SANS to certify programmers for security nous

The SANS Institute has assembled a coalition of security vendors to create a secure coding assessment and certification exam for programmers.

Several specialist computer security courses has been established on either side of the Atlantic but the SANS scheme has a different aim, helping general programmers to avoid common security pitfalls and creating a way for them to test their secure coding skills.

Participants have the option to sit four exams leading to GIAC Secure Software Programmer (GSSP) status. The four examinations cover a specific programming language suite: C/C++, Java/J2EE, Perl/PHP and .NET/ASP.

Students who pass the exams are expected to display expertise in identifying and correcting the common programming errors that lead to security vulnerabilities, such as buffer overflow flaws.

The scheme is supported by several major security firms including Symantec, Juniper, Mitre and TippingPoint as well as Tata, the Indian software development consultancy.

The exams are to be piloted in Washington in August with plans to roll them out worldwide through the remainder of 2007. "This assessment and certification program will help programmers learn what they don’t know, and help organizations identify programmers who have solid security skills," said Alan Paller, director of research at the SANS Institute.

Programmers with secure coding credentials stands a better chance of standing out in a highly competitive marketplace, Paller told El Reg, adding that feedback from programmers during the development of the scheme showed many were prepared to take the time to improve their programming skills. ®