The movement to create secure software received a boost with the launch of a new certification from (ISC)2, a nonprofit leader in educating and certifying information security professionals.
The certification, called the Certified Secure Software Lifecycle Professional (CSSLP), is designed to validate secure software development practices and build expertise to address the increasing number of application vulnerabilities.
The certification program takes a holistic approach to software security. It is code-language neutral, and applicable to anyone involved in software lifecycles. It's designed for non-technical staffers such as software architects, project managers, analysts, quality assurance testers, etc., to help eliminate code vulnerable to hacker attacks.
In a statement, Howard Schmidt, security strategist for (ISC)2, said: "All too often, security is bolted on at the end of the software lifecycle as a response to a threat or after an exposure. New applications that lack basic security controls are being developed every day, and thousands of existing vulnerabilities are being ignored."
"The CSSLP will be a key component in better critical infrastructure protection, reducing the risk of software malpractice suits and enabling stricter adherence to industry and government regulations," added W. Hord Tipton, executive director for (ISC)2.
Subject areas covered by the CSSLP exam include the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance.
The seven domains of the CSSLP compendium of secure software topics are:
- Secure Software Concepts
- Secure Software Requirements
- Secure Software Design
- Secure Software Implementation/Coding
- Secure Software Testing
- Software Acceptance
- Software Deployment, Operations, Maintenance and Disposal
The first CSSLP exam is scheduled for the end of June in 2009.