Security pros offered new 'CSSLP' qualification

Software developers are to be offered a new qualification from next year, the CSSLP, designed to certify their competence in the increasingly troubled world of security design.

The Certified Secure Software Lifecycle Professional certification is the work of UK-based (ISC)2, a not-for-profit industry organization that already manages a range of global security qualifications.

Its creators hope that the CSSLP will benefit both the professionals who take the $599 (£320) examination, and the companies who hire them. Anyone passing the test will have to prove a high degree of competence across any programming language in understanding how to integrate good security practice into the software development lifecycle.

Areas of knowledge will include "the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance." Applicants will need to have at least 4 years of professional experience or three years experience and an IT university degree before being able to sit the CSSLP.

"All too often, security is bolted on at the end of the software lifecycle as a response to a threat or after an exposure," said the recently-hired (ISC)2 board member and Information Security Forum (ISF) president, Howard Schmidt. "The time to act is now, because new applications that lack basic security controls are being developed every day, and thousands of existing vulnerabilities are being ignored."

A number of large software outfits have expressed support for the idea of a specific qualification, not least Microsoft, which recently put its own security SDL methodology into the public domain. Others endorsing it include Symantec, Xerox, and Frost & Sullivan.

The (ISC)2 has certified 62,000 security professionals around the globe in its 19 years of experience. Around 3,000 of these have been in the U.K., and managing director John Colley said he was confident that the new qualification would appeal to at least this number of people over a period of time.

Colley expected registration to be complete by February 2009, with the first exam due at the end of June that year. Brush-up courses cost around $2,500, though these are usually paid for by businesses keen to see their security pros match the industry standard.