New secure coding standard for Java in draft
A new standard for secure programming in Java (PDF) has been submitted for public comment by the Secure Programming Council, a consortium of corporates under the aegis of the SANS Institute. It is designed "to enable organizations to ensure that the developers who write their applications can demonstrate that they have mastered secure programming."
The coverage is broad, including secure architectures, encryption, data handling, authentication, session management and authorisation, plus language-specific techniques. However, the requirements are couched in remarkably loose terms: programmers must "understand", "recognise", "know how to use", "be familiar with", and so on. It is difficult to see how these generalities "measure" essential skills.
So it is obvious, that this comprehensive list needs to be complemented by a set of tests that measure capablities in those skills. The SANS instutute offers this kind of test in its GIAC Secure Software Programmer (GSSP) Certification Exam. Examples that also cover C are presented by the Software Security Institute. Equivalent coverage of C/C++, .Net, Perl and PHP is planned for the near future.
- Essential Skills for Secure Programmers Using Java/ JavaEE (PDF) Draft standard for comment