process to build secure software rather than certifying an end product.

He said by building security into the process, producers and consumers of the end product can be assured of a high level of application security.

Howard Schmidt, president of the Information Security Forum (ISF), said an initiative aimed at reducing security weaknesses in software is overdue.

"The time to act is now because new applications that lack basic security controls are being developed every day," he said.

Schmidt, who is also an (ISC)2 board member, said criminals have switched their attention from networks, where most security efforts have been concentrated, to exploit vulnerabilities in applications.

"The problem is that we have been focussing on security on the networks and have not spent a lot of time giving the developers the tools, knowledge and training to build security into software as part of the day to day process," he said.

Schmidt said it was unlikely that many smaller companies would be among the early adopters, but they would in time recognise it as a way of getting a competitive edge.

"If they do not do it and their competitors do, that will leave them at a disadvantage," he said.

The certification will also make IT professionals more competitive, said Schmidt, because companies will recognise the need to have people with these skills.

"The CSSLP will make a major difference in ensuring future generations of software will be built not only around rich and robust capabilities but also have those capabilities done in a secure manner," he said.

Robert Ayoub, industry manager of the network security practice at Frost & Sullivan, said, "CSSLP practices are expected to result in lower production costs, fewer delays, better critical infrastructure protection, reduced risk of software malpractice suits, and stricter adherence to industry and government regulations."

Professionals who meet qualification and experience requirements can apply for the first CSSLP programme until the end of March. The first exam is scheduled for the end of June 2009.

(ISC)2 said first CSSLP holders will be asked to contribute to the examination process and assist in other aspects of programme development.