November 21, 2007 10:28 AM PST

Software developers to get a standardized security test

by Dawn Kawamoto

Software developers, sharpen those No. 2 pencils. A standardized test on your knowledge of secure programming may soon be coming your way.

The Secure Programming Council unveiled Tuesday a proposed standard for companies to test their software developers' knowledge of secure programming. The aim is to create a situation in which companies can ensure that their developers, whether in-house or outsourced, have a base level of knowledge about wrapping security into software applications.

The council is rolling out its "Essential Skills for Secure Programmers Using Java/JavaEE" (PDF), the first of six standards initiatives. It plans to later add skills tests for C and C++, as well as for .NET, PHP, and Perl.

The council is opening up the Java/JavaEE proposed standard for public comment via e-mail over the next 60 days.

Some of the proposed areas of testing will include data handling, authentication, session management, and access control. For example, under the data handling task, Java programmers must be able to write programs that read input from interfaces, properly validate the data, then disseminate it. The programmers would also need to be familiar with such malicious-attack scenarios as cross-site scripting and SQL injection.
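What the data-handling task describes, as an added example written for this page (it is not code from the article or from the Secure Programming Council's document): input is read, checked against a whitelist, used in a parameterised query, and encoded before being echoed into HTML. The `accounts` table, the account-identifier pattern, and the externally supplied JDBC `Connection` are assumptions for the illustration; the two attack strings are constructed.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

// Added example, not from the article or the council's standard: the
// "read input, validate it, then disseminate it" sequence, with the two
// attack classes the article names (SQL injection, cross-site scripting).
public final class DataHandling {

    // Whitelist: an account identifier is 1..32 letters, digits or underscores.
    // The pattern and the length bound are assumptions for this example.
    private static final Pattern ACCOUNT_ID = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    // Steps 1 and 2: read untrusted input and validate it against the whitelist.
    public static String validateAccountId(String raw) {
        if (raw == null || !ACCOUNT_ID.matcher(raw).matches()) {
            throw new IllegalArgumentException("invalid account id");
        }
        return raw;
    }

    // VULNERABLE: string concatenation lets an input such as x' OR '1'='1
    // become part of the SQL grammar and rewrite the WHERE clause.
    public static String vulnerableQuery(String accountId) {
        return "SELECT balance FROM accounts WHERE id = '" + accountId + "'";
    }

    // HARDENED: the value is bound as a parameter, so the database never
    // parses it as SQL; validation still runs first so garbage is rejected
    // early. The "accounts" table is assumed for the example.
    public static Long lookupBalance(Connection db, String accountId) throws SQLException {
        String id = validateAccountId(accountId);
        try (PreparedStatement ps =
                     db.prepareStatement("SELECT balance FROM accounts WHERE id = ?")) {
            ps.setString(1, id);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong(1) : null;
            }
        }
    }

    // Step 3: disseminate. A value echoed into an HTML body is encoded so that
    // <script>alert(1)</script> renders as text rather than as markup.
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed attack inputs for the demonstration.
        String sqli = "x' OR '1'='1";
        String xss = "<script>alert(1)</script>";

        System.out.println(vulnerableQuery(sqli)); // the WHERE clause is now always true
        try {
            validateAccountId(sqli);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected by whitelist: " + sqli);
        }
        System.out.println(htmlEncode(xss));
    }
}
```

The encoding shown is for HTML body text only; a value placed in a JavaScript block, a URL, or a CSS context needs the encoder for that context, which is the kind of distinction a test of "disseminating" data safely would be expected to probe.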

The skill testing is designed to not only ask developers whether they know what encryption is but whether they understand the differences between PKI encryption and other forms of encryption, said Ryan Berg, co-founder of Ounce Labs and a member of the Secure Programming Council's Java and JavaEE steering committee.

More than 40 companies, government agencies, and security firms have participated in helping to establish the standards, largely coming from the financial services, manufacturing, aerospace, military, and outsourcing industries, said Alan Paller, director of research at SANS Institute.

"One large financial institution has told its developers that they had to pass the test by August 1, or they won't touch a line of code," Paller said. "The financial industry is taking the lead because they have the most to lose."

SANS will administer the tests, which are scheduled to begin on December 5 in London and continue for the next eight months in cities throughout the United States and Europe.

The tests, which don't actually require a No. 2 pencil, cost between $50 and $450, for participants ranging from students to employees of large corporations.

Dawn Kawamoto covers enterprise security and financial news relating to technology for CNET News.
Start with the easy one...
by samkass November 21, 2007 12:44 PM PST
Since Java is by far the most secure language in common usage, it makes sense to start with that one. I expect the .NET/managed code one to be two or three times this size, and the C/C++ one to be about ten times this size (with an entire sub-test the size of the entire Java test just about input buffer handling).
Note to author...
by kenpm November 21, 2007 1:04 PM PST
.NET is a framework and runtime, not a language. C#, VB.NET, J#, IronPython are all examples of languages that use the .NET framework. Otherwise, these tests are a good idea. Most security concepts are not specific to any language though.
umm...
by dondarko November 21, 2007 4:47 PM PST
right...that will make security better.
would like to take it
by rnieves1977 November 21, 2007 7:28 PM PST
would like to take it to see what kinda questions it asks. There are all kinds of creative ways people come up with to compromise an app.
why EJB and JSPs?
by mmcgov November 22, 2007 3:45 AM PST
This is a good idea in principle, but surely the security principles can be separated from the specifics of EJB and JSP. What about mobile Java with J2ME or Android Dalvik? There is a large enterprise Java community that avoids EJB like the plague and there are many alternatives to EJB. Why would anyone learn these just to pass a security exam?


"familiarity with technologies like JSP Standard Tag Library (JSTL) and Enterprise Java Beans (EJB) output writing is also required." - from "Essential Skills for Secure Programmers Using Java/JavaEE"