Amid growing Internet crime enabled in part by faulty programming, the SANS Institute will introduce a series of four exams for developers to test how well they can write secure code.
The exams will cover C/C++, Java/J2SE, Perl/PHP and .NET/ASP, said SANS, which runs a computer security training institute. A pilot exam program will start in August in Washington, D.C., and the program will be extended worldwide by the end of 2007.
The exams can be used to identify gaps in a programmer's training and then eventually enable them to gain GIAC Secure Software Programmer Status through the Global Information Assurance Certification program, part of SANS.
Those within the IT industry have told SANS they don't know how well their programmers write secure code, said Steven Crofts, director of vendor and media programs at SANS.
"This is the first large-scale attempt to validate if the people inside an organization know what they are doing," Crofts said.
Johannes Ullrich, chief technical officer of the Internet Storm Center, a part of SANS that monitors security vulnerabilities and the Internet's health, said thousands of vulnerabilities were found in software programs last year.
Programmers tend to be aware of problems such as buffer overflow vulnerabilities, where extra characters can be injected into a program's memory and cause unauthorized code to run, Ullrich said.
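The overflow Ullrich describes comes from copying attacker-sized input into a fixed-size buffer without checking its length. The following C snippet, added here as an illustration and not part of the original article, places the unchecked `strcpy()` pattern beside a length-checked copy that refuses input that does not fit; the 16-byte buffer and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* fixed-size stack buffer, the classic overflow target (constructed) */

/* Unsafe pattern: strcpy() trusts the caller. Any input longer than
 * NAME_LEN - 1 bytes writes past the end of buf (undefined behaviour),
 * which is exactly the corruption the article refers to. */
void copy_name_unsafe(char *buf, const char *input) {
    strcpy(buf, input);
}

/* Safe pattern: measure first, refuse oversized input, always NUL-terminate.
 * Returns 0 on success, -1 if the input would not fit in buflen bytes. */
int copy_name_checked(char *buf, size_t buflen, const char *input) {
    size_t n = strlen(input);
    if (buflen == 0 || n >= buflen) {
        return -1;              /* no room for the data plus the terminating NUL */
    }
    memcpy(buf, input, n + 1);  /* n + 1 copies the terminating NUL as well */
    return 0;
}

int main(void) {
    char name[NAME_LEN];
    /* constructed inputs: one that fits, one 40 bytes long that would overflow */
    const char *ok = "alice";
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    if (copy_name_checked(name, sizeof name, ok) == 0) {
        printf("accepted: %s\n", name);
    }
    if (copy_name_checked(name, sizeof name, too_long) != 0) {
        printf("rejected: %zu bytes do not fit in a %zu-byte buffer\n",
               strlen(too_long), sizeof name);
    }
    /* copy_name_unsafe(name, too_long) would corrupt the stack at this point,
     * so it is deliberately never called with oversized input. */
    return 0;
}
```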
But Web applications, such as those used for e-commerce, pose other coding challenges, especially since they link back to databases rich with sensitive information, Ullrich said.
And those applications carry additional risk because they are exposed to the Internet, where they are open to attack, he said.
Programmers often "don't understand the security implications of some programming language features," Ullrich said. They're also under high pressure from companies that are trying to quickly roll out new services on the Web.
"As a result, security sometimes takes a back seat over the release date," he said.