The Secure Programming Council unveiled a proposed standard for companies to test their software developer’s knowledge of secure programming. The aim is to create a situation in which companies can ensure that their developers, whether in-house or outsourced, have a base
level of knowledge about wrapping security into software applications.
The council is rolling out its “Essential Skills for Secure Programmers Using Java/JavaEE” (pdf), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as languages .Net, PHP, and PERL.
The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days. Some of the proposed areas of testing will include data handling, authentication, and session management and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, then disseminate it. The programmers would also need to be familiar with such malicious-attack scenarios as cross-site scripting and SQL injections.
The skill testing is designed to not only ask developers whether they know what encryption is but whether they understand the differences between PKI encryption and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council’s Java and JavaEE steering committee.
More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.
“One large financial institution has told its developers that they had to pass the test by August 1, or they won’t touch a line of code,” Paller said. “The financial industry is taking the lead because they have the most to lose.”
SANS will administer the tests, which are scheduled to begin on December 5 in London and continue for the next eight months in cities through out the United States and Europe. Where the admission fee will be between $50 and $450, for participants ranging from students to employees of large corporations.
I must say that I can only applaud such an effort. Security shouldn’t be considered a “nice-to-have”, but a “must-have” within the development cylcle.
Check out GSSP @ Sans