Secure Programming Exams Launched

An anonymous reader writes "The SANS Software Security Institute, in conjunction with organizations such as Siemens, Symantec, Juniper, OWASP, and Virginia Tech, has announced a program for testing whether programmers know how to write secure code. The Secure Programming Skills Assessment is split into separate language families (C/C++, Java/J2EE, Perl/PHP, and ASP/.NET). Director of research Alan Paller says 'This assessment and certification program will help programmers learn what they don't know, and help organizations identify programmers who have solid security skills.' The pilot exam will be held in Washington DC in August, followed by a global rollout."
  • If only (Score:4, Insightful)

    by vivaoporto ( 1064484 ) on Thursday March 29, 2007 @10:52AM (#18529243)
    If only programmers had time enough to evaluate the code they have written, and every now and then to refactor some parts. Every coder with a tight schedule will write anything that gets the manager's ready-to-production rubber stamp and, if it turns out that it has a vulnerability, by the time it gets discovered either it is up to the maintenance team to fix or a new version of the software will already be out, so no fix will be necessary.

    Big. On schedule. Bugless. Pick 2.
    • by syphax ( 189065 )

      I choose On schedule and Bugless.
    • I'd say it's more like Works. On Schedule. Bugless. Pick 2. :)

    • Re: (Score:2, Informative)

      by jd3nn1s ( 613014 )
      I think this misses the point. Common vulnerability types could be avoided with a little education on how they actually work. Understanding how vulnerabilities come about would allow programmers to avoid creating instances of them in the first place.

      If you monitor the bugtraq list you can see that the vast majority of reported vulnerabilities are XSS and SQL injections in web apps. Most of these can be easily avoided if you know how they occur.

      This would mean less time needed for reviews as the code woul
      • But the solution recommended for the bugs is not always the best solution. You see people recommending using mysql_real_escape (or whatever it's called) to protect against SQL injection when what they really should be doing is only using prepared queries. Using things like mysql_real_escape is easy to forget at certain places in the code, and it's hard to check all the code to see if you forgot them later, even when you really try to remember. But it's pretty hard to "forget" to use a prepared query when th
        • by jd3nn1s ( 613014 )
          Agreed, prepared statements are definitely the best protection against SQL injections. I don't see why this point starts with a "but" though. If that is what is "recommended" then those doing the recommending need more education.

          Some blame lies with the way certain web-app languages have been put together; e.g. default output to the browser not being escaped. Further abstraction by newer languages, or in-house built layers can solve these problems though, if the programming team understands the risks.
        • I don't understand. Why is it any easier to remember method A than method B, if one is not used to either? Not that your larger point (use prepared queries vs. escaping strings) is under dispute, but if a developer is more used to using the latter, how would he be more likely to remember to use the former?

          • by tpv ( 155309 )
            It's not simply a matter of "A" or "B". It's either:
            1. do insecure thing "X", but always make sure you do "A" at the same time in order to undo the damage of doing X
            2. do secure thing "B" all the time
            If you forget to do "B", your app simply doesn't work. If you forget to do "A" (but still do "X") then your app works, but is insecure.

            It's much safer to use safe practices all the time than to apply "fixes" on top of unsafe practices.

    • Re:If only (Score:4, Informative)

      by ciaohound ( 118419 ) on Thursday March 29, 2007 @11:22AM (#18529677)
      It is a management problem, absolutely. But it is also a matter of having seasoned lead developers. A project or program manager per se may not have the technical background to make sure the schedule includes security testing, but his lead developer can explain why it needs to be there.
      • It isn't a management problem. It is a client problem. Engineering a system with security requirements will always cost more than engineering a system without security requirements.

        If several groups are bidding on a project, and security is not explicitly and verifiably included in the RFQ, any group that ignores security will be able to undercut groups which take security seriously.

  • no VB =(
  • can we expect to see the answer keys posted to about 100 .ru sites in a week?
  • by chrism238 ( 657741 ) on Thursday March 29, 2007 @11:11AM (#18529505)
    How long will it take employers, head-hunters, and even some technical people, to realise this?
    • by colesw ( 951825 )
      That would be why it says different families. Unless you happen to believe that Perl/PHP is a language?
    • by EvanED ( 569694 )
      That depends. How long will it take forum posters to realize that "/" is often used as abbreviation for "and" and "or"?
      • Re: (Score:3, Funny)

        That depends. How long will it take forum posters to realize that "/" is often used as abbreviation for "and" and "or"?

        I've been wondering the same thing here on AndDot for some time now. Or is that OrDot?

        • The same identifier can have multiple meanings. Hooray for overloading! Is that covered in the test?

          Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo.
    • Re: (Score:3, Informative)

      It is ironic that the parent post is modded off-topic. If you read the C and C++ newsgroups, you will soon discover that many regulars dislike the term "C/C++". It is ambiguous, and often used (deliberately or inadvertently) by those who don't understand the differences between the languages to hide their lack of knowledge.

      The SANS sample test here is guilty of exactly that crime, demonstrating a fundamental lack of understanding of the differences between how you program in C and how you do it in C++ if

      • Thanks for your comment; it summarises well what I meant in my parent post. The security challenges posed by C are not necessarily the same as those posed by C++, or vice versa. Similarly, an ignorance of the similarities and differences of the two languages may lead to even greater security vulnerabilities. [Sorry, however, if my "score" of Off-Topic now affects your article.]
  • the answers for these exams will be on testking and other cheat sites. which will be great as it will then enable thousands of coders to be certified to write secure code, and we'll never have insecure code again. Soon the SAN SW Security Institute can make exams for bug-free code and perfect IT architecture. I'll get all those certs so everything I do will be perfect.
  • by Coryoth ( 254751 ) on Thursday March 29, 2007 @11:30AM (#18529769) Homepage Journal
    Slowly, but surely, security of software is becoming more of an issue. That doesn't mean writing perfectly secure software -- but it does mean closing up some of the glaring holes. As this article points out, a ridiculously large amount of security flaws in web applications come down to failing to do very basic things like adequate input validation/filtering, which leaves you open to SQL injection, XSS attacks and all manner of other nastiness. Expecting perfect code for simple things like web apps is unreasonable. On the other hand, if we can educate more programmers on basic techniques for handling these very common sorts of errors then things will undoubtedly improve significantly on the security front. Ultimately we are moving toward software assurance, where developers provide certain assurances about their software to let clients know what they can expect. It's not a matter of assuring perfection, it's being able to state clearly what aspects you can be confident of. Being able to say that all user input gets filtered through a specific validation and filtering function, for instance, is an example of assurance. That doesn't mean the filtering function is perfect, but guaranteeing that all input goes through it is a start - if you want to provide assurance of stronger security then you might provide assurances as to what types of attacks the filtering function will prevent, and so on. As security becomes more important, providing such assurance offers in contracts will be increasingly valuable.
    • ". . . a ridiculously large amount of security flaws in web applications come down to failing to do very basic things . . . [I]f we can educate more programmers on basic techniques for handling these very common sorts of errors then things will undoubtedly improve significantly on the security front."

      The problem I see with these types of certification is that, much like other certifications, they don't really teach you the underlying purposes of a lot of things. I mean, how different is securing a system bu
  • Security is a very fast paced field with new exploits coming out all the time. Are we going to require a refresher class every couple months to keep this cert?

    I really think that things like this, although well intentioned and not a bad idea, will lull corps into a false sense of security (no pun intended ;)) making it counterproductive in the long run. People are lazy after all and I know for a fact that only a handful of people I graduated with are keeping their knowledge up to date.

    So, I predict in th
  • Not impressed (Score:5, Interesting)

    by Anonymous Coward on Thursday March 29, 2007 @11:49AM (#18530047)
    I took the sample "C/C++" exam, making a point to respond quickly and not to consult any references (something I'd never do when actually programming) and I have to say I was singularly unimpressed. The emphasis wasn't on trying to teach good programming practices but rather on trying to fool the person taking the exam with tricky questions that have little if any relevance in actual programming.

    For example, one question was basically making the point that sizeof is a compile time thing that cannot be used to, say, determine the size of a string buffer passed through a char * parameter. But rather than present the question in a straightforward fashion, they had this business of dividing one sizeof value by another - completely unnecessary and confusing. I got the question right but I could just as easily have missed it because of the unnecessary complexity and still understood the underlying concept.

    One I did miss (I got 8 out of 10 right, I think) was one about how to declare a pointer to an array of constant strings. The question was phrased so awkwardly that I got confused as to what they actually wanted and gave the wrong answer even though I know how to get the effect they want.

    I was also unimpressed that there was no feedback given as to why a given answer was correct or incorrect. No feedback is arguably fine if the intent is purely to assess skill levels, but the stated intent is that this "will help programmers learn what they don't know". You can't do that unless you also explain why a given answer is wrong. Perhaps this is merely an artifact of the sample exams, but if so the samples aren't very interesting.

    If this sample exam is in any way representative I think there's a lot more work to be done before this will actually be useful.

    • I agree. They have BrainBench syndrome: they take it upon themselves to judge others, yet clearly don't understand much of the subject themselves. You can tell this from the way the "C/C++" exam (as if security concerns are even close to the same in those two languages) focusses pretty much entirely on C library functions that most security-conscious programmers would avoid entirely, with a random concurrency question at the end. Strangely, it doesn't even reference ideas like using containers rather than r

    • by curunir ( 98273 ) *
      The Java test is also similarly flawed. I got all but one of the questions right, but for most of the ones that asked the right way, the real answer should have been "none of the above". For instance, they asked one question about preventing a user from embedding their session id in a link sent via email that is then sent to the victim who clicks on it and then logs in, thereby giving access to the client that initialized the session. Their best answer (and the one they considered correct) was to establish
      • by tpv ( 155309 )
        I agree.

        I got 8/10 on the java test, because I refused to say "always do input validation on the middle tier". Blanket rules like that are
        (a) wrong
        (b) dangerous
        (c) short-sighted
        (d) all of the above
        Even the ones I got right, in very few cases did I think the question was sensible or well considered.
        The question about errors vs exceptions is just plain wrong, and their filters questions is arguably wrong also.

        I'd give them about a 3/10.

    • Not that I disagree in general, but that sizeof idiom is one I use all the time to compute the number of elements in an array. The point of the question is that this doesn't work for arrays passed as arguments to a function.
      • You said it. I'm surprised by how many C/C++ programmers don't know that is the correct way to keep track of the size of an array. I frequently use the following in programs I write: #define NUM_ELEMENTS(x) (sizeof(x)/sizeof(x[0])) Although, how many programmers know this trick, but mistakenly try it when x is a pointer instead of an array?
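An added example (not from any commenter) that puts the two threads above together: the NUM_ELEMENTS idiom gives the right count on a real array and a silently wrong one once the array has decayed to a pointer inside a function, and tpv's "always do B" argument is illustrated by a copy routine whose capacity is a mandatory parameter rather than a separate check that can be forgotten. The function names and the sample input are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Element count of a true array (the idiom from the comment above). */
#define NUM_ELEMENTS(x) (sizeof(x) / sizeof((x)[0]))

/* The pitfall: inside a function, 'dst' is a char *, so the idiom's
 * arithmetic yields sizeof(char *) / sizeof(char), typically 8, whatever
 * the caller's buffer holds. Written out in two steps here only so the
 * compiler does not warn; NUM_ELEMENTS(dst) expands to the same division. */
size_t capacity_seen_by_callee(char *dst)
{
    size_t whole = sizeof(dst);      /* size of the pointer, not the array */
    size_t one   = sizeof(dst[0]);   /* 1 */
    return whole / one;
}

/* The "always do B" shape from tpv's comment: the capacity is a required
 * argument, so it cannot be forgotten the way a separate length check can.
 * Copies at most cap-1 bytes and always NUL-terminates.
 * Returns 1 if src fit, 0 if it was truncated (or cap was 0). */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    size_t n = len;
    if (cap == 0)
        return 0;
    if (n > cap - 1)
        n = cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n == len;
}

int main(void)
{
    char buf[16];
    /* constructed input, deliberately longer than buf */
    const char *long_input = "this string is longer than sixteen bytes";

    printf("caller sees %zu slots, callee's sizeof sees %zu\n",
           NUM_ELEMENTS(buf), capacity_seen_by_callee(buf));
    int fit = copy_bounded(buf, NUM_ELEMENTS(buf), long_input);
    printf("copied \"%s\" (fit=%d)\n", buf, fit);
    return 0;
}
```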
    • The emphasis wasn't on trying to teach good programming practices but rather on trying to fool the person taking the exam with tricky questions that have little if any relevance in actual programming.
      And this would make it different from any other certification test in what way?
    • by Atario ( 673917 )
      You've just described the problem with every assessment test out there, given by certification places or job interviewers or recruiters or anyone else. It's all to determine how well you handle trick questions and how much of a given reference work you've memorized. Not one bit about how well you can program or administer or whatever.
    • Oh, I hate those kind of things. With Java Blackbelt for example they ask if something compiles. You get 3 classes or something and they then ask what goes wrong. Then I have to see the strange compiler error within that somehow. Well, bugger that, my Eclipse environment will alert me on any compiler error long before I do any testing. What's the freakin' use? I'm too old to have to worry about trick questions, so I'll leave these particular tests where they are as well.
  • by HomelessInLaJolla ( 1026842 ) <sab93badger@yahoo.com> on Thursday March 29, 2007 @11:59AM (#18530169) Homepage Journal
    We may start to see where zero day exploits really originate (implication: within the mother company). We may begin to see how much personal information is truly being gathered (implication: as much as possible). We may realize how long illegal domestic wiretaps have really been going on (implication: at least as long as the technology has been available).

    In all actuality I see a certification like this to be good at heart to begin with but, give another five years, and it will become a method to ensure that programmers only make mistakes in predictable ways--and then everything will proceed as it currently is.
  • ... there is a buffer overflow vulnerability on question #9.

    -m
  • Vallllllllllldiiiiiiiisssssss!!!! The only person to post to more lists in one day than Gadi Evron!
  • From the title I thought they were talking about preventing cheating on online exams... Unfortunately, since they're not, I doubt we'll be able to take the secure programming exam online securely any time soon.
  • for secure programming. But that's not unusual. In fact that seems to be the Zeitgeist.

    Everybody speaks of secure programming but always in combination with unsuitable tools and programming languages.

    Reminds me a bit of the Addams Family. Remember the part where Gomez tries to make a huge loss of money. In the end he starts a venture in Chocolate-Diet - something he thinks will never work as chocolate is completely unsuitable for diet purposes and his hope is that people won't fall for such a stupid idea - he
