Expert backs new security certification for coders
September 26, 2008 — 
Hord Tipton has always been big on certification.

When he was CIO of the U.S. Department of the Interior, he required the CISSP (Certified Information Systems Security Professional) credential for critical security jobs, despite resistance from security experts who considered the examination too difficult. Since retiring from his government post two years ago, Tipton has remained as adamant about security certification as ever in his role at (ISC)2.

The International Information Systems Security Certification Consortium, better known as (ISC)2, is a not-for-profit organization that certifies information security professionals through vendor-neutral education products, services and credentials.

Tipton, (ISC)2's director, said the main keys to strong software security are good communication between the business and the coders, and good change control management. The coder should receive clear business logic so that he or she can choose the right security modules and objects to build into the application.

Software can also be improperly configured when it is deployed, which introduces flaws after the fact. Changes must be made by people trained in security, he said.

“Security must be baked in from the very beginning of the development process,” Tipton said. “I think we’re captured by the notion that security costs more if we build it in. (ISC)2 looks at it from the life-cycle approach that the total cost of the application should count the dollars spent on the beginning and on the end piece of it. Maintenance generally runs about 80% of the cost of any application to begin with, and if you leave a major piece out and don’t have anything to patch it, then serious things happen.”

Tipton cited an IBM Systems Sciences Institute study which found that, relative to the cost of fixing a defect during design, fixing it during the software testing phase can cost up to 15 times more, and fixing it during maintenance and operations up to 100 times more. If security is not implemented from the beginning of the life cycle, vulnerabilities are more likely to be exploited and costs will rise, he said.

One of the main obstacles to "baking in" security across the software development life cycle is what Tipton called a cultural issue: a rift between programmers and security experts. Programmers may have set ways of creating software, and those ways may not be in line with what the business is seeking.

“Change is disruption, and programmers are quite comfortable once they have a set routine by which they develop code,” Tipton said. He added that it might take a bit of convincing to change the programmer’s method.

To narrow this gap between programmers and the business side, (ISC)2 has created the Certified Secure Software Lifecycle Professional (CSSLP) certification, which will consist of an examination on security in software requirements, design, implementation, testing and the other phases of the software life cycle. The purpose of the credential is to "practice what we preach" by building security in on the front end of software development, Tipton said. Although the industry has improved considerably, with more security training for coders and developers, security across the application life cycle still needs more emphasis. Tipton said developers should be involved in security implementation from the requirements and design phases through to deployment.

“To better protect customers from evolving threats, the software community must come together and incorporate security earlier in the software development life cycle,” said Steven Lipner, Microsoft’s senior director of security engineering strategy. “Microsoft strongly supports industry efforts to train and certify developers in security, especially those in organizations with limited resources. Along with executive commitment, tooling and state-of-the-art processes, certification and training are critical parts of secure development.”

The first CSSLP exam is scheduled for the end of June 2009, and applications to participate in the assessment will be accepted through March 31, 2009.


Share this link: http://www.sdtimes.com/link/32912