The time for application security certification is now — part 2

Earlier this week I blogged about application security certification. Here is more on the topic:

It makes no sense to me that students can graduate with a Computer Science and Software Engineering degree and have zero exposure to software security. Doesn’t our society literally run on software these days?

We have plenty of decent standards and guidelines on which to build a certification program that can plug the application security holes at Universities; in fact, most of the standards and guidelines (from NIST, DHS, MS SDL, OWASP, etc.) could lend themselves to several certifications, based on either role or “project” (to borrow the OWASP lingo).

We need to accept that (ISC)^2’s attempt at replicating CISSP for software with CSSLP is a failure. The test is a joke and the training/prep content overlaps with CISSP to a frightening level, watering down the value of CSSLP and, frankly, endangering the sanctity of CISSP in the process.

We need an organization to step up and sponsor an AppSec Cert program. Successful certification programs need three critical elements:

1. A sponsor that has market reach/penetration;
2. A body of content against which to construct training and exams; and,
3. The infrastructure from which to deliver and support the program.

OWASP could sponsor this. So could Microsoft or IBM – they own the lion’s share of the software development market (and don’t they each have a bunch of cert programs already?). An independent org like (ISC)^2 won’t be successful without a sponsor, imo. Finally, the infrastructure for such a program is key. What the PCI Security Standards Council has done with their QSA and PA-QSA audit certifications is a great model – and now they are moving the programs to eLearning for scale and efficiency. Amazingly, this group has got it right and is a model for us to follow in the AppSec world at large. After a shaky start on their audit certification programs, PCI has now got things working well from a process, content, and infrastructure perspective – we should learn from it.

Who will be the organization to take a risk (albeit a small one) to sponsor a program that could have global impact on the single biggest problem area facing IT Security – software?

At minimum, let’s get development, audit, and business teams the basic knowledge they need to put up some kind of defense against hackers. Microsoft provides lots of free guidance on their Security Development Lifecycle (SDL), as does OWASP. But content availability is not the problem — individuals and enterprises value certifications, and this industry needs it for AppSec.

It isn’t much of a stretch to envisage certification programs built around the excellent content referenced here … what are we all waiting for?