Secure Coding mailing list archives

Darkreading: Secure Coding Certification


From: Greg.Beeley at LightSys.org (Greg Beeley)
Date: Mon, 14 May 2007 11:35:19 -0400

> 1. ONLY consultants and vendors have jumped on the bandwagon. Other IT
> professionals such as those who work in large enterprises have no
> motivation to pursue.
>
> 2. The target price for the exams will be an impediment as many folks who
> can't get reimbursed for taking them will not bother.

Agreed.  There might be some value to a software development outsourcing
company, but that will limit coverage.  I definitely know that the pricing
issue would prevent me from taking the exam, but I'm in nonprofit/charity
work; I am not representative of most of the industry...

> 3. It needs to be more language agnostic. Folks who code in Smalltalk,
> Ruby or scripting languages should not be treated as second-class citizens.

Agreed in concept to the "no second-class citizens" idea.  But I think
the test needs to have a language-specific element to it.  Every language
and environment has unique pitfalls and security considerations.  A
developer who knows to avoid memory management, buffer, and integer issues
in C may have no clue about NUL-poisoning in a web scripting language's
counted (as opposed to zero-terminated) strings.

> 4. I would not measure "experience" but desire to pursue knowledge.
> Experience over time can get static. How many of us know a COBOL
> programmer who has had one year of experience twenty times?

To me, the "experience" qualification isn't so much "how many years of
coding", but how much has the person actually practiced "secure coding"?
An experienced secure coder is much more able to recognize, at a glance,
issues in the code and in the design, as compared to someone who has been
recently trained at a secure coding "boot camp".  But I do agree with you
that experience in terms of time is a somewhat rough metric.

Greg.


