Slashdot Mirror
Secure Programming Exams Launched
An anonymous reader writes "The SANS Software Security Institute, in conjunction with organizations such as Siemens, Symantec, Juniper, OWASP, and Virginia Tech, has announced a program for testing whether programmers know how to write secure code. The Secure Programming Skills Assessment is split into separate language families (C/C++, Java/J2EE, Perl/PHP, and ASP/.NET). Director of research Alan Paller says 'This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills.' The pilot exam will be held in Washington DC in August, followed by a global rollout."
If only programmers had time enough to evaluate the code they written, and every now and then to refactor some parts. Every coder with a tight schedule will write anything that gets the manager ready-to-production-rubber-stamp and, if it turns out that it has a vulnerability, by the time it gets discovered either it is up to the maintenance team to fix or a new version of the software will already be out, so no fix will be necessary.
Big. On schedule. Bugless. Pick 2.
Do some work for an a business involving online purchasing, and ask your client their opinion.
Extremely important.Nobody looks good when their information is hacked. The main difference between the government and a corporation is a corporation can lose customers and die rather quickly.
Security is important: there's confidentiality that should be protected (think credit card numbers and other ID theft); systems should be available (downtime of a webshop or adserver costs revenue) but most important integrety of systems and data should be OK. Consider what happens when people break into a bank and start transfering money from random accounts. (People defacing webservers are small fry in this category.)
extern warranty;
main()
{
(void)warranty;
}
can we expect to see the answer keys posted to about 100 .ru sites in a week?
stuff |
How long will it take employers, head-hunters, and even some technical people, to realise this?
I took the sample "C/C++" exam, making a point to respond quickly and not to consult any references (something I'd never do when actually programming) and I have to say I was singularly unimpressed. The emphasis wasn't on trying to teach good programming practices but rather on trying to fool the person taking the exam with tricky questions that have little if any relevance in actual programming.
For example, one question was basically making the point that sizeof is a compile time thing that cannot be used to, say, determine the size of a string buffer passed through a char * parameter. But rather than present the question in a straightforward fashion, they has this business of dividing one sizeof value by another - completely unnecessary and confusing. I got the question right but I could just as easily missed it because of the unnecessary complexity and still understood the underlying concept.
One I did miss (I got 8 out of 10 right, I think) was one about how to declare a pointer to a array of constant strings. The question was phrased so awkwardly that I got confused as to what theyactually wanted and gave the wrong answer even though I know how to get the effect they want.
I was also unimpressed that there was no feedback given as to why a given answer was correct or incorrect. No feedback is arguably fine if the intent is purely to assess skill levels, but the stated intent is that this "will help programmers learn what they don't know". You can't do that unless you also explain why a given answer is wrong. Perhaps this is merely an artifact of the sample exams, but if so the samples aren't very interesting.
If this sample exam is in any way representative I think there's a lot more work to be done before this will actually be useful.