Coalition Aims To Nip Software Bugs In The Bud

A group of security professionals and software manufacturers is teaming up to focus on programmers writing secure code and nixing bugs before they ever make it in.

The SANS Institute is teaming up with security industry heavyweights to stop the proliferation of software bugs at the source -- the code.

The coalition of security professionals, software manufacturers, non-profit groups, and the SANS Software Security Institute are offering the first skills assessment and certification exams to test programmers on their secure coding skills. If they pass their exams, the programmers could earn GIAC Secure Software Programmer status.

There will be four examinations, according to a release from the SANS Institute. Each test will cover a specific programming language suite: C/C++, Java/J2EE, Perl/PHP, and .NET/ASP. All four are designed to measure technical proficiency in identifying and correcting the common programming errors that lead to security vulnerabilities. SANS announced that the exams will be administered in August in Washington, D.C., as a pilot program, and will then roll out worldwide through the rest of the year.

"Organized crime groups have turned their attention to computer-based crimes and are increasingly attacking weaknesses in applications, raising the value of secure coding skills," said Alan Paller, director of research at the SANS Institute, in a written statement. "This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills. With the right skills, programmers can reduce the risk of losses caused by cyber attacks, and the certification will allow security-aware programmers to stand out in an increasingly competitive marketplace."

Steve Christey, editor of the CVE program at MITRE Corp., a not-for-profit IT research and development center, said that when it comes to security, the software industry is in a sorry state of affairs.

"After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear," said Christey in a written statement. "Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance."

He added that most colleges and universities don't teach programmers how to write secure code.

"There needs to be a revolution," he said. "Secure programming examinations will help everyone draw the line in the sand, to say 'No more,' and to set minimum expectations for the everyday developer."

The coalition includes Symantec Corp., Juniper, Siemens, Tata Group, Fortify Software, Tipping Point and Virginia Tech.
