Announced today at a meeting of federal CIOs and CISOs in Washington, D.C., the initiative will consist of four exams to test four programming language suites: C/C++, Java/JSP, Perl/PHP and .NET/ASP.
"It’s the first time we’ve ever offered a certification where we don’t have a course," said Alan Paller, director of research for the SANS Institute. "There are a million and a half people who need to get up to speed quickly."
Michael Sutton, security evangelist for SPI Dynamics, which has partnered with SANS on the undertaking, said security is an integral part of the entire software-development lifecycle.
But developers have received little security training.
"Historically, we’ve incentivised our developers on features and functionality and to get the application out on time," he said. "As a developer, why would I care about security? You told me my bonus payment relies on these things – and security wasn’t mentioned."
In all other instances, SANS first creates curriculum and classes to instruct professionals, who then take an exam to validate their skill levels and earn the appropriate credential.
In the case of secure software and application development, SANS officials worried there would be too many people to train, Paller said. That is why SANS officials hope the new tests catch on in the enterprise and encourage colleges to include secure coding practices in their curriculum.
"We did this as an incentive to put this in their required courses," he said.
So SANS tapped a number of security experts to collaborate and create the 90-question exams, which organizations can use to hire the most skilled personnel, Paller said.
"Everyone who deploys a web application, they want to make sure the people who wrote it know what they’re doing," he said.
The tests will be released in the fall.
SANS and SPI Dynamics also announced today a 40-city workshop tour – unrelated to the exams – to teach web application developers how to write more secure code.
"I think they’re (developers) anxious to learn," Sutton said.
US introduces certification for developers
By Dan Kaplan on Mar 27, 2007 12:05AM