This blog entry starts from a very simple question: “What does a programmer need to know about security in order to write more secure code?” I know that IT security is a very vast topic, but in my case I’m interested only in “application security”. My goal was to find some certifications that would teach me the basics of application security. You may wonder why I chose to look for certifications rather than “normal” trainings. I chose certifications because I supposed and hoped that they would provide an objective measure of knowledge, skills and abilities.
So here are the security certifications for programmers:
- Software Security Foundations Certificate from Stanford University. It consists of one course that can be taken online and takes 6 hours. The price is $495 USD. Participants must complete a final exam at the end of the course, consisting of a multiple-choice examination. In order to receive credit for the online course, you must pass the course exam with a score of 90% or higher. I think that this book, Foundations of Security: What Every Programmer Needs to Know, will give you a good overview of the course topics since it is written by one of the instructors.
- Advanced Computer Security Certificate from Stanford University. It consists of 6 courses: 3 required (Using Cryptography Correctly; Writing Secure Code; Security Protocols) and 3 elective (Computer Security Management – Recent Threats, Trends & the Law; Emerging Threats and Defenses; Securing Web Applications; Web Security 2.0: AJAX, Mashups, and Social Networking). Otherwise, the conditions are the same as for the Software Security Foundations Certificate.
What I like about these certifications is that they give you all the necessary information before you sit the exams, but on the other hand I was not convinced by the previews offered on the site.
- GIAC Secure Software Programmer. The GSSP certification exists in three flavors: GSSP-Java, GSSP-.NET and GSSP-C. The exam consists of 100 multiple-choice questions, is open book, has a 4-hour time limit, and the price is $899 USD. For GSSP-Java, the exam fee can be reduced to $499 USD if you register for the Secure Coding in Java/JEE: Developing Defensible Applications (Security 541) training. The certification must be renewed every 4 years.
What I like about GSSP is that there are different exams for different languages, since the security risks are not the same for all programming languages. What I don’t like (besides the price) is the lack of a study guide.
- Certified Secure Software Lifecycle Professional (CSSLP). The certification process is quite demanding: you must provide proof of four years in the Systems Development Life Cycle (SDLC) process, or 3 years plus a bachelor’s degree or regional equivalent in an IT discipline; submit Experience Assessment essays or pass the examination; and complete the endorsement process. The certification focuses on security in the following SDLC domains: Systems Development Life Cycle, Secure Software Requirements, Secure Software Design, Secure Software Implementation, Secure Software Testing, Software Acceptance, Software Deployment. The price of the exam is $650 USD, and recertification is required every three years under the following conditions: earn 90 Continuing Professional Education (CPE) credits (minimum 15 CPEs earned each year) and pay annual maintenance fees ($100 USD). If you need a study guide, you can take a look at the book The CSSLP Prep Guide: Mastering the Certified Secure Software Lifecycle Professional (not released yet).
- EC-Council Certified Secure Programmer (ECSP). To become an ECSP you must pass an exam ($250). Associated (online) training is available. EC-Council very often offers free one-day courses on its site. If you do not take the associated training from EC-Council, you must complete an eligibility form before you can take the exam; for recertification, each member must earn 120 credits within 3 years, with 20 credits per year.
- EC-Council Certified Secure Application Developer (CSAD). The CSAD is ECSP plus an application development certification (for Linux: LCE / LCA / RHCE / LPI certification; for Microsoft: MCAD / MCSD / MCTS / MCPD certification; for Sun: SCJD / SCEA certification; for Oracle: OCP (DBA) certification; for IBM: WebSphere certification).