Coalition Aims To Nip Software Bugs In The Bud

Mar 26, 2007 (11:03 AM EDT)

The SANS Institute is teaming up with security industry heavyweights to stop the proliferation of software bugs at the source -- the code.

The coalition of security professionals, software manufacturers, non-profit groups, and the SANS Software Security Institute are offering the first skills assessment and certification exams to test programmers on their secure coding skills. If they pass their exams, the programmers could earn GIAC Secure Software Programmer status.

There will be four examinations, according to a release from the SANS Institute. Each test will cover a specific programming language suite: C/C++, Java/J2EE, Perl/PHP and .NET/ASP. All are designed to measure technical proficiency in identifying and correcting the common programming errors that lead to security vulnerabilities. SANS announced that the exams will be administered in August in Washington, D.C. as a pilot program, and will then roll out worldwide through the rest of the year.

"Organized crime groups have turned their attention to computer-based crimes and are increasingly attacking weaknesses in applications, raising the value of secure coding skills," said Alan Paller, director of research at the SANS Institute, in a written statement. "This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills. With the right skills, programmers can reduce the risk of losses caused by cyber attacks, and the certification will allow security-aware programmers to stand out in an increasingly competitive marketplace."

Steve Christey, editor of the CVE program at MITRE Corp., a not-for-profit IT research and development center, said that when it comes to security, the software industry is in a sorry state of affairs.

"After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear," said Christey in a written statement. "Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance."

He added that most colleges and universities don't teach programmers how to write secure code.

"There needs to be a revolution," he said. "Secure programming examinations will help everyone draw the line in the sand, to say 'No more,' and to set minimum expectations for the everyday developer."

The coalition includes Symantec Corp., Juniper, Siemens, Tata Group, Fortify Software, TippingPoint and Virginia Tech.