At the RSA Conference last week, I had the chance to sit down with 4 executive leaders from (ISC)2. During that meeting, I was educated to the fact that, according to (ISC)2 data, the CSSLP (Certified Secure Software Lifecycle Professional) certification is being adopted at an even quicker pace than the wildly successful and pervasive CISSP was at the same point in its lifecycle. (ISC)2 informed me that CISSP took “more than a decade” to reach the critical mass where it started to be universally recognized and adopted as an industry-wide standard.
CSSLP still suffers from a severe awareness challenge (I mentioned it to one of the most prominent security analysts in the industry and his response was, “What is that? Never heard of it.”); however, its objective, according to its shepherds, is to provide a baseline certification for software security professionals. I think it has a decent chance of succeeding given that objective. I’ve worked in the software industry for nearly 20 years and one thing I learned early on is that not all software professionals are the same – in fact, there are stark differences in skill set, responsibility, and domain knowledge needed between the various roles that contribute to software development and deployment, including but not limited to: Architect, Developer, QA/QE, Business Analyst, etc. A certification program that has contextual significance to each of these roles specifically would be a welcome change.
In similar conversations with the Microsoft SDL team and OWASP leaders, there seems to be universal agreement that a role-based certification for software security would be a good thing. Sure, there are differences of opinion in terms of explicit endorsement/sponsorship as well as how to measure and set an acceptable quality bar for each certification/qualification. But those are interesting problems to solve and will contribute to furthering the software “development” profession (development here encompasses all of the roles mentioned above).
Perhaps most promising of all is that the conversations between me (and other leaders at Security Innovation) and the executives responsible for (ISC)2, Microsoft SDL, and OWASP have been productive. Further, this is a path forward that didn’t seem to exist a mere 3 months ago. Where the path will take us remains to be seen; but watch this space – it will prove to be interesting as 2011 evolves.