Wouldn’t it be nice if we could measure the application security skills of our developers?





Wouldn’t it be nice if we could measure the application security skills of our developers?

  • Well … Yes

  • SANS and many other organizations have recognized a need for this

  • SANS, with the help of many others including OWASP, is working to make that possible

      • See the press release: http://www.sans-ssi.org/ssi_press.pdf


The SANS (SysAdmin, Audit, Network, Security) Institute is a U.S.-based company that

    • Provides Information Security Training
    • IT Security Certifications (GIAC)
    • IT Security Research, Policy, Community
    • Publishes the SANS Top 20
      • Which is what the OWASP Top 10 is modeled after
    • And now the SANS Software Security Institute (www.sans-ssi.org)
  • Check out www.sans.org for more details



A battery of language-specific secure coding exams for programmers

    • C and Java/J2EE – 1st target languages
      • Free practice tests available
    • C++, .NET, PHP, PERL soon thereafter
  • Each test will include

    • General application security questions
    • Language-specific secure coding questions
    • Tests will be generated from a large bank of questions per language


Consider the following program:

  • The program as shown on the slide (line numbers dropped; the two header names were lost in extraction, so stdio.h, which snprintf/printf require, and stdlib.h are filled in here as assumptions):

        #include <stdio.h>   /* assumed: needed for snprintf() and printf() */
        #include <stdlib.h>  /* assumed: second header on the original slide */

        void usage(char *ptCommand) {
            char usageInfo[1023];
            snprintf(usageInfo, 1023, "Usage: %s \n", ptCommand);
            printf(usageInfo);   /* usageInfo, built from argv[0], is used as the format string */
        }

        int main(int argc, char * argv[]) {
            if (argc < 2)
                usage(argv[0]);
        }

  • Q1. If in the above code argv[0] may be provided by a malicious user, what security problem can the code have?

    • A. Format string vulnerability
    • B. Out-of-bound array write
    • C. String null-termination error
    • D. String truncation

  • The candidate is asked to find the best answer, not the only right answer.
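As an added illustration (not code from the slide deck or from SANS), the following shows the hardened form of the slide's usage() beside an audit helper that flags untrusted strings carrying printf directives; count_format_directives, usage_safe and the sample argv[0] value are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Count printf conversion directives ("%" not escaped as "%%") in a string
 * that came from an untrusted source, such as argv[0] on the slide. Any
 * non-zero count means the string may only ever be passed as a *data*
 * argument, never as the format argument. Handy as a test/audit helper. */
int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* The slide's pattern, for comparison (kept as a comment so this file
 * compiles cleanly under -Wformat-security):
 *
 *   snprintf(usageInfo, 1023, "Usage: %s \n", ptCommand);
 *   printf(usageInfo);   // buffer built from argv[0] becomes the format
 *
 * Hardened version: the format string is a compile-time constant and the
 * buffer built from user input is passed only as a "%s" argument. The line
 * is also copied into `out` so callers (and tests) can inspect it. */
int usage_safe(char *out, size_t outsz, const char *ptCommand) {
    char usageInfo[1023];
    snprintf(usageInfo, sizeof usageInfo, "Usage: %s \n", ptCommand);
    printf("%s", usageInfo);                      /* fix: constant format */
    return snprintf(out, outsz, "%s", usageInfo); /* length of the usage line */
}

int main(void) {
    char line[1100];
    const char *cmd = "%p%p";   /* constructed sample: argv[0] carrying directives */
    if (count_format_directives(cmd) > 0)
        fprintf(stderr, "warning: program name contains format directives\n");
    usage_safe(line, sizeof line, cmd);   /* prints "Usage: %p%p " literally */
    return 0;
}
```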



Allow employers to rate their programmers' security skills

    • Help buyers to measure secure programming skills of suppliers
    • Allow programmers to identify their gaps
    • Allow employers to evaluate job candidates and consultants
    • Encourage universities to teach secure coding
    • Help individuals and organizations compare their skills to others
    • See: http://www.sans-ssi.org/#pgoals


More than 400 organizations polled in October, 2006, said they will use the exams.

  • 83.7% said: “To identify our programmers’ secure programming gaps”

  • 62.1% said: “To ensure consultants and vendors have security-skilled programmers”

  • 60.1% said: “To evaluate programming candidates”

  • 57.4% said: “To select people with skills for critical projects”

  • 44.1% said: “To persuade universities to bake security into core programming courses”

  • 38.9% said: “To compare our programmers to others in our industry”

  • To help give our customers confidence that we are delivering products that include code written by certified secure programmers



Randy Marchany, Ruiliang Chen, and Professor Jung Min Park of Virginia Tech.

  • Professor Matt Bishop of UC Davis, author of “Computer Security: Art and Science”

  • Ed Tracy of Booz Allen Hamilton

  • Steve Christey of MITRE, and editor of the CVE project

  • Ryan Berg and Jack Danahy of Ounce Labs

  • Professor James Walden of Northern Kentucky University

  • Brian Chess and Eric Cabetas of Fortify Software

  • Bryan Sullivan and a large team at SPI Dynamics

  • Danny Allen and Karl Snider of Watchfire

  • Andrew Van der Stock and Jeff Williams of Aspect Security and OWASP 

  • Mandeep Khera of Cenzic



Identify the key vulnerabilities and the programming errors that caused them

  • Draft rules that would have avoided them

  • Group the rules into categories/tasks

  • Rank the tasks on criticality, importance, and frequency to determine question counts

  • Draft questions

  • Vet questions

  • Work with MITRE and the CWE program to keep them current



SANS plans to sponsor a new $5K OWASP Spring of Code project to develop questions

    • This is being slipped in, in addition to all the other projects already announced
  • Dinis Cruz is soliciting proposals for this now

    • Please consider a submission!!


For certification: proctored three times a year, partnering with colleges around the world (pilot in August in Washington)

  • For assessment in large organizations – the enterprise edition – online

  • For assessment for all others – the open edition – online

    • See: http://www.sans-ssi.org/#deployment
  • How do we avoid disclosure?

    • Thousands of questions, constantly changing


Help make the tests better

    • Blueprints
    • Questions
  • University partners

    • Test administration site
    • Teaching courses for students and local industry
  • Enterprise partners



Required

    • Help make the test better
    • Participate in the pilot administration
    • Acknowledge support for the initiative
  • Optional

    • Work with universities to encourage them to include secure coding (initiative launched)
    • Use the exam for assessments
    • Get people certified
    • A few of the partners: Siemens, Tata (60,000 programmers), Juniper, Symantec, ABN AMRO, Intel


Test Blueprints and Practice Tests, Top Three Errors, Press coverage, Critics’ Page, more

    • www.sans-ssi.org
  • Email for participation

    • spa@sans.org
  • OWASP Spring of Code Submission for SPSA Question Generation Project

    • www.owasp.org/index.php/OWASP_Spring_Of_Code_2007_Applications

