Programmers get their own 'code'
- By Wilson P. Dizard III
- Nov 15, 2007
As hackers and government-sponsored computer attacks increasingly target vulnerable Web applications, rather than the world's much-hardened operating systems, the managers of application security programs within large enterprises have unveiled the first of a planned series of guides to establish a minimum standard of care for secure online programming.
The 'Essential Skills Series' issued by the Secure Programming Council is a sign of intense interest on the part of software consumers and producers in ensuring that their programmers avoid mistakes that hackers and online national espionage agencies can exploit to steal information and money, extort funds from enterprises, appropriate and sell personal identifying information, and cause other harm.
The council, which relies on the cooperation of 40 enterprises' application security groups, today unveiled its first draft consensus document, titled Essential Skills for Secure Programmers Using Java/J2EE. The council plans to seek comments on the draft and incorporate them as appropriate.
The council stated that work is already under way on similar documents that will cover C, the .NET languages, PHP and Perl.
The documents are designed to help their users 'ensure that the people who write their applications, whether in-house, outsourced or at commercial software companies, can demonstrate that they have mastered secure programming. When combined with an effective secure development life cycle, such skills can be enormously valuable in making applications that can be trusted.'
The document is organized by the security-related tasks that programmers perform regularly, because, the council said, knowledge and skills are essential only in the context of the tasks that programmers must complete.
The council also has helped create a group of tests to measure programmers' understanding of the essential skills, and plans to administer tests in London on Dec. 5 and in Washington on Dec. 12. The test series will be extended to 15 other cities in the United States and Europe over the next eight months.
'Parallel examinations are also available for online administration inside large organizations,' the council said.
More information about the tests is available at www.sans.org/gssp.
The leaders of many major organizations have called for comparable methods to identify programmers who use good security practices, as well as secure online applications. But sources in the software community have said the drive for education on secure application software practices was delayed by universities' resistance to incorporating the topics in their curricula.