Secure Coding mailing list archives

Darkreading: Secure Coding Certification


From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 14 May 2007 13:14:56 -0400 (EDT)


On Fri, 11 May 2007, Gary McGraw wrote:

> What do you think?  Can we test someone's software security knowledge
> with a multiple choice test?  Anybody seen the body of knowledge behind
> the test?

I've participated heavily in the development of the test by contributing
questions, giving guidance on subject areas, and identifying some of the
language-independent, general knowledge categories.

While multiple choice isn't perfect, SANS is consulting with a
professional organization that has experience in making multiple choice
certification-related tests for a variety of industries.  They have given
us extensive guidance on how to write solid questions.  There are multiple
checks and balances along the way to improve the quality of the questions.
The "blueprints" as provided on the site give guidance to what kinds of
questions are asked in the first place.

Essay answers or program analysis projects might be able to give a more
well-rounded understanding of what a developer does, but that would be
subject to too much variation by the people evaluating the test results,
not to mention being quite untenable on the scale that this effort is
likely to reach.

People will try to force this initial exam into being something much more
comprehensive and authoritative than it's intended to be, and there might
be some bumps along the way, but - how can the industry afford NOT to try
to test secure development skills?  This is the first step of many.

- Steve
