This fall, the center will begin rolling out its first-ever exams designed to test the security skill sets of those responsible for building software, particularly web applications. The four exams will each cover a specific programming language suite: C/C++, Java/J2EE, Perl/PHP and .NET/ASP.
But the real goal of the initiative, known as the SANS Software Security Institute, is to encourage colleges to include secure code development as part of their curriculum, says Alan Paller, SANS’ director of research. SANS has no plans to offer exam-specific courses, he says, so test-takers should rely on instruction through higher education or commercial training facilities, such as Security University, which has been offering secure coding classes for seven years.
“This is the first time we’ve ever offered a certification where we don’t have a course,” he says. “People should teach this stuff in-house or at colleges. There’s 1.5 million people who need to get up to speed quickly.”
Traditionally, the main job requirement for programmers is to push out applications, not to worry about security risks, experts say. But this mindset could lead to crippled networks and valuable information disclosure, they warn.
“We’re finding that the [security] process is falling down when it comes to the application layer,” says Michael Sutton, security evangelist at SPI Dynamics, who is helping SANS to create the 90-question exams.
Becky Thurmond Fowler, systems security analyst of IT at the University of Missouri in Columbia, says her department is anxious to assist professors to include secure programming instruction in their courses. She is also helping to write test questions for SANS.
Industry experts say that if it is successful, it not only will take some of the burden off the security team inside companies, but also lead to assurance and trust among buyers.
“I think the developers have simply not been taught about security,” Sutton says. “I think they’re anxious to learn.”
— Dan Kaplan