Standard Security Test For Developers

Posted November 22, 2007 in Programming, Security

Quoting from the SANS web site:

The GIAC Secure Software Programmer (GSSP) Certification Exam was developed in a joint effort involving the SANS Institute, CERT/CC, several US government agencies, and leading companies in the US, Japan, India, and Germany. These exams are an essential response to the rapidly increasing number of targeted attacks that are focusing on application vulnerabilities.

So far, I can see a C exam (pdf) and a Java exam (pdf). There’s another version of the Java exam that also includes some additional background.

One slight surprise is that the Java version is only three pages, while the C version is ten pages. Part of it might be explained away by claiming that Java makes secure coding easier, hence less things to discuss. But I’m not sure that’s the whole story. Some sections of the C Exam are just more comprehensive, mentioning things like TOCTOU, replay and spoofing attacks, and hashing, that the Java exam doesn’t mention at all.

Anyway, I think it’s a very worthwhile effort and is bound to help improve security skills in programmers.

Most of the improvement though, should still come from better languages and better libraries. It’s just not feasible to raise the security skills of the majority of developers to the required level. Most of them struggle with the basics of the language, let alone learning security protocols.

[Via CodeProject Insider – Daily Developer News and]