03:22 PM

Coalition Aims To Nip Software Bugs In The Bud

A group of security professionals and software manufacturers is teaming up to focus on programmers writing secure code and nixing bugs before they ever make it in.

The SANS Institute is teaming up with security industry heavyweights to stop the proliferation of software bugs at the source -- the code.

The coalition of security professionals, software manufacturers, non-profit groups, and the SANS Software Security Institute are offering the first skills assessment and certification exams to test programmers on their secure coding skills. If they pass their exams, the programmers could earn GIAC Secure Software Programmer status.

There will be four examinations, according to a release from the SANS Institute. Each test will cover a specific programming language suite: C/C++, Java/J2EE, Perl/PHP, and .NET/ASP. All are designed to measure technical proficiency in identifying and correcting the common programming errors that lead to security vulnerabilities. SANS announced that the exams will be administered in August in Washington, D.C., as a pilot program, and will then roll out worldwide through the rest of the year.

"Organized crime groups have turned their attention to computer-based crimes and are increasingly attacking weaknesses in applications, raising the value of secure coding skills," said Alan Paller, director of research at the SANS Institute, in a written statement. "This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills. With the right skills, programmers can reduce the risk of losses caused by cyber attacks, and the certification will allow security-aware programmers to stand out in an increasingly competitive marketplace."

Steve Christey, editor of the CVE program at MITRE Corp., a not-for-profit IT research and development center, said that when it comes to security, the software industry is in a sorry state of affairs.

"After reviewing more than 7,000 vulnerabilities in 2006 alone, one thing becomes crystal clear," said Christey in a written statement. "Most of these vulnerabilities could be found very easily, using techniques that require very little expertise. In my CVE work, I regularly interact with vendors who are surprised to hear of vulnerabilities in their products. They react with the classic stages of shock, denial, anger, bargaining, and finally, acceptance."

He added that most colleges and universities don't teach programmers how to write secure code.

"There needs to be a revolution," he said. "Secure programming examinations will help everyone draw the line in the sand, to say 'No more,' and to set minimum expectations for the everyday developer."

The coalition includes Symantec Corp., Juniper, Siemens, Tata Group, Fortify Software, TippingPoint, and Virginia Tech.
