Last month, I made a pretty audacious suggestion that one way to beat social engineering-based attacks (and here I include phishing and anything that relies on inexperienced or gullible users) is to enforce training and testing of users to ensure that they understand the risks and how best to mitigate them. Fortunately, from the looks of it no one read it. I say fortunately because I was expecting a great deal of email suggesting that I was performing anatomically impossible feats. I'm hoping I'm as fortunate this month; read on to find out why.
When it comes to secure development practices, the industry as a whole continually talks about "developer-focused security training," but people don't seem to enforce it or make it a prerequisite for employment. As a result, it never seems to happen -- nor do general coding practices ever evolve to consistently include secure coding paradigms. I see two issues that continue to prevent the wide-scale adoption of this:
- Companies feel that the cost of continual developer security training outweighs the benefits
- There is no way to measure how well developers have integrated these techniques into their work
Both of those can be mitigated by either supporting the limited "secure developer" certifications available today or collectively pushing for new secure developer certifications in general.
Cost is always part of the equation, as I tell many of the security pundits who seem to think that "complete security" is the goal of every organization. They are mistaken. What organizations want is to be as secure as possible in a way that is economically feasible. When the cost of security outweighs the cost of a breach, it doesn't make sense to implement the security. You don't spend $1 million to protect $1 billion.
Spending money on the training of developers in secure development practices can seem like an awfully big waste of money when you have no way to measure their ability to understand and integrate those practices into their daily work. Additionally, even if you have a high degree of confidence in your developers, how often do you need to reeducate them on the latest and greatest practices to ensure that they are "up-to-date"? Developer certification in "secure programming" can help with this significantly.
First, if employers made this type of certification part of the job requirements and/or paid additional premiums to individuals who have those certifications, most organizations wouldn't have to spend any direct money on training. If individuals saw a personal and financial benefit of being "certified," they would take the initiative to do so on their own, expecting the time and money invested to pay off in the form of a higher salary or increased job mobility.
Second, certification programs usually have some sort of "maintenance" requirement for individuals to continue to hold the certification. This gives individuals incentive to continually develop and hone their skills over the long haul, and it provides them with up-to-date information on an ongoing basis. Granted, additional salary or preference for certified individuals does cost money, but it is money spent on a known and demonstrable skill set, not a "let's train them and hope they get it" basis. I could go on, but I think you see my point.
So, why aren't there more security certifications for developers? Other than content provided in the normal course of developer certification (think MCSD and others), I've found only one organization focused on secure development practices as a core competency -- EC-Council. I don't think I have to argue that what is provided in the "language-type" certifications isn't sufficient; there are plenty of "certified developers" who continue to build code that is seriously flawed from a security standpoint. If there are any other security-focused certifications for developers, I couldn't easily find them -- which could be an indication that they aren't being held in high regard. In truth, I know about the one I do mainly because I hold a different certification from the same organization. Of course, the reason there aren't more of them (or they aren't more visible) is that there is no incentive for people to get certified.
If enterprise organizations were really serious about protecting their applications, their data and their customers, they would start supporting and adopting attitudes that promote secure development certification. Until they do, these certifications won't thrive and we will continue to have the same problems we have today.
About the author: Ken Salchow Jr. has been employed by F5 Networks Inc. for the past six years where he has served in several capacities. He has a bachelor's degree in information technology from Minnesota School of Business, numerous industry certifications ranging from networking to forensic examination and nearly 20 years of practical enterprise information systems experience. In addition, he is the owner/operator of Binary Forensics LLC, a boutique computer forensics lab serving the legal community in criminal and civil litigation.