Ask any security-savvy software developer how best to make code secure, and he or she will quickly tell you something like “To make code secure, you must design it to be secure, then test the heck out of it to make sure the implementation lives up to that design goal.” And in fact, a growing body of knowledge in the software development community focuses on design tools and techniques to help make sure that what gets built is indeed as secure as possible, augmented by a growing number of automated tests designed to check such work from the security perspective.
This is a very good thing. No less a security eminence than Bruce Schneier believes that security testing is not only important, but also something that must be part and parcel of the development process starting from initial design all the way through post-release maintenance and updates —throughout th entire software lifecycle as it were. For some fascinating reading on this and just about any other security topic that might interest you, check out his blog “Schneier on Security” for some eye-opening and thought-provoking material.
The new credential is called the Certified Secure Software Lifecycle Professional (CSSLP) and aims to bring better knowledge and tools to bear on software design, development, and maintenance. The primary subject areas figure into the CSSLP:
- Secure Software Concepts: security implications that touch on software development
- Secure Software Requirements: representing security needs and concerns during the requirements gathering phase of development
- Secure Software Design: translating security requirements into application design elements and specifications
- Secure Software Implementation/Coding: unit testing for security functionality and resistance to attack, developing secure code, including incident-handling and mitigation techniques
- Secure Software Testing: QA testing that integrates tests for security functionality and resistance to attack
- Software Acceptance: Security analysis and investigation during software acceptance
- Software Deployment, Operations, Maintenance, and Disposal: ensuring security during steady state operations and when managing software
Anybody who’s familiar with the software lifecycle model for development will recognize that this new cert simply integrates security throughout its current phases and activities. This is a great way to make common sense and a growing body of thought and expertise more explicit and better recognized. If you’re a developer with a security bent, this could be just as potent a credential for coders as the CISSP is for system and network administrators and “security policy wonks.” Check it out on the CSSLP Home page.