In what may signal a turning point for application security, the SANS institute and SPI Dynamics will be joining forces in a campaign aimed at educating developers about securing their code. The campaign includes a 40-city application security workshop and a certification exam for application security professionals.
Alan Paller, director of research at the SANS Institute, and Michael Sutton, security evangelist at SPI Dynamics, have been tracking the rising rates of application security vulnerabilities and exploits. As many security professionals are well aware, attacks have skyrocketed over the past 18 months. Great strides in security at the network level have made attackers look toward the application level. And look they have -- approximately 80% of attacks are now aimed at applications.
This puts programmers in a difficult position. They write the code, and thus are the first line of defense in application security. But programmers haven't been trained to handle application security. They are under pressure to meet deadlines with a product that functions, not necessarily one that is secure. "Security was always considered an extra feature," noted Paller.
When it comes to security, it's "not that developers can't do it, it's that no one has told them how," Paller continued. "They didn't learn about secure coding in college, they didn't learn about it on their first job."
There is a presumption that developers are unwilling or unable to write truly secure code. However, Sutton and Paller have found just the opposite. "Developers want to embrace security," said Sutton. "I love speaking to developers and seeing the light bulb go on" when they realize how this can be accomplished.
Despite the prevalence of application exploits and vulnerabilities (and the publicity accompanying them), many companies treat app security as an afterthought. Experts may write stories urging software makers to incorporate security into the SDLC until they're blue in the face, but there hasn't been much evidence that companies are actually listening. This attitude, however, is starting to change, and the initiatives brought forth by SANS and SPI Dynamics may help speed up the process.
"We're slowly starting to hear stories about bonuses being granted based on the percentage of defects [found by programmers]," mentioned Sutton. "The key is to have executives say secure coding is a top priority." If programmers learn more about application security and can be certified, it will make it easier for everyone involved to prioritize application security.
"I think the [certification] exam will alter things radically," said Paller, because there will be a trustworthy standard in place. The certification exam would grant Certified Application Security Professional (CASP) status to qualified individuals. This is the first certification program in the industry that deals exclusively with application security.
"Tools are great for testing code, but how do you test the programmers?" asked Paller. The exam would help senior management "hire the right people and gauge the learning of current people. The exam gives them a key metric to gauge progress," added Sutton.
The exam is language-based -- i.e. developers would be tested in Java if Java is the language they use. There are about 100 questions and the test takes approximately three to four hours. In addition to the certification, there will be a score for "bragging rights," as Paller puts it. But it's "not so much the score, but the assessment that really helps a lot," he said. The exam will let test takers know which areas they are strong in and what areas need improvement.
The workshops will consist of a free morning session from SPI Dynamics and a longer, paid session from SANS. Both groups have held these sessions before, but SANS has noted an increase in the percentage of attendees who stay for the paid session. "More than a third stay and that wouldn't have been true two years ago," said Paller.
The increase could be due to the higher value placed on application security today, as opposed to two years ago. "Now the programmer doesn't actually pay for the training, their bosses do," Paller said. "And that's one of the most important ways a boss can say that this is worth your time."
In addition to SPI Dynamics, application security vendors Fortify Software, Ounce Labs, Watchfire and Cenzic partnered with SANS to create the certification exam.