Home » Security Leadership » Career/Staffing

News

New Certification Aims to Secure Software Throughout Development

New ISC2 certification targets practices and expertise that assess threats at the front end of the application development process, instead of after the damage is done

By Joan Goodchild, Senior Editor

October 07, 2008 — CSO —

ISC2 is launching a new certification that, according to the UK-based firm, will target secure software development practices and expertise that address the increasing number of application vulnerabilities.

The Certified Secure Software Lifecycle Professional (CSSLPcm) is code language neutral and it will be applicable to anyone involved in the software lifecycle chain, including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers, according to a statement from (ISC)2.

"Over 70 percent of security vulnerabilities exist at the application layer, presenting a significant, immediate threat to users worldwide," said Howard A. Schmidt, CISSP, an (ISC)2 board member and newly appointed president of the Information Security Forum, in a statement. "All too often, security is bolted on at the end of the SLC as a response to a threat or after an exposure."

The first CSSLP exam is scheduled for the end of June in 2009. Subject areas covered by the test will include the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance, according to (ISC)2. It will include seven domains, including secure software concepts, requirements, design, implementation/coding, testing, software acceptance, and deployment, operations, maintenance and disposal. In order to sit for the exam, candidates need four years of professional experience in the SLC process or three years of experience and a bachelor's degree in an IT discipline.

While the quality of the certification still has to play out among professionals, Chris Shiflett, a web architect, security analyst and chief technology officer with OmniTI, a New York consultancy, said at first blush the designation does seem to address a need in IT.

"Most of the work emphasis in security certification is focused on discovery of problems that exist," said Shiflett. "On the face of this, it seems more specifically to focus on the cause of those problems. There have been a number of people, myself included, in the security community, that have been pushing for more education, particularly regarding developers and secure programming practices. It doesnâ¬"t seem we've reached tipping point yet. It's hard to say when that's going to be reached, or when it really will. But this seems to be more proactive instead of reactive and that's a good thing for the industry."