Educause Security Discussion mailing list archives

Training and certification for web developers


From: Steven M Werby/FS/VCU <smwerby () VCU EDU>
Date: Thu, 7 May 2009 15:56:23 -0400

Do your institutions require your web developers to demonstrate their web
application security knowledge (and skills) in order to develop
applications?  If so, I'm interested in how this was done and what
challenges have been encountered.

I inherited a standard which includes the following:

Web application administrators must be certified using the certification
process described below. Web application administrators are responsible
for the security of the web applications and must ensure that web
application programmers/developers under their supervision maintain a
level of security expertise that includes up-to-date knowledge of web
application security and techniques for secure web programming.

The now deprecated GIAC GWAS cert is mentioned as an approved option, as
well as the SANS secure coding courses which don't have an associated
certification.  I'm not currently enforcing this component of the
standard.

I haven't ruled anything out, so anything from mandatory internal training
including a test to external training with 3rd-party certification is a
possibility.  We're a fairly large decentralized university, with
"developers" ranging from trained IT professionals to non-IT graduate
students hacking code they found through Google and don't understand.
Suggestions?

--
Steve Werby
Information Security Officer
Virginia Commonwealth University

VCU Information Security - http://infosecurity.vcu.edu/
Information Security News, Tips & More - http://www.twitter.com/vcuinfosec
Information Security Best Practices -
http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf
