Secure Coding mailing list archives

Darkreading: Secure Coding Certification


From: gem at cigital.com (Gary McGraw)
Date: Tue, 15 May 2007 09:05:02 -0400

Hi Yo (and everyone else),

I'm afraid that the current test focuses all of its attention on BUGS (in C/C++ and Java).  While we certainly need to 
eradicate simple security bugs, there is much more to software security than the bug parade.  Plus when you look into 
the material, the multiple choice format makes determining the correct answer impossible at times.

I would rather move away from learning about bugs to learning about defensive programming to avoid bugs in the first 
place.  The SANS material focuses entirely on the negative as far as I can tell.  Here's a bug, there's a bug, 
everywhere a bug bug.  Better than nothing?  Maybe.

SANS is very good at soliciting everyone's opinion, piling it all up in a nice package, and then charging users for the 
result.  SANS is a for-profit entity, not a university or a non-profit.  Please don't forget that.

As much as I would love to see a way to determine whether a random coder has security clue, I'm afraid all we will get 
out of this effort is perhaps a bit more awareness.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


-----Original Message-----
From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Johan Peeters
Sent: Saturday, May 12, 2007 6:11 AM
To: SC-L at securecoding.org
Subject: Re: [SC-L] Darkreading: Secure Coding Certification

I agree that multiple choice alone is inadequate to test the true
breadth and depth of someone's security knowledge. Having contributed
a few questions to the SANS pool, I take issue with Gary's article
when it implies that you can pass the GSSP test while clueless.

There is indeed a body of knowledge that is being tested. SANS has
been soliciting comments on the document.

kr,

Yo

On 5/11/07, Gary McGraw <gem at cigital.com> wrote:
Hi all,

As readers of the list know, SANS recently announced a certification scheme for secure programming.  Many vendors and 
consultants jumped on the bandwagon.  I'm not so sure the bandwagon is going anywhere.  I explain why in my latest 
darkreading column:

http://www.darkreading.com/document.asp?doc_id=123606

What do you think?  Can we test someone's software security knowledge with a multiple choice test?  Anybody seen the 
body of knowledge behind the test?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________



--
Johan Peeters
http://johanpeeters.com