The UNIX and Linux Forums  
Posted by iBot on 10-20-2008
Securing Software Through Professionalism

The challenge of software vulnerabilities has been discussed by many in the information security industry for several years now. Not only have there been several major breaches due to unsecured software, the costs continue to rise for those of us who have to maintain systems and constantly patch the vulnerabilities that are found.







As we know, the problem is not isolated to any particular piece of software – it’s across the board, whether it’s operating systems, word processing, new media or any other application that can make enterprises open to attack.






After hearing from our members and those who write and develop software about this problem, (ISC)² formed several expert working groups to discuss possible solutions. The consensus was that while the software industry has made some progress in improving the secure coding and development of software, it hasn’t moved quickly enough.






These experts agreed that there are security issues found at all different steps in the software lifecycle and that we need to look at software security holistically, from the very beginning of design, to implementation, maintenance and disposal.






The end result of these conclusions is the Certified Secure Software Lifecycle Professional (CSSLP(CM)), a new certification announced this past month by (ISC)² to validate an individual’s understanding of security best practices throughout the software lifecycle.






Code-language neutral, the CSSLP is applicable to anyone involved in the software development lifecycle, from analysts, developers, software engineers and software architects to project managers, software quality assurance testers and programmers. It is complementary to the CISSP but there is no other certification required to obtain it.






CSSLP candidates must demonstrate four years of professional experience in the software development lifecycle process or three years’ experience and a bachelor’s degree (or regional equivalent) in an IT discipline.






The seven domains of the CSSLP CBK are:



  • Secure Software Concepts
  • Secure Software Requirements
  • Secure Software Design
  • Secure Software Implementation/Coding
  • Secure Software Testing
  • Software Acceptance
  • Software Deployment, Operations, Maintenance and Disposal



We are very proud to note that a wide range of respected organizations have expressed their support for the CSSLP, including Microsoft, Symantec, DSCI (NASSCOM), SANS, SRS International, Software Assurance Forum for Excellence in Code (SAFECode), Cisco, Xerox, SAIC, ISSA, and Frost & Sullivan.






The first CSSLP exam is scheduled for the end of June in 2009. Currently, (ISC)² is seeking qualified professionals who meet experience and other requirements to participate in the exam assessment. They will become the first CSSLP holders and be asked to contribute to the exam development process and assist in other program development tasks. Applications for the CSSLP experience assessment will be accepted from Sept. 25, 2008 through March 31, 2009, with the first education seminars slated for Q1 2009. For more information and to register for the experience assessment, please visit www.isc2.org/CSSLP.






I hope you will support this endeavor to make our software and our enterprises more secure in the years to come. I welcome your suggestions and comments on this exciting new initiative from (ISC)².



