Secure Programming Exams Launched
An anonymous reader writes "The SANS Software Security Institute, in conjunction with organizations such as Siemens, Symantec, Juniper, OWASP, and Virginia Tech, has announced a program for testing whether programmers know how to write secure code. The Secure Programming Skills Assessment is split into separate language families (C/C++, Java/J2EE, Perl/PHP, and ASP/.NET). Director of research Alan Paller says 'This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills.' The pilot exam will be held in Washington DC in August, followed by a global rollout."
I think this misses the point. Common vulnerability types could be avoided with a little education on how they actually work. Understanding how vulnerabilities come about would allow programmers to avoid creating instances of them in the first place.
If you monitor the bugtraq list you can see that the vast majority of reported vulnerabilities are XSS and SQL injections in web apps. Most of these can be easily avoided if you know how they occur.
This would mean less time needed for reviews as the code would be more secure in the first place.
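The XSS and SQL injection classes this comment mentions both come from the same mistake: untrusted input is spliced into text that another parser (the SQL engine, the browser) then interprets as syntax. The following is an added illustration, not code from the thread or from SANS; it uses a constructed in-memory SQLite table and shows the concatenated query beside the parameterized one, and raw HTML output beside the escaped form.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data for the demonstration (not real accounts)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the user-supplied name becomes part of the SQL text,
    # so a quote character in the input changes the meaning of the statement.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # Hardened pattern: the name is bound as a parameter and is never parsed
    # as SQL, whatever characters it contains.
    rows = conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    )
    return [row[0] for row in rows]


def concat_query_fails(conn, name):
    # Even a benign name with an apostrophe breaks the concatenated query;
    # the same input is handled correctly by the parameterized version.
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting_raw(name):
    # Vulnerable pattern: input is echoed straight into HTML, so any tags
    # it contains are rendered by the browser.
    return "<p>Hello, " + name + "</p>"


def render_greeting_escaped(name):
    # Hardened pattern: encode the characters HTML treats as syntax so the
    # browser displays the input as text.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print("param, normal input:   ", lookup_param(db, "alice"))
    print("concat, apostrophe:    ", concat_query_fails(db, "O'Brien"))
    print("param, apostrophe:     ", lookup_param(db, "O'Brien"))
    print("concat, tautology:     ", lookup_concat(db, "' OR '1'='1"))
    print("param, same input:     ", lookup_param(db, "' OR '1'='1"))
    print("raw HTML:              ", render_greeting_raw("<b>x</b>"))
    print("escaped HTML:          ", render_greeting_escaped("<b>x</b>"))
```

The point for a code reviewer is that the fix is structural rather than a matter of filtering particular characters: keep data and syntax on separate channels (bound parameters, output encoding) and the whole class disappears, which is what the comment means by knowing how the bugs occur.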
It is a management problem, absolutely. But it is also a matter of having seasoned lead developers. A project or program manager per se may not have the technical background to make sure the schedule includes security testing, but his lead developer can explain why it needs to be there.
Oh, yeah, it's not easy to pad these out to 120 characters.
It is ironic that the parent post is modded off-topic. If you read the C and C++ newsgroups, you will soon discover that many regulars dislike the term "C/C++". It is ambiguous, and often used (deliberately or inadvertently) by those who don't understand the differences between the languages to hide their lack of knowledge.
The SANS sample test here is guilty of exactly that crime, demonstrating a fundamental lack of understanding of the differences between how you program in C and how you do it in C++ if you want to write software as secure as possible. Thus the term "C/C++" carries its usual significance to those in the on-line C and C++ communities: it is a warning flag that the person using it probably doesn't know what they're talking about.
And why would we value any qualification awarded by a group who don't know what they're talking about?
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.