ECommerceTimes.com

SANS to Offer Certification for Security Software Programmers


New standardized examinations introduced Monday by the SANS Institute provide programming professionals with a focused approach to identify the gaps in their secure coding skills and knowledge. The examinations also will enable employers to increase their competitive advantage by employing programming professionals who have successfully demonstrated their technical secure programming skills.


A coalition of major technology users and vendors organized by the SANS Institute announced Monday what it called a first-of-its-kind testing and certification program for software programmers.

The new examinations are designed to enable reliable measurements of technical proficiency and expertise in identifying and correcting the common programming errors that lead to security vulnerabilities, according to the SANS Institute.

"A major revolution in software coding is needed," Alan Paller, director of research for the SANS Institute, told TechNewsWorld and other participants in a telephone press conference from Washington, D.C.

The first pilot test for a select group of 100 will be held on Aug. 15 in Washington, D.C., he said. Additional tests will be administered through the remainder of 2007.

"Organized crime groups have turned their attention to computer-based crimes and are increasingly attacking weaknesses in applications, raising the value of secure coding skills. This assessment and certification program will help programmers learn what they don't know and help organizations identify programmers who have solid security skills," said Paller.

The right skills will enable programmers to reduce the security risks caused by cyberattacks. "The certification will allow security-aware programmers to stand out in an increasingly competitive marketplace," he said.

Testing Parameters

The test will cover coding skills in four programming languages: C/C++, Java/J2EE, Perl/PHP and .NET/ASP.

The test will be written in a way that will prevent programmers taking it from finding the answers in a book, according to Paller. Three separate reviewers must approve each question before it is used on the exam.

Participating colleges and universities will proctor the exams. The results will be issued with both a pass/fail designation as well as the actual score achieved. Three different test versions will be used to prevent question leakage, Paller noted.

"Some questions are very hard, so getting a high score gives bragging rights," said Paller. "The test will serve as a blueprint so that every college and university in the world that teaches programming will have the same rules."

The tests will be designed to measure programmers' skills in avoiding three types of coding errors. The first is failing to check that parameters are valid. The second is code that allows buffer overflows.

The third is failing to check for integer values a user could supply that the program itself cannot handle. That third coding error is a major factor in enabling adware and spyware installations.
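The three error classes above often appear together in one function: an unchecked parameter feeds an integer multiplication that wraps, and the wrapped size then passes a naive bounds test and overflows the buffer. The following is an added example, not code from the article or from SANS; copy_records and demo are hypothetical helpers showing the three checks in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Result codes so the caller can tell which of the three checks failed. */
enum copy_status { COPY_OK = 0, COPY_BAD_PARAM = 1, COPY_INT_OVERFLOW = 2, COPY_TOO_LONG = 3 };

/* Copy 'count' records of 'rec_size' bytes from src into a fixed buffer dst.
 * Hypothetical hardened helper that applies all three checks the article names:
 * parameter validation, integer overflow, and buffer bounds. */
enum copy_status copy_records(unsigned char *dst, size_t dst_size,
                              const unsigned char *src, size_t src_size,
                              size_t count, size_t rec_size)
{
    /* 1. Parameter check: reject NULL pointers and zero-sized records. */
    if (dst == NULL || src == NULL || rec_size == 0)
        return COPY_BAD_PARAM;

    /* 2. Integer check: count * rec_size can wrap to a small value
     *    (on 32-bit, 0x40000001 * 4 wraps to 4) and pass a naive size test,
     *    so test the multiplication before performing it. */
    if (count > SIZE_MAX / rec_size)
        return COPY_INT_OVERFLOW;
    size_t total = count * rec_size;

    /* 3. Bounds check: the byte count must fit both source and destination. */
    if (total > src_size || total > dst_size)
        return COPY_TOO_LONG;

    memcpy(dst, src, total);
    return COPY_OK;
}

/* Constructed demo input: a 32-byte source (plus terminator). */
static const unsigned char demo_src[33] = "0123456789abcdef0123456789abcdef";

/* Run one scenario against a 16-byte destination; returns the status code. */
enum copy_status demo(size_t count, size_t rec_size)
{
    unsigned char dst[16];
    return copy_records(dst, sizeof dst, demo_src, 32, count, rec_size);
}
```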

Looking for Holes

The examinations provide programming professionals with a focused approach to identify the gaps in their secure coding skills and knowledge, explained the SANS Institute.

In addition, the examinations will enable employers to increase their competitive advantage by employing programming professionals who have successfully demonstrated their technical secure programming skills via certification.

A review of more than 7,000 security vulnerabilities in 2006 alone revealed that most of them could be found very easily using techniques that require very little expertise, according to MITRE's Steve Christey, editor of the CVE program that monitors all security vulnerabilities on behalf of the federal government. He said that assessment justifies the need for the programmer certification program.

"In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining and, finally, acceptance," he said.

Better Solutions Sought

Seventy percent of all Web sites have cross-site scripting vulnerabilities, stated Michael Sutton, security evangelist at SPI Dynamics.

Attackers carry out cross-site scripting through the forms on a Web site that users fill in with personal information; input submitted through such a form can be used to smuggle in malicious JavaScript code.

"We have to involve others in the software development life cycle in order to solve this problem," said Sutton.

Security experts participating in the SANS Institute conference said they supported the efforts to establish tough programmer testing and certifications.

"There is nothing better for us than educated developers," said Brian Chess, chief scientist at security firm Fortify Software. "Even good spellers should use a spell checker when they write," he added in explaining the need for programmers to use basic tools to ensure the accuracy of their coding.

Innovative Action

The programmer testing and certification program spearheaded by the SANS Institute has great potential but must first be proven effective, Paller warned.

Nobody has yet committed to accepting the certification until they know it is good, he stressed. However, 320 organizations such as universities and colleges that teach programming said they will use it, he added.

"No one else is testing and certifying coding skills with the approach we are proposing. But some 15 to 20 companies are already doing their own testing [of programmers they hire]," he explained. "But no one is doing certifying of programming skills in coding."

By Jack M. Germain