Security group launches certification for software development

For years, security experts have repeated the mantra that information system protections should not be tacked on at the end of the development process. Security must be built into the way software codes are written.

But there is often a natural tension between security concerns and the priorities of software developers, who are looking to create applications that accomplish specific tasks and do it on time and on budget, said W. Hord Tipton, executive director of the International Information Systems Security Certification Consortium.

That tension led his organization to develop a new certification designed to validate secure software development practices and expertise, called the Certified Secure Software Lifecycle Professional.

The certification's aim is to establish best practices and validate an individual's competency to address security issues throughout the software development process.

The exam covers subject areas that include the software life cycle, vulnerabilities, risk, information security fundamentals and compliance. Candidates must have four years of professional experience in the software life cycle process or three years of experience and a bachelor's degree (or regional equivalent) in an information technology discipline.

The seven domains of the certification are:

• Secure software concepts.
  
• Secure software requirements.
  
• Secure software design.
  
• Secure software implementation/coding.
  
• Secure software testing.
  
• Software acceptance.
  
• Software deployment, operations, maintenance and disposal.