• United States



Chief Executive Officer, Security Innovation

CSSLP — it’s about time!

Apr 29, 20092 mins
Business ContinuityCareersData and Information Security

(ISC)2 opened registration for classes and exams for its Certified Secure Software Lifecycle Professional (CSSLP) certification, with the first classes beginning this month.  It’s about time! Many security zealots, like me, have been emphasizing the fact that >90% of vulnerabilities are at the software layer and most exploitations take advantage of known and un-patched security holes.  This is pretty much the result of insecure software production (not just coding, but bad design and testing too) yet many of the investment dollars, standards, certification, etc. continue to be spent at the network layer. 

Since the university system in USA won’t embrace the problem of insecure software and start teaching students how (and the importance of) writing secure code, it is incumbent upon us as an industry to bear the cost of the burden. I’m glad to see (ISC)2 publicly launch the long-awaited CSSLP program — it is a start in the right direction.

We need to fundamentally change the state of software development and this is a step on what will be a long path to making security a part of quality software application construction.  My friend and fellow curmudgeon, Mary Ann Davidson, has long called for universities to “step it up” when it comes to educating our young software engineers and soon-to-be quality professionals. She has also called for us as an industry to resist enshrining anything like a SANS Top 25 list into contractual or regulatory requirements (after all, it is just a general list of vulnerabilities) — rather, she and I share the philosophy of addressing problems at their root cause — and the data breach problem that plagues us worse than swine flu these days will never get solved until it is addressed at the developer desktop (read “developer” = business analyst + architect + developer + tester/QA)

Over and out… your friendly neighborhood Security Curmudgeon

Chief Executive Officer, Security Innovation

Ed Adams is a software executive with successful leadership experience in various-sized organizations that serve the IT security and quality assurance industries. As CEO, Mr. Adams applies his security and business skills, as well as his pervasive industry experience in the software quality space, to direct application security experts to help organizations understand the risks in their software systems and develop programs to mitigate those risks. The company has delivered high-quality risk solutions to the most recognizable companies in the world including Microsoft, IBM, Fedex, ING, Sony, Nationwide and HP.