New software certification to stem vulnerabilities

Non-profit information security group ISC2 has announced a new certification programme validating secure software development to prevent security vulnerabilities, supported by vendors such as Microsoft, Symantec and Cisco.

ISC2 is hoping the Certified Secure Software Lifecycle Professional (CSSLP) will cut the number of security vulnerabilities springing up due to software not being developed properly.

To do this, the certification aims to ensure best practices and also make sure that the individuals working on the software are capable of addressing any security issues that they encounter.

The group said that this will apply to anybody involved in working through the software lifecycle. This would include developers, software engineers, project managers, testers and programmers.

ISC2 quoted Gartner research which said 70 per cent of security vulnerabilities occurred at the application layer, claiming that it was a significant and immediate threat.

It was claimed that new applications lacking basic security controls were developed every day, with thousands of vulnerabilities ignored because developers did not have to deal with them.

"Unsecured software is not only a danger to the enterprise, it can cause higher production costs and delays for the software developer, and require additional staff for the end-user as well," said John Colley, ISC2 managing director for EMEA.

He claimed that the new certification would be key in offering better critical infrastructure protection, the reduced risk of software malpractice suits and the stricter following of industry and government regulations.

Companies such as Cisco, Microsoft, SANS, Symantec and Xerox expressed their support for the scheme.

"Microsoft strongly supports industry efforts to train and certify developers in security, especially those in organisations with limited resources," said Steven B. Lipner, senior director of security engineering strategy at Microsoft.

"Along with executive commitment, tooling and state-of-the-art processes, certification and training are critical parts of secure development."