Yesterday, Security Innovation and the University of Central Florida launched a seriously groundbreaking certification program through UCF’s division of Continuing Education: the Secure Software Development Certificate Program (SSD). Why is this so cool?
Well, for one, UCF (which happens to be the second-largest university in the US) selected our TeamProfessor computer-based training courses as the content provider for their new program. More than that, this is the first-of-its-kind program that will certify professionals and students as having competency in secure software development – from a highly accredited university.
As a discipline within the larger IT Security industry, application security hasn’t been at the forefront of attention from the security community. Organizations often opt to look toward endpoints and network components as a basis for their security model, if they have one.
But in a recent study we commissioned with the Ponemon Institute that compared results between security professionals and developers side by side, we found that over half (51%) of developers and over half (51%) of security personnel in enterprise organizations have no training in application security. This means there is a lack of communication between dev and security teams, but more to the point, it means organizations aren’t placing an emphasis on building security into their software apps and that there’s a lack of knowledge in HOW to do it.
At RSA a few weeks back, I attended a panel hosted by Forrester’s Chenxi Wang, who recounted a survey Forrester executed that went like this: For every dollar organizations are spending on application security, they are spending $10 on network security. (See my last post.) The point isn’t to debate appsec vs. network sec. What is exciting about UCF’s recognition of the market is that it is starting to turn toward application security, and they understand that developers need to learn how to create secure code.
UCF is targeting professionals and students looking to improve their application security skills with 15 TeamProfessor courses featuring three levels of certification: Foundation, Advanced and Expert. So depending on how advanced a professional is in their development or security knowledge, they have options to go deep, or to stay at the fundamentals level.
Overall, this is a major milestone for UCF, for Security Innovation and for the industry as a whole. A year from now, I see the folks at UCF as being hailed by the industry for kick-starting this effort at the university level, and equipping folks with a targeted secure software development skills certification.