Slashdot Mirror


Secure Programming Exams Launched

An anonymous reader writes "The SANS Software Security Institute, in conjunction with organizations such as Siemens, Symantec, Juniper, OWASP, and Virginia Tech, has announced a program for testing whether programmers know how to write secure code. The Secure Programming Skills Assessment is split into separate language families (C/C++, Java/J2EE, Perl/PHP, and ASP/.NET). Director of research Alan Paller says 'This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills.' The pilot exam will be held in Washington DC in August, followed by a global rollout."

14 of 85 comments

  1. If only by vivaoporto · · Score: 3, Insightful

    If only programmers had time enough to evaluate the code they've written, and every now and then to refactor some parts. Every coder with a tight schedule will write anything that gets the manager's ready-to-production rubber stamp and, if it turns out that it has a vulnerability, by the time it gets discovered either it is up to the maintenance team to fix or a new version of the software will already be out, so no fix will be necessary.

    Big. On schedule. Bugless. Pick 2.

    1. Re:If only by Big+Boss · · Score: 3, Funny

      One "Hello World" coming right up!

    2. Re:If only by jd3nn1s · · Score: 2, Informative

      I think this misses the point. Common vulnerability types could be avoided with a little education on how they actually work. Understanding how vulnerabilities come about would allow programmers to avoid creating instances of them in the first place.

      If you monitor the bugtraq list you can see that the vast majority of reported vulnerabilities are XSS and SQL injections in web apps. Most of these can be easily avoided if you know how they occur.

      This would mean less time needed for reviews as the code would be more secure in the first place.

    3. Re:If only by ciaohound · · Score: 3, Informative

      It is a management problem, absolutely. But it is also a matter of having seasoned lead developers. A project or program manager per se may not have the technical background to make sure the schedule includes security testing, but his lead developer can explain why it needs to be there.

      --
      Oh, yeah, it's not easy to pad these out to 120 characters.

  2. Re:Question by Nerdfest · · Score: 3, Insightful

    Do some work for a business involving online purchasing, and ask your client their opinion.

  3. Re:Question by tecie · · Score: 4, Insightful

    Extremely important. Nobody looks good when their information is hacked. The main difference between the government and a corporation is a corporation can lose customers and die rather quickly.

  4. Important by MathFox · · Score: 3, Insightful

    Security is important: there's confidentiality that should be protected (think credit card numbers and other ID theft); systems should be available (downtime of a webshop or adserver costs revenue); but most important, integrity of systems and data should be OK. Consider what happens when people break into a bank and start transferring money from random accounts. (People defacing webservers are small fry in this category.)

    --
    extern warranty;
    main()
    {
    (void)warranty;
    }

  5. and in the spirit of computer security... by 192939495969798999 · · Score: 4, Funny

    can we expect to see the answer keys posted to about 100 .ru sites in a week?

    --
    stuff |

  6. There is no language named C/C++ ! by chrism238 · · Score: 3, Insightful

    How long will it take employers, head-hunters, and even some technical people, to realise this?

    1. Re:There is no language named C/C++ ! by happyfrogcow · · Score: 2, Funny

      That depends. How long will it take forum posters to realize that "/" is often used as abbreviation for "and" and "or"?

      I've been wondering the same thing here on AndDot for some time now. Or is that OrDot?

    2. Re:There is no language named C/C++ ! by Anonymous+Brave+Guy · · Score: 2, Informative

      It is ironic that the parent post is modded off-topic. If you read the C and C++ newsgroups, you will soon discover that many regulars dislike the term "C/C++". It is ambiguous, and often used (deliberately or inadvertently) by those who don't understand the differences between the languages to hide their lack of knowledge.

      The SANS sample test here is guilty of exactly that crime, demonstrating a fundamental lack of understanding of the differences between how you program in C and how you do it in C++ if you want to write software as secure as possible. Thus the term "C/C++" carries its usual significance to those in the on-line C and C++ communities: it is a warning flag that the person using it probably doesn't know what they're talking about.

      And why would we value any qualification awarded by a group who don't know what they're talking about?

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.

  7. The Slow Move Toward Software Assurance by Coryoth · · Score: 2, Insightful

    Slowly, but surely, security of software is becoming more of an issue. That doesn't mean writing perfectly secure software -- but it does mean closing up some of the glaring holes. As this article points out, a ridiculously large amount of security flaws in web applications come down to failing to do very basic things like adequate input validation/filtering, which leaves you open to SQL injection, XSS attacks and all manner of other nastiness. Expecting perfect code for simple things like web apps is unreasonable. On the other hand, if we can educate more programmers on basic techniques for handling these very common sorts of errors then things will undoubtedly improve significantly on the security front. Ultimately we are moving toward software assurance, where developers provide certain assurances about their software to let clients know what they can expect. It's not a matter of assuring perfection, it's being able to state clearly what aspects you can be confident of. Being able to say that all user input gets filtered through a specific validation and filtering function, for instance, is an example of assurance. That doesn't mean the filtering function is perfect, but guaranteeing that all input goes through it is a start - if you want to provide assurance of stronger security then you might provide assurances as to what types of attacks the filtering function will prevent, and so on. As security becomes more important, providing such assurance offers in contracts will be increasingly valuable.

  8. Not impressed by Anonymous Coward · · Score: 5, Interesting

    I took the sample "C/C++" exam, making a point to respond quickly and not to consult any references (something I'd never do when actually programming) and I have to say I was singularly unimpressed. The emphasis wasn't on trying to teach good programming practices but rather on trying to fool the person taking the exam with tricky questions that have little if any relevance in actual programming.

    For example, one question was basically making the point that sizeof is a compile time thing that cannot be used to, say, determine the size of a string buffer passed through a char * parameter. But rather than present the question in a straightforward fashion, they had this business of dividing one sizeof value by another - completely unnecessary and confusing. I got the question right but I could just as easily have missed it because of the unnecessary complexity and still understood the underlying concept.

    One I did miss (I got 8 out of 10 right, I think) was one about how to declare a pointer to an array of constant strings. The question was phrased so awkwardly that I got confused as to what they actually wanted and gave the wrong answer even though I know how to get the effect they want.

    I was also unimpressed that there was no feedback given as to why a given answer was correct or incorrect. No feedback is arguably fine if the intent is purely to assess skill levels, but the stated intent is that this "will help programmers learn what they don't know". You can't do that unless you also explain why a given answer is wrong. Perhaps this is merely an artifact of the sample exams, but if so the samples aren't very interesting.

    If this sample exam is in any way representative I think there's a lot more work to be done before this will actually be useful.
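    The sizeof point raised in the comment above, worked through as an added example (not part of the original post or of the SANS exam): sizeof on a char * parameter reports the pointer's own size, so the buffer length has to be passed explicitly; copy_bounded is a constructed helper that does exactly that and reports truncation.

```c
#include <stddef.h>
#include <string.h>

/* sizeof applied to a pointer parameter is the size of the pointer itself
 * (4 or 8 on common platforms), never the size of the buffer it points at. */
size_t sizeof_through_pointer(const char *buf) {
    (void)buf;
    return sizeof(buf);
}

/* In the scope where the array is declared, sizeof gives the real size. */
size_t sizeof_of_local_array(void) {
    char buf[64];
    return sizeof(buf);
}

/* The sizeof(x)/sizeof(x[0]) element-count idiom is only valid on a true
 * array; on a pointer it silently yields pointer-size / element-size. */
size_t element_count(void) {
    static const char *const allowed[] = {"GET", "HEAD", "POST"};
    return sizeof(allowed) / sizeof(allowed[0]);
}

/* Defensive pattern: the caller, who knows the buffer, passes its size.
 * Copies at most dst_len-1 bytes, always NUL-terminates, returns 1 on
 * truncation (the caller can then reject the input instead of ignoring it). */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n;
    if (dst_len == 0) return 1;
    n = strlen(src);
    if (n >= dst_len) {
        memcpy(dst, src, dst_len - 1);
        dst[dst_len - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Constructed input: a 10-character string into an 8-byte buffer. */
int demo_truncation(void) {
    char small[8];
    return copy_bounded(small, sizeof(small), "0123456789");
}
```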

  9. If security catches on by HomelessInLaJolla · · Score: 2, Insightful

    We may start to see where zero day exploits really originate (implication: within the mother company). We may begin to see how much personal information is truly being gathered (implication: as much as possible). We may realize how long illegal domestic wiretaps have really been going on (implication: at least as long as the technology has been available).

    In all actuality I see a certification like this to be good at heart to begin with but, given another five years, it will become a method to ensure that programmers only make mistakes in predictable ways--and then everything will proceed as it currently is.

    --
    the NPG electrode was replaced with carbon blac