For years everyone from Mary Ann Davidson (CSO or Oracle) to OWASP to DHS (in their “Build Security In” initiative with SEI) have been bemoaning the fact that our universities do not adequately train software engineering and computer science students on secure coding practices (and in most cases not at all.) Even I have written and presented on the topic, calling for better training and awareness and complaining that industry shouldn’t have to bear the burden of educating software engineers on security. Well, I was wrong.
There are a few universities who are now starting to include security courses in their degree or certificate programs; however, that will take a very long time to propagate throughout industry and the penetration of such courses is still very small. Mary Ann Davidson even offered to give preferential hiring treatment at Oracle to schools who demonstrated security training as part of their Computer Science and Software Engineer programs -- and got a pathetically weak response. Go figure.
I have never been a big fan of personal certifications; however, it is a model that works. Individuals like to own them, and companies like to hire employees who possess them. Cisco’s certifications for networking professionals and the now seemingly omnipresent CISSP ensures at least a minimum level of expertise in security disciplines. However, we still lack a practical and meaningful certification for anything related to application security.
Let me chew on this on a bit and get back to you when I have more concrete thoughts on remediation.