Last week, I grumbled over the fact that a student can graduate with a Computer Science or Software Engineering degree having had zero exposure to software security. Huh? Doesn’t our society and business literally run on software?

We have plenty of decent (not fantastic, but decent) standards and guidelines on which to build a certification program that can plug the application security hole at universities; in fact, most of the standards (from NIST, DHS, MS SDL, OWASP, etc.) could lend themselves to several programs, organized by either role or “project” (to borrow the OWASP lingo).

We need to accept that (ISC)^2’s attempt at replicating CISSP for software with CSSLP is a failure. The test is a joke and the training/prep content overlaps with CISSP to a frightening level, watering down the value of CSSLP and, frankly, endangering the sanctity of CISSP in the process.

We need an organization to step up and sponsor an AppSec Cert program. Successful certification programs need three critical elements:

  1. A sponsor that has market reach/penetration;
  2. A body of content against which to construct training and exams; and,
  3. The infrastructure from which to deliver and support the program.

OWASP could sponsor this. So could Microsoft or IBM – they own the lion’s share of the software development market (and don’t they each have a bunch of cert programs already?). An independent org like (ISC)^2 won’t be successful without a sponsor, IMO. Finally, the infrastructure for such a program is key. What the PCI Security Standards Council has done with their QSA and PA-QSA audit certifications is a great model – and now they are moving the programs to eLearning for scale and efficiency. Amazingly, this group has got it right and is a model for us to follow in the AppSec world at large.

Who will be the organization to take a risk (albeit small) to sponsor a program that could have global impact on the single biggest problem area facing IT Security – the software level?

At minimum, let’s get development teams the basic knowledge they need to put up some kind of defense against hackers. Microsoft provides a ton of free guidance on their Security Development Lifecycle (SDL). Also, you can check out some of our free eLearning modules at http://elearning.securityinnovation.com.