(ISC)2 opened registration for classes and exams for its Certified Secure Software Lifecycle Professional (CSSLP) certification, with the first classes beginning this month. It’s about time! Many security zealots, like me, have been emphasizing the fact that >90% of vulnerabilities are at the software layer and that most exploitations take advantage of known, unpatched security holes. This is largely the result of insecure software production (not just coding, but bad design and testing too), yet many of the investment dollars, standards, certifications, etc. continue to be spent at the network layer. Since the university system in the USA won’t embrace the problem of insecure software and start teaching students how to write secure code (and why it matters), it is incumbent upon us as an industry to bear that burden. I’m glad to see (ISC)2 publicly launch the long-awaited CSSLP program — it is a start in the right direction. We need to fundamentally change the state of software development, and this is a step on what will be a long path to making security a part of quality software application construction. My friend and fellow curmudgeon, Mary Ann Davidson, has long called for universities to “step it up” when it comes to educating our young software engineers and soon-to-be quality professionals.
She has also called for us as an industry to resist enshrining anything like a SANS Top 25 list into contractual or regulatory requirements (after all, it is just a general list of vulnerabilities) — rather, she and I share the philosophy of addressing problems at their root cause — and the data breach problem that plagues us worse than swine flu these days will never get solved until it is addressed at the developer desktop (read “developer” = business analyst + architect + developer + tester/QA).

Over and out… your friendly neighborhood Security Curmudgeon