by Jeremy Kirk

SANS to test programmers’ security sense

Mar 26, 2007

Exams identify holes in developers' training

Amid growing Internet crime enabled in part by faulty programming, the SANS Institute will introduce a series of four exams for developers to test how well they can write secure code.

The exams will cover C/C++, Java/J2SE, Perl/PHP and .NET/ASP, said SANS, which runs a computer security training institute. A pilot exam program will start in August in Washington, D.C., and the program will be extended worldwide by the end of 2007.

The exams can be used to identify gaps in a programmer’s training and then eventually enable them to gain GIAC Secure Software Programmer Status (GSSP) through the Global Information Assurance Certification (GIAC) program, part of SANS.

Those within the IT industry have told SANS they don’t know how well their programmers write secure code, said Steven Crofts, director of vendor and media programs at SANS.

“This is the first large-scale attempt to validate if the people inside an organization know what they are doing,” Crofts said.

Johannes Ullrich, chief technical officer of the Internet Storm Center, a part of SANS that monitors security vulnerabilities and the Internet’s health, said thousands of vulnerabilities were found in software programs last year.

Programmers tend to be aware of problems such as buffer overflow vulnerabilities, where extra characters can be injected into a program’s memory and cause unauthorized code to run, Ullrich said.

But Web applications, such as those used for e-commerce, pose other coding challenges, especially since they link back to databases rich with sensitive information, Ullrich said.

Those applications also carry additional risk because they are exposed to the Internet, where they are open to attack, he said.

Programmers often “don’t understand the security implications of some programming language features,” Ullrich said. They’re also under high pressure from companies that are trying to quickly roll out new services on the Web.

“As a result, security sometimes takes a back seat over the release date,” he said.