
Software developers to get a standardized security test

By Dawn Kawamoto, CNET News.com
Friday, December 14, 2007 12:35 PM

Test is designed to help organizations ensure that their programmers have sufficient knowledge about wrapping security into software applications.

A standardized test of programmers' knowledge of secure programming may soon be coming their way.

The Secure Programming Council unveiled Tuesday a proposed standard for companies to test their software developers' knowledge of secure programming. The aim is to create a situation in which companies can ensure that their developers, whether in-house or outsourced, have a base level of knowledge about wrapping security into software applications.

The council is rolling out its "Essential Skills for Secure Programmers Using Java/JavaEE" (PDF), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as for .Net, PHP, and Perl.

The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days.

Some of the proposed areas of testing include data handling, authentication, session management, and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, and then disseminate it. The programmers would also need to be familiar with such malicious-attack scenarios as cross-site scripting and SQL injection.
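The data-handling task described above, as an added Java example that is not part of the article or of the council's standard: allow-list validation of the input, the concatenated query the test expects programmers to recognise beside a parameterised one, and HTML encoding before the value reaches a browser. The JDBC Connection passed to lookupEmail and the users table it queries are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added, constructed example of the "data handling" task: read, validate, then disseminate safely.
public class DataHandlingDemo {
    // Allow-list: 3-32 characters of letters, digits, dot, underscore or hyphen.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{3,32}$");

    // Step 1 (validate): reject anything outside the allow-list outright.
    public static String validateUsername(String raw) {
        if (raw == null || !USERNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        return raw;
    }

    // The pattern the test expects programmers to recognise: concatenating input
    // into SQL lets it change the query structure (SQL injection).
    public static String unsafeQuery(String username) {
        return "SELECT email FROM users WHERE name = '" + username + "'";
    }

    // Step 2 (disseminate to the database): a parameterised query keeps the input
    // as data even if validation were bypassed. Needs a JDBC Connection (assumed).
    public static String lookupEmail(Connection conn, String username) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement("SELECT email FROM users WHERE name = ?")) {
            ps.setString(1, validateUsername(username));
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("email") : null;
            }
        }
    }

    // Step 3 (disseminate to a browser): encode for the HTML context so the value
    // cannot inject markup (cross-site scripting). '&' must be replaced first.
    public static String htmlEncode(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#x27;");
    }

    public static void main(String[] args) {
        String bad = "x' OR '1'='1";                       // constructed hostile input
        System.out.println(unsafeQuery(bad));              // structure of the SQL is altered
        try { validateUsername(bad); } catch (IllegalArgumentException e) { System.out.println("rejected: " + bad); }
        System.out.println(htmlEncode("<b>" + bad + "</b>"));
    }
}
```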

The skill testing is designed to not only ask developers whether they know what encryption is but whether they understand the differences between PKI encryption and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council's Java and JavaEE steering committee.

More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.

"One large financial institution has told its developers that they had to pass the test by August 1, or they won't touch a line of code," Paller said. "The financial industry is taking the lead because they have the most to lose."

SANS will administer the tests, which are scheduled to begin Dec. 5 in London and continue for the next eight months in cities throughout the United States and Europe.

The tests will cost between US$50 and US$450 for participants ranging from students to employees of large corporations.

This article was originally a blog post on CNET News.com.
