I found a very encouraging announcement today:
SANS has created the new Software Security Institute (SSI) (link) which is a exam program designed to ensure that software programmers demonstrate proper security techniques when writing code.
Here are the project goals:
- Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
- Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.
- Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
- Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.
- Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
- Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.
I have been looking for something like this for quite some time. There have been several options available for certification in network security, but as far as I know, no certifications were available for software security. This is great news!
The first set of tests will be delivered in Washington, DC in August, and then much wider after that through 2007. At the moment, they have tests for the disciplines of C and C++, Java and J2EE, and plan for Perl and PHP, .NET and ASP.NET.
See more information about the program and press releases here.
Along with the great agile bloggers at CodeBetter.com, you should take a look at three of the best agile developers/architects I know at ThoughtShapes.com. All three: Rob, Steve, and Rjae, have been presenting an in-depth look at Test Driven Development (TDD) and Domain Driven Design (DDD) at the study group I lead each month: Boston .NET Architecture Study Group. The first two months were on how to get started with TDD and testing the UI. They will be covering how to test the database access calls without a database over the next one or two sessions. The sessions have been inspiring, educational, and incredibly well done.
So, add these guys to your blog roll -- you will be glad you did. Some examples of their latest posts:
I will be speaking this weekend, March 31-April 1, at the New England Code Camp 7: Deer in Headlights located at the Microsoft, Waltham, MA offices. I have two topics this time:
- How to Perform a Secure Code Review
- Protecting Data with SQL Server 2005
There are still some registration space left. Check out the community site
for more information.
I will be speaking tomorrow night on "Threat Modeling for Web Applications" at the Western Mass .NET User Group
meeting in Easthampton, MA. The meeting is March 6 at 6:00 pm. Here
is more information on the abstract and directions to the meeting.