Earlier this week I blogged about application security certification. Here is more on the topic:

It makes no sense to me that students can graduate with a Computer Science and Software Engineering degree and have zero exposure to software security. Doesn’t our society literally run on software these days?

We have plenty of decent standards and guidelines on which to build a certification program that can plug the application security holes at universities; in fact, most of the standards and guidelines (from NIST, DHS, MS SDL, OWASP, etc.) could lend themselves to several certifications, based on either role or “project” (to borrow the OWASP lingo). We need to accept that (ISC)^2’s attempt at replicating CISSP for software with CSSLP is a failure. The test is a joke and the training/prep content overlaps with CISSP to a frightening level, watering down the value of CSSLP and, frankly, endangering the sanctity of CISSP in the process.

We need an organization to step up and sponsor an AppSec Cert program. Successful certification programs need three critical elements:

1. A sponsor that has market reach/penetration;
2. A body of content against which to construct training and exams; and,
3. The infrastructure from which to deliver and support the program.

OWASP could sponsor this. So could Microsoft or IBM – they own the lion’s share of the software development market (and don’t they each have a bunch of cert programs already?). An independent org like (ISC)^2 won’t be successful without a sponsor, imo.

Finally, the infrastructure for such a program is key. What the PCI Security Standards Council has done with their QSA and PA-QSA audit certifications is a great model – and now they are moving the programs to eLearning for scale and efficiency. Amazingly, this group has got it right and is a model for us to follow in the AppSec world at large. After a shaky start on their audit certification programs, PCI has now got things working well from a process, content, and infrastructure perspective – we should learn from it.

Who will be the organization to take a risk (albeit a small one) to sponsor a program that could have global impact on the single biggest problem area facing IT Security – software? At minimum, let’s get development, audit, and business teams the basic knowledge they need to put up some kind of defense against hackers. Microsoft provides lots of free guidance on their Security Development Lifecycle (SDL) at https://www.microsoft.com/security/sdl/ as does OWASP at https://www.owasp.org/index.php/Category:OWASP_Project . But content availability is not the problem -- individuals and enterprises value certifications, and this industry needs it for AppSec.

It isn’t much of a stretch to envisage certification programs built around the excellent content referenced here ... what are we all waiting for?