Secure Programming Exams Launched
An anonymous reader writes "The SANS Software Security Institute, in conjunction with organizations such as Siemens, Symantec, Juniper, OWASP, and Virginia Tech, has announced a program for testing whether programmers know how to write secure code. The Secure Programming Skills Assessment is split into separate language families (C/C++, Java/J2EE, Perl/PHP, and ASP/.NET). Director of research Alan Paller says 'This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills.' The pilot exam will be held in Washington DC in August, followed by a global rollout."
How important is security in non gov. applications? I'm a developer and I don't know shit about security to be honest.
If only programmers had time enough to evaluate the code they've written, and every now and then to refactor some parts. Every coder with a tight schedule will write anything that gets the manager's ready-to-production rubber stamp and, if it turns out that it has a vulnerability, by the time it gets discovered either it is up to the maintenance team to fix or a new version of the software will already be out, so no fix will be necessary.
Big. On schedule. Bugless. Pick 2.
Security is important: there's confidentiality that should be protected (think credit card numbers and other ID theft); systems should be available (downtime of a webshop or adserver costs revenue); but most importantly the integrity of systems and data should be OK. Consider what happens when people break into a bank and start transferring money from random accounts. (People defacing webservers are small fry in this category.)
extern warranty;
main()
{
(void)warranty;
}
I first read it as "Secure (Programming Exams)" instead of "(Secure Programming) Exams"
no VB =(
can we expect to see the answer keys posted to about 100 .ru sites in a week?
Am I the only one who can't create an account there? It keeps complaining about the password not being long enough.
WTF? "flub"? Not in my book. It seems that there is a difference of opinion on a few ideas. First - what is a programmer? And also - what is a flub? Do programmers catch flubs or, alternatively, do flubs catch programmers?
Here I am, sitting in my cube, pole in hand. "Whatcha doin, Joe?" "I'm goin' flubbin' today." "Catch any?" "No, but you shudda seen the one that got away."
RUBBER TIRES NEVER BREAK
We noticed
How long will it take employers, head-hunters, and even some technical people, to realise this?
The answers for these exams will be on testking and other cheat sites, which will be great as it will then enable thousands of coders to be certified to write secure code, and we'll never have insecure code again. Soon the SAN SW Security Institute can make exams for bug-free code and perfect IT architecture. I'll get all those certs so everything I do will be perfect.
Slowly, but surely, security of software is becoming more of an issue. That doesn't mean writing perfectly secure software -- but it does mean closing up some of the glaring holes. As this article points out, a ridiculously large amount of security flaws in web applications come down to failing to do very basic things like adequate input validation/filtering, which leaves you open to SQL injection, XSS attacks and all manner of other nastiness. Expecting perfect code for simple things like web apps is unreasonable. On the other hand, if we can educate more programmers on basic techniques for handling these very common sorts of errors then things will undoubtedly improve significantly on the security front. Ultimately we are moving toward software assurance, where developers provide certain assurances about their software to let clients know what they can expect. It's not a matter of assuring perfection, it's being able to state clearly what aspects you can be confident of. Being able to say that all user input gets filtered through a specific validation and filtering function, for instance, is an example of assurance. That doesn't mean the filtering function is perfect, but guaranteeing that all input goes through it is a start - if you want to provide assurance of stronger security then you might provide assurances as to what types of attacks the filtering function will prevent, and so on. As security becomes more important, providing such assurances in contracts will be increasingly valuable.
Security is a very fast paced field with new exploits coming out all the time. Are we going to require a refresher class every couple months to keep this cert?
I really think that things like this, although well intentioned and not a bad idea, will lull corps into a false sense of security (no pun intended ;)) making it counter productive in the long run. People are lazy after all and I know for a fact that only a handful of people I graduated with are keeping their knowledge up to date.
So, I predict in the future that we'll have a lot of people with this cert that'll have no clue because it has been so long since they got this cert.
I took the sample "C/C++" exam, making a point to respond quickly and not to consult any references (something I'd never do when actually programming) and I have to say I was singularly unimpressed. The emphasis wasn't on trying to teach good programming practices but rather on trying to fool the person taking the exam with tricky questions that have little if any relevance in actual programming.
For example, one question was basically making the point that sizeof is a compile time thing that cannot be used to, say, determine the size of a string buffer passed through a char * parameter. But rather than present the question in a straightforward fashion, they had this business of dividing one sizeof value by another - completely unnecessary and confusing. I got the question right but I could just as easily have missed it because of the unnecessary complexity and still understood the underlying concept.
One I did miss (I got 8 out of 10 right, I think) was one about how to declare a pointer to an array of constant strings. The question was phrased so awkwardly that I got confused as to what they actually wanted and gave the wrong answer even though I know how to get the effect they want.
I was also unimpressed that there was no feedback given as to why a given answer was correct or incorrect. No feedback is arguably fine if the intent is purely to assess skill levels, but the stated intent is that this "will help programmers learn what they don't know". You can't do that unless you also explain why a given answer is wrong. Perhaps this is merely an artifact of the sample exams, but if so the samples aren't very interesting.
If this sample exam is in any way representative I think there's a lot more work to be done before this will actually be useful.
We may start to see where zero day exploits really originate (implication: within the mother company). We may begin to see how much personal information is truly being gathered (implication: as much as possible). We may realize how long illegal domestic wiretaps have really been going on (implication: at least as long as the technology has been available).
In all actuality I see a certification like this to be good at heart to begin with but, give another five years, and it will become a method to ensure that programmers only make mistakes in predictable ways--and then everything will proceed as it currently is.
They're worried about security, alright. If it's too open then outsiders can begin exploiting them. If it's too closed then they might get caught passing insider trading information. Security is one of those "just right" things in the eyes of big business.
I agree. They have BrainBench syndrome: they take it upon themselves to judge others, yet clearly don't understand much of the subject themselves. You can tell this from the way the "C/C++" exam (as if security concerns are even close to the same in those two languages) focuses pretty much entirely on C library functions that most security-conscious programmers would avoid entirely, with a random concurrency question at the end. Strangely, it doesn't even reference ideas like using containers rather than raw strings/arrays in C++, avoiding fixed-size buffers and magic numbers in the first place, and other routine programming practices.
For the record, I scored only 7/10 according to them. This is odd, considering my experience. (I could name drop and list qualifications, but you can't verify them anyway, so for the sake of this discussion, let's assume that I'm technically competent and none of the answers I gave was actually wrong given my understanding of the question.)
The sample assessment report (PDF) that gives some headings for a C/C++ test is not reassuring, either.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
... there is a buffer overflow vulnerability on question #9.
-m
program for testing whether programmers know how to write secure code
Good programmers may even know, before that, how to choose platforms/technologies that are inherently more secure than others. I'm certainly not saying that this fixes all security issues (it doesn't), but it is a good start.
For example, I'd be less likely to trust a Webapp written in PHP running on a Windows OS than a Webapp written in a language I won't name on /., running in a bullet-proof VM on a Unix OS.
Funnily enough most major customer banks (all?) have the same preference as I do. Mod me as a troll if you wish, but I'm stating facts.
On another topic, it never ceases to amaze me how programmers are keen to put passwords in plain text in various databases. More knowledgeable ones will go for a cryptographic hash of the password. This is of course still vulnerable to a dictionary attack. In some cases you'll even see some guys having some basic security knowledge, like what a 'salt' is. But of course most programmers have no clue what a 'salt' is. On the PKI side, you'd be amazed by the number of programmers who are completely unable to explain how a public/private key pair works. To them it simply looks like magic. They simply don't get it.
It's a really sad state of affairs and things won't get better any time soon... At this point, when people are able to prevent "SQL injection attack" they think they know something about security. Wow.
Vallllllllllldiiiiiiiisssssss!!!! The only person to post to more lists in one day than Gadi Evron!
Everything I needed to know about life, I learnt from Blake's Seven
An attacker browses to a website and receives a JSESSIONID without logging in. He then embeds that ID in a link and emails it to a victim. The victim clicks on the link and proceeds to login, using the JSESSIONID that is known by the attacker. The attacker can now masquerade as the victim.
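The scenario above is session fixation. As an added illustration (not code from the exam or from anyone in the thread), here is a toy in-memory session table with the login handler written both ways: one that keeps whatever id the client presented, and one that invalidates it and issues a fresh id at the login boundary, which is what `HttpSession.invalidate()` followed by a new session, or `HttpServletRequest.changeSessionId()` in Servlet 3.1, does for you in J2EE. The session ids here are built from a counter only so the run is deterministic; a real container draws them from a CSPRNG.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the exam's or the thread's code: a toy in-memory session
 * table modelling the JSESSIONID scenario above, with the login handler
 * written both ways. Ids come from a counter only to keep the run
 * deterministic; a real container draws them from a CSPRNG. */

#define MAX_SESSIONS 8
#define SID_LEN 16

struct session {
    char id[SID_LEN + 1];
    char user[32];
    int  authenticated;
    int  in_use;
};

static struct session table[MAX_SESSIONS];
static unsigned next_sid = 1000;

static struct session *find_session(const char *sid)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (table[i].in_use && strcmp(table[i].id, sid) == 0)
            return &table[i];
    return NULL;
}

/* First contact: mint an anonymous session and hand its id to the client
 * (the Set-Cookie step). Writes the id into out; returns 1 on success. */
int new_session(char *out, size_t outlen)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!table[i].in_use) {
            snprintf(table[i].id, sizeof table[i].id, "S%u", next_sid++);
            table[i].user[0] = '\0';
            table[i].authenticated = 0;
            table[i].in_use = 1;
            snprintf(out, outlen, "%s", table[i].id);
            return 1;
        }
    }
    return 0;
}

/* Vulnerable login: upgrades whatever session id the client presented to an
 * authenticated one. If that id came from the attacker's link, the attacker
 * now holds an authenticated session for `user`. */
int login_keep_sid(const char *sid, const char *user, char *out, size_t outlen)
{
    struct session *s = find_session(sid);
    if (!s)
        return 0;
    snprintf(s->user, sizeof s->user, "%s", user);
    s->authenticated = 1;
    snprintf(out, outlen, "%s", s->id);
    return 1;
}

/* Hardened login: invalidate the pre-login session and issue a fresh id at
 * the authentication boundary. Anything worth keeping from the old session
 * (a shopping cart, say) would be copied over explicitly here. */
int login_rotate_sid(const char *sid, const char *user, char *out, size_t outlen)
{
    struct session *old = find_session(sid);
    if (!old)
        return 0;
    old->in_use = 0;                      /* the pre-login id stops resolving */
    char fresh[SID_LEN + 1];
    if (!new_session(fresh, sizeof fresh))
        return 0;
    return login_keep_sid(fresh, user, out, outlen);
}

/* Who does this id identify? NULL if unknown or not authenticated. */
const char *whoami(const char *sid)
{
    struct session *s = find_session(sid);
    return (s && s->authenticated) ? s->user : NULL;
}

int main(void)
{
    char presented[SID_LEN + 1], kept[SID_LEN + 1], fresh[SID_LEN + 1];

    new_session(presented, sizeof presented);          /* id obtained before login */
    login_keep_sid(presented, "victim", kept, sizeof kept);
    printf("keep:   %s now identifies %s\n", presented, whoami(presented));

    new_session(presented, sizeof presented);
    login_rotate_sid(presented, "victim", fresh, sizeof fresh);
    printf("rotate: %s identifies %s; %s identifies %s\n", presented,
           whoami(presented) ? whoami(presented) : "nobody",
           fresh, whoami(fresh));
    return 0;
}
```

The check that matters is the last one: after `login_rotate_sid`, the id that existed before authentication resolves to nobody, so an id handed out in a link before login is worthless once the victim logs in.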
Not that I disagree in general, but that sizeof idiom is one I use all the time to compute the number of elements in an array. The point of the question is that this doesn't work for arrays passed as arguments to a function.
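Both sides of this exchange (the sizeof question described a few comments up, and the element-count idiom defended here) come down to one rule: `sizeof` reports the declared type, so the idiom works on a true array and silently breaks once the array has decayed to a pointer. The following is an added example, not code from the exam or from either poster; it shows the idiom where it works, the same idiom on a parameter where it does not, and the conventional fix of having the caller pass the size down explicitly.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the exam or the thread: the sizeof idiom
 * for array element counts, where it works and where it quietly does not. */

/* Element count of a true array. Valid only where the array's declared type
 * is visible; applied to a pointer it divides the pointer size by the
 * element size and returns garbage without any diagnostic at runtime. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Caller's side: the declared type int[10] is visible, so the idiom yields 10. */
size_t count_local_array(void)
{
    int table[10];
    return ARRAY_LEN(table);
}

/* Callee's side: an array argument decays to a pointer. Writing the parameter
 * as "int table[10]" would change nothing; it is an int * either way, so the
 * idiom computes sizeof(int *) / sizeof(int), not 10. */
size_t count_param_array(int *table)
{
    return ARRAY_LEN(table);
}

/* The exam's case: sizeof of a char * parameter is the pointer size, never the
 * length of the buffer the caller passed. */
size_t sizeof_char_param(char *buf)
{
    return sizeof(buf);
}

/* The fix: the callee cannot recover the size, so the caller passes it.
 * Copies at most dstlen-1 bytes and always NUL-terminates. Returns 1 if src
 * fit, 0 if it was truncated (or dstlen is 0, in which case nothing is written). */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (dstlen == 0)
        return 0;
    if (n >= dstlen) {
        memcpy(dst, src, dstlen - 1);
        dst[dstlen - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);
    return 1;
}

/* The caller applies sizeof where the array type is known and hands the
 * result down explicitly. */
int store_name(const char *src)
{
    char buf[8];
    return copy_bounded(buf, sizeof buf, src);
}

int main(void)
{
    printf("local array: %zu elements\n", count_local_array());
    printf("via pointer parameter: %zu (wrong)\n", count_param_array((int *)0));
    printf("sizeof char * parameter: %zu\n", sizeof_char_param((char *)0));
    printf("\"abc\" fits in 8: %d, long string fits: %d\n",
           store_name("abc"), store_name("definitely too long"));
    return 0;
}
```

Modern compilers flag the second case (gcc's `-Wsizeof-pointer-div`, enabled by `-Wall`), which is a good argument for building with warnings on rather than relying on an exam to catch it.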
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
From the title I thought they were talking about preventing cheating on online exams... Unfortunately, since they're not, I doubt we'll be able to take the secure programming exam online securely any time soon.
Make the students write some app that must be put online; classmates then try to break each other's apps: score += 1 if you break someone else's, score -= 5 if someone breaks yours. After a given time students can no longer modify their code, it is made viewable to all students, and more points can be awarded or deducted for all holes that can be found in the code. If you have a positive score at the end, you pass.
AC
for secure programming. But that's not unusual. In fact that seems to be the Zeitgeist.
/. article of mine on secure programming without me mentioning that Ada [2] is well suited for secure programming and since PHP was mentioned: How about using the Ada Web Server [3] to truly secure your web applications? Yes, it will take longer to program for the AWS than quickly hacking together a PHP application. But the bitter truth is: quick hacking and secure programming are mutually exclusive.
Everybody speaks of secure programming but always in combination with unsuitable tools and programming languages.
Reminds me a bit of the Addams Family. Remember the part where Gomez tries to make a huge loss of money. In the end he starts a venture in Chocolate-Diet - something he thinks will never work as chocolate is completely unsuitable for diet purposes and his hope is that people won't fall for such a stupid idea - hence he is going to lose money on the venture.
Of course we know how it ended: Chocolate-Diet was a huge success! He made tons of extra cash. Because people love to go the easy way - even when it is blatantly clear that it won't work.
And the same here: Instead of going to the pains of learning a programming language and/or tools suitable for secure programming you just go, or are sent by management, to take a silly test [1]. Only difference: Unlike Gomez Addams the "Software Security Institute" knows very well how people (and especially managers with little technical knowledge) work and that their "Chocolate-Diet" will bring in the cash.
Of course no
Martin
[1] http://developers.slashdot.org/comments.pl?sid=22
[2] http://en.wikibooks.org/wiki/Ada_Programming
[3] http://en.wikibooks.org/wiki/Ada_Programming/Libr