A group of secure-programming experts plans a series of documents that outline the skills coders need to write Web applications that are better able to withstand attacks.

The first of these is being made public Tuesday and sets down what the Secure Programming Council believes are essential capabilities these programmers must have to write Java and JavaEE code that is free of flaws that hackers might exploit.

While schools and other groups offer courses that teach secure coding, the curriculums are designed in isolation based on instructors’ best efforts, says Alan Paller, director of research for the SANS Institute, the information security training and research organization. They don’t adhere to industry standards for what they ought to include, he says.

The series of documents from Secure Programming Council hopes to address this shortcoming by drawing on existing texts and input from secure-coding trainers as well as businesses that are making similar efforts for their in-house programmers, Paller says. “It’s a common body of what people need to know, benchmarks for employers and teachers,” he says.

The group hopes that teachers will adjust their syllabuses to incorporate the recommendations, he says.

The council is issuing Essential Skills for Secure Programmers Using Java/ JavaEE now, and plans follow-ups for other languages including C, C++, and .Net languages as well as Perl and PHP. The Java paper is open for public comment until Dec. 1 at spa@sans.org.

While secure-programming can help, it’s not enough, Paller notes. In addition to training, programmers need tools that assist in writing safe code and automatically test the code for vulnerabilities once it is written.

Ryan Berg, a member of the Secure Programming Council steering committee on Java and JavaEE and chief scientist at Ounce Labs, says guidelines are sorely needed. “Programmers don’t have a place to go to find out, ‘What do I need to know in order to write secure code,?’” Berg says. Ounce Labs makes software that reads other software to look for weaknesses.

He says that each programming language has its own characteristics and weaknesses that developers using it need to know if they want to keep it safe from attacks. “Programmers need to understand the languages and the facilities provided by the languages to promote sound software design,” Berg says.

Whitepapers

• Selecting Effective Virtual Directories
• Best Practices for HP Servers and HP Enterprise Virtual Array in a Microsoft Exchange
• Compliance, Protection, Recovery: A Layered Approach to Laptop Security
• Endpoint Security: Data Protection for IT, Freedom for Laptop Users
• IT Departments on Data Security: A Research Concepts Survey
• Laptop Security Tool Helps Allina Hospitals Track 97% of IT Assets

View more SOFTWARE whitepapers

Webcasts

• Managing the End User Experience-A Real World Example of Success
• Lowering the Cost of Email Archives
• Google Webcast: Why archive email? Top challenges and best practices
• High Availability for SQL Server 2005 Using Array-Based Replication and Host-Based Mirroring Technologies
• Technical Overview of Exchange Server 2007 with HP Servers and Storage
• Bringing Order and Security to your Mobile Workforce: Corporate Mobility Policy and Device Management On-Demand

View more SOFTWARE webcasts

Special Reports

• Application Performance Management Executive Guide
• Executive Guide: Building a Service Oriented Architecture
• IT Buyers Guide To: Collaboration

View more SOFTWARE special reports