Certifying Software Security Professionals: The CSSLP
Humans have been developing computer software for about 65 years now. We’ve come a very long way during that time, and many futurists expect we will see just as much technological advancement in the next 65 years. This amount of change will challenge even the best minds in computer science to keep up.
It can be hard to appreciate just how sophisticated computers have become. But consider this: In 1981, the most sophisticated spacecraft in the world was the U.S. Space Shuttle. The Space Shuttle could launch, orbit the Earth and land without human intervention. The first shuttles were able to accomplish this feat with 104Kb of RAM. Today, you’d be hard-pressed to find anything larger than a wristwatch with only 104Kb of RAM. An average cell phone has more than 2.5 billion bytes of RAM and processes data faster than many of the mainframes used in Mission Control in 1981. It won’t work in the harsh environment of space, but it will do just fine down here on Earth.
However, like the Space Shuttle, a cell phone would be an expensive brick without software. For that reason, reliable and secure software is an essential investment.
Why Software Security?
Until 1975, most programs were written, run and used in the same building. The idea of a computer virus was still science fiction in 1981 when IBM delivered the first PC. Security meant gates and guards, not firewalls and Web filters. During the past 30 years, the explosion in computing required that we change many of our approaches to computer security.
Early efforts at computer security were focused on providing a secure location for the computer. Then the tech community set about building tools that would enhance the security of a particular machine, such as a Web server or an accounting PC. Today, as software becomes more complex, the need for secure software is increasingly critical to software development organizations. That is why (ISC)2 — a certification body that specializes in information security — developed a new certification for software developers, called the Certified Secure Software Lifecycle Professional (CSSLP).
The CSSLP is one way to define a new standard for software development security. (ISC)2 felt the security of software was an important area to investigate. In the course of its research, (ISC)2 found a critical need for specialists in both security and software development and determined that creating a certification program would be the best way to enable widespread adoption of better development security standards.
What the Certification Addresses
When building secure software, it is necessary to address security throughout the life cycle, from concept through maintenance. Although many people might think a security bug is just another kind of coding bug, simply avoiding coding bugs won’t result in secure software. Every year, security flaws arise from incorrect security requirements or design. With more than 14 million software developers worldwide, modern software development organizations must be ready to implement an entire security development life cycle. They also must hire professionals who understand both the principles and practice of secure software development.
Studies sponsored by (ISC)2 have found that professionals who work every day in the field of software development often walk a fine line between profit and process. They must balance the mandate for high productivity with their professional commitment to producing high-quality systems. Those responsible for security must promote security best practices in organizations that often are driven by conflicting priorities. Upon examination, (ISC)2 concluded that these professionals would benefit professionally and financially from clear standards for secure software development and an industry standard recognition of their skills.
The CSSLP is intended for software life cycle professionals who are responsible for improving the security of software and those responsible for developing secure systems or application software. In providing certification opportunities to developers, (ISC)2 aims to establish a base level of professional skill for individuals who wish to pursue this area as a career path.
In a nutshell, the CSSLP is designed to:
- Establish minimum professional standards for a global audience of software developers.
- Provide a portable method for conveying and verifying professional qualifications.
- Encourage opportunities for all organizations to develop software development security capabilities by not tying certification to an enterprise or infrastructure.
- Support specialized areas of information security with critical needs.
Why Certify Individuals?
In the past, other organizations have attempted to certify development organizations or to provide third-party testing for systems. However, organizational certifications tended to localize the expertise to specific geographic or service communities. Moreover, those certifications actually slowed the spread of expertise, since an individual with certified skills might lose that certification by changing jobs.
With the advent of ubiquitous computing, it was necessary to address the need for a global community of professionals who could build skills and drive best practices within every enterprise. Moreover, experts thought a certification program might pave the way for wider acceptance of software certification. By providing an opportunity for professionals to become certified on independent criteria, (ISC)2 is hoping to raise the level of software security throughout the global IT community.
Additionally, rather than certifying only developers of security software (i.e., those who build firewalls and anti-malware programs), the CSSLP is targeted at people who improve the security of all software, including those who improve the security of general-purpose software and those who develop security tools. Subsequently, (ISC)2 believes this certification offers benefits to the software community at-large.
Certification Body of Knowledge
The field of software security is not easy to master, even on a good day. Just as a pathologist first must learn to become a doctor, a CSSLP-certified professional must learn how to develop software before understanding how it breaks and how to prevent those failures. They must then learn how other people will attack the software and how to prevent those attacks.
These multiple layers of expertise challenge even the best professionals, and as a result, deep dedication to the field is not uncommon. For this reason, the CSSLP CBK, a compendium of secure software development topics, might seem intimidating at first glance.
The CSSLP CBK covers all the stages of normal software development. Candidates must understand requirements, design, coding, testing, deployment, patching, maintenance and disposal. Further, they must learn the security functions associated with each of these stages in the software development life cycle (SDLC).
Additionally, candidates must know how to apply core information security concepts such as risk management, vulnerability assessment, auditing and legal issues. Finally, candidates will be required to show that they understand the mathematical models that represent the engineering foundation for secure software development. (ISC)2 expects that universities will begin to offer graduate degrees in software security as a way to prepare candidates for specialization in this field.
Common Standards of Certification
The CSSLP was designed from the ground up with American National Standards Institute (ANSI) standards in mind. Activities such as job-task analysis and exam-item writing were strictly supervised by (ISC)2 staff to meet ANSI standards. At the same time, the development process was run with an eye toward full globalization of the certification itself.
Today, (ISC)2 supports more than 60,000 certified information professionals in more than 130 countries. Many affiliates of (ISC)2 have operations across several continents. For these reasons, the certification process needed to be universal so certified professionals could move around the world and still know their expertise would be applicable to the local environment.
Software security is a critical element of computing today. Although the CSSLP is new, the pedigree of the organization has been upheld for more than 20 years, and the people behind this creation are confident it will play a positive role in computing for the next 65 years.
James E. Molini, CISSP, CSSLP, is a senior program manager at Microsoft, working in the Identity and Security Division. He has more than 22 years experience in the field of information security, including extensive experience in system and software security, intrusion detection and risk management. He can be reached at editor (at) certmag (dot) com.