(ISC)2 promotes secure SDLC with 1000th CSSLP

(ISC)2 wants its CSSLP certification, focusing on secure software development, to help augment enterprises' secure SDLC programs.

Three years after the launch of its Certified Secure Software Lifecycle Professional (CSSLP) accreditation, the International Information Systems Security Certification Consortium, better known as (ISC)2, said more than 1,000 security professionals have now been certified.

The accreditation was launched in September 2008 to meet the growing challenge of hackers attacking Web applications, exploiting common vulnerabilities and using such techniques as SQL injection and cross-site scripting. Its aim is to make security a higher priority among software developers, and to ensure security is incorporated into the whole software development life cycle (SDLC).

CSSLP certifications
The CSSLP curriculum covers seven main domains (see 'Seven domains of the CSSLP') of secure SDLC, from project management through secure testing. Most holders (776) of the certificate are based in the US and Canada, while there are 134 in the EMEA region, 105 in Asia and two in Japan.

“People are becoming very concerned about application security, and software designers and software developers know there is no room for error now,” said Alessandro Moretti, an (ISC)2 board member and senior executive in the financial services sector in London. “There is an expectation that software will be delivered right the first time, especially if you are delivering to mobile platforms.”

He said although the certification has not yet become a prerequisite in most advertisements for jobs, it is starting to be recognised in some sectors, such as financial services, where regulators are pushing for more secure application development practices.

“Within the finance industry, if someone comes along with the CSSLP accreditation, it helps in the interview process, and at the competency assessment stage,” Moretti said. “Reaching the 1,000 mark is a major milestone. These things can be slow to take off, but once you get a solid base, the impetus starts to build. There is great demand for good, secure software, and that is why the CSSLP is gathering force.”

Results from the recent 2011 (ISC)2 Global Security Information Workforce Study, which polled opinions from more than 10,000 (ISC)2 members worldwide, showed application vulnerabilities were rated as the No. 1 threat to organisations, followed by the threats posed by mobile devices.

Moretti said holders of the CSSLP certificate could save money for their employers by building in security at all stages of development. “By designing security into the software development life cycle, developers stop making mistakes that will cause problems in the testing phase,” he said. “They understand how to deliver secure code, and reuse secure code, so the quality is embedded into the process. That is one of the benefits of a secure SDLC process.”

Increased need for secure application development
Threats to applications and to mobile devices are now compounded by the explosion of mobile apps over the last three years, which is creating new challenges for developers and exposing users to new dangers. According to the MobiThinking statistics website, there are 300,000 mobile apps that have been downloaded nearly 11 billion times, and those figures are predicted to rise even more sharply.

At the same time, whilst users of PCs have learned over the years to be careful about what files they open or websites they go to, smartphone users tend to be more trusting. As a recent survey by antimalware company ESET found, 31% of consumers were unaware hackers are targeting smartphones, 58% regularly opened email attachments on their phone, and 21% used their phone for Internet banking.

“It’s like going back to the 1990s, with people running attachments straight from the Internet on applications built of untrusted code,” said Chris Eng, VP of research for Burlington, Mass.-based application code testing company Veracode Inc. “Companies are producing or commissioning apps for their own people, and we have corporate and personal data cohabiting on the same device.”

He said smartphone apps were subject to the same vulnerabilities as traditional Web applications, as well as new dangers such as location tracking and dialling out to premium-rate numbers. But Moretti said the CSSLP accreditation should allow security professionals to manage software better, “not just in our own developments, but with our vendors.”