Slashdot Mirror


Secure Programming Exams Launched

An anonymous reader writes "The SANS Software Security Institute, in conjunction with organizations such as Siemens, Symantec, Juniper, OWASP, and Virginia Tech, has announced a program for testing whether programmers know how to write secure code. The Secure Programming Skills Assessment is split into separate language families (C/C++, Java/J2EE, Perl/PHP, and ASP/.NET). Director of research Alan Paller says 'This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills.' The pilot exam will be held in Washington DC in August, followed by a global rollout."


  1. If only by vivaoporto · · Score: 3, Insightful

    If only programmers had time enough to evaluate the code they have written, and every now and then to refactor some parts. Every coder with a tight schedule will write anything that gets the manager ready-to-production-rubber-stamp and, if it turns out that it has a vulnerability, by the time it gets discovered either it is up to the maintenance team to fix or a new version of the software will already be out, so no fix will be necessary.

    Big. On schedule. Bugless. Pick 2.

  2. Re:Question by Nerdfest · · Score: 3, Insightful

    Do some work for a business involving online purchasing, and ask your client their opinion.

  3. Re:Question by tecie · · Score: 4, Insightful

    Extremely important. Nobody looks good when their information is hacked. The main difference between the government and a corporation is a corporation can lose customers and die rather quickly.

  4. Re:Question by Anonymous Coward · · Score: 1, Insightful

    Exactly. It's probably possible to find ways of making virtually anything "more secure". Generally security isn't my number 1 priority when developing applications, but then I'm not developing anything mission critical or handling extremely sensitive data. I know some people on here will always say they do put security first, but how many people truly think of how secure something is after completing it? Not many that I know of - it's usually a case of getting something done by a deadline and that's that.

  5. Important by MathFox · · Score: 3, Insightful

    Security is important: there's confidentiality that should be protected (think credit card numbers and other ID theft); systems should be available (downtime of a webshop or adserver costs revenue) but most important, integrity of systems and data should be OK. Consider what happens when people break into a bank and start transferring money from random accounts. (People defacing webservers are small fry in this category.)

    --
    extern warranty;
    main()
    {
    (void)warranty;
    }

  6. There is no language named C/C++ ! by chrism238 · · Score: 3, Insightful

    How long will it take employers, head-hunters, and even some technical people, to realise this?

  7. The Slow Move Toward Software Assurance by Coryoth · · Score: 2, Insightful

    Slowly, but surely, security of software is becoming more of an issue. That doesn't mean writing perfectly secure software -- but it does mean closing up some of the glaring holes. As this article points out, a ridiculously large number of security flaws in web applications come down to failing to do very basic things like adequate input validation/filtering, which leaves you open to SQL injection, XSS attacks and all manner of other nastiness. Expecting perfect code for simple things like web apps is unreasonable. On the other hand, if we can educate more programmers on basic techniques for handling these very common sorts of errors then things will undoubtedly improve significantly on the security front. Ultimately we are moving toward software assurance, where developers provide certain assurances about their software to let clients know what they can expect. It's not a matter of assuring perfection, it's being able to state clearly what aspects you can be confident of. Being able to say that all user input gets filtered through a specific validation and filtering function, for instance, is an example of assurance. That doesn't mean the filtering function is perfect, but guaranteeing that all input goes through it is a start - if you want to provide assurance of stronger security then you might provide assurances as to what types of attacks the filtering function will prevent, and so on. As security becomes more important, providing such assurance offers in contracts will be increasingly valuable.
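
    The comment above describes two of the basic techniques the assessment is meant to test: keeping user data out of SQL structure, and routing every piece of input through one named validation function so you can state that assurance in a contract. The following Python script is an added illustration, not code from the article, from Slashdot, or from any of the commenters; the table, the usernames and the `validate_username` rule are constructed for the demo. It shows the string-concatenated query that lets a quoted input change the query's meaning, the parameterised query that does not, and a single entry point that refuses any input the validator has not accepted.

```python
import html
import re
import sqlite3


def make_db():
    # Constructed sample data (not from the article): two users in an in-memory table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (username, bio) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "<b>admin</b>")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # The 'before' pattern the comment warns about: input pasted into the SQL text,
    # so a quote character in the input becomes part of the query's structure.
    query = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the SQL,
    # so the same input is compared as a literal string and matches nothing.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hypothetical validation rule for the demo: usernames are 1-32 word characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


class InvalidInput(ValueError):
    """Raised by the single validation chokepoint when input is rejected."""


def validate_username(value):
    # The one function all usernames must pass through. Being able to point at
    # this function is the kind of assurance the comment describes: the rule
    # may be imperfect, but every caller is known to apply it.
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise InvalidInput("username rejected by validate_username")
    return value


def render_bio(bio):
    # Output encoding for the XSS side: stored text is escaped before it is
    # placed in HTML, regardless of what the input filter did.
    return html.escape(bio, quote=True)


def lookup(conn, raw_username):
    # Application entry point: validation first, then the parameterised query.
    # Raw input never reaches the database without passing validate_username.
    return find_user_safe(conn, validate_username(raw_username))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # classic quote-breaking input, used only to show the difference
    print("concatenated query returned", len(find_user_vulnerable(db, probe)), "rows")
    print("parameterised query returned", len(find_user_safe(db, probe)), "rows")
    try:
        lookup(db, probe)
    except InvalidInput as exc:
        print("chokepoint rejected input:", exc)
    print("escaped bio:", render_bio("<b>admin</b>"))
```

    Note the layering: the parameterised query is what actually prevents the injection, the validator gives you a single place to audit and to name in an assurance statement, and output escaping handles the XSS case independently of both. Removing any one layer should not silently weaken the others.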

  8. If security catches on by HomelessInLaJolla · · Score: 2, Insightful

    We may start to see where zero day exploits really originate (implication: within the mother company). We may begin to see how much personal information is truly being gathered (implication: as much as possible). We may realize how long illegal domestic wiretaps have really been going on (implication: at least as long as the technology has been available).

    In all actuality I see a certification like this to be good at heart to begin with but, give another five years, and it will become a method to ensure that programmers only make mistakes in predictable ways--and then everything will proceed as it currently is.

    --
    the NPG electrode was replaced with carbon blac