Security certifications for programmers

This blog entry starts from a very simple question : “What a programmer need to know about the security in order to write more secure code ?” I know that IT security is a very vast topic but in my case I’m interested only in “application security”.  My goal was to find some certifications that will teach me the basics of the “applications security”. You may wonder why I chose to look for the certifications, why not “normal” trainings.  I choose to look for the certifications because I supposed and hoped that will provide me an objective measure of knowledge, skills and abilities.

So here are the security certifications for programmers:

What I like about these certifications is that it gives you all the necessary informations before passing the exams but on the other side I was not convinced about the  previews offered on the site.

What I like about GSSP is that are different exams for different languages since the security risks are not the same for all the programming languages. What I don’t like (beside the price) is the missing of a study guide.

  • Certified Secure Software Lifecycle Professional(CSSLP) The process of certification is quite difficult: must provide proof of four years in the Systems Development Life Cycle (SDLC) process or 3 years plus a bachelors degree or regional equivalent in an IT discipline, submit Experience Assessment essays or pass examination, complete the endorsement process. The certification is focused on security of the following SDLCs: Systems Development Life Cycle, Secure Software Requirements, Secure Software Design, Secure Software Implementation, Secure Software Testing, Software Acceptance, Software Deployment. The price of the exam is $650 USD and the recertification is required every three years under the following conditions : earn 90 Continuing Professional Education (CPE) credits (minimum 15 CPEs earned each year) and pay annual maintenance fees ($100 USD). In case you need a study guide you can take a look at this book The CSSLP Prep Guide: Mastering the Certified Secure Software Lifecycle Professional (not released yet).
  • EC-Council Certified Secure Programmer (ECSP) In order to be an ECSP you must pass an exam ($250). Associated training is available  (online training). On the site EC-Council offer very often free courses consisting in only one day. If you do not take the associated training from the EC-Council, you must complete an eligibility form before you can take the exam and for recertification each member must achieve 120 credits within 3 years and clock in 20 credits per year.
  • EC-Council Certified Secure Application Developer (CSAD) The CSAD is a ECSP + application development certification (for Linux: LCE / LCA / RHCE / LPI certification, for Microsoft: MCAD / MCSD / MCTS / MCPD certification, for Sun:  SCJD / SCEA certification, for Oracle: OCP certification ( DBA), for IBM: Websphere certification)