DrDobbs Portal Blog: Secure Code Certification Project Announced
EDITOR'S EYE

The World of Software Development.

by Jon Erickson
March 26, 2007

Secure Code Certification Project Announced

A coalition of technology users and vendors has announced what it claims is the first skills assessment and certification examinations for software developers to test their secure coding skills, find the gaps, and, if they choose, gain GIAC Secure Software Programmer (GSSP) status.

Organized by the SANS Institute, the Secure Programming Skills Assessment project tests secure coding skills in C/C++, Java/J2EE, Perl/PHP, and .NET/ASP. The tests are designed to enable reliable measurements of technical proficiency and expertise in identifying and correcting the common programming errors that lead to security vulnerabilities.

The project has six specific goals:

  • Let employers rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
  • Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.
  • Let programmers identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
  • Let employers evaluate job candidates and potential consultants on their secure programming skills and knowledge.
  • Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
  • Provide reporting to let individuals and organizations compare their skills against others in their industry, with similar education or experience or in similar regions around the world.

The exams will be administered in August in Washington DC on a pilot basis, then will roll out worldwide through the remainder of 2007.

Study guides and practice tests are available at the project web site. If you're involved in writing secure code, this is a project you ought to take a look at.

Posted by Jon Erickson at 04:03 PM
