I found a very encouraging announcement today:
SANS has created the new Software Security Institute (SSI) (link) which is a exam program designed to ensure that software programmers demonstrate proper security techniques when writing code.
Here are the project goals:
- Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
- Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.
- Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
- Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.
- Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
- Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.
I have been looking for something like this for quite some time. There have been several options available for certification in network security, but as far as I know, no certifications were available for software security. This is great news!
The first set of tests will be delivered in Washington, DC in August, and then much wider after that through 2007. At the moment, they have tests for the disciplines of C and C++, Java and J2EE, and plan for Perl and PHP, .NET and ASP.NET.
See more information about the program and press releases here.