|Ever Increasing Need For Secure Programming|
|Written by Edward Jones|
|Monday, 05 October 2015|
As the scale and extent of cyber crime grows so does the need for developers who are trained and accredited in secure programming. We look at some of the options for gaining certification.
The Internet continues to offer cyber criminals new avenues of attack, free from physical and virtual borders. These attacks pose a continued and significant threat, not only to individual businesses and consumers, but to the economy as a whole. The predicted cost of cyber crime to the UK Government is now an estimated £27 billion in 2015. But this problem is global and no country is immune.
As cyber criminals continue to attack both Government and business systems alike, the need for secure programming has never been more important.
How secure programming prevents cyber crime
The Heartbleed bug provides perhaps the most serious and well-known example of why secure programming is such an essential technique in the modern day. Submitted in December 2011, but not discovered until April 2014, the bug left over half a million of the Internet’s secure web servers in the popular OpenSSL/TSL cryptographic software library exposed to attack for over two years, making the Heartbleed one of the worst internet flaws ever uncovered.
This simple programming error not only allowed anyone on the internet to access and read up to 64 kilobytes of server memory, but also the ability to perform the attack over and over again to keep accessing information while leaving no trace of any abnormal happenings. Attackers were able to eavesdrop on communications and steal data directly from millions of website. This included some of the world’s most popular sites including Google, YouTube, Yahoo!, Pinterest, Instagram, Wikipedia and the US Postal Service. Major gaming platforms were also affected, causing serious implications for users’ sensitive private data, including usernames, passwords and credit card information. The total estimated cost of the Heartbleed bug is US$500 million as a starting point, although evaluating the actual cost is difficult.
Secure programming is becoming an increasingly popular and fundamentally crucial practice in the modern day. There are a number of organisations offering accredited certifications whereby individuals are tested on their ability to develop defensible, high-quality code to prevent web application attacks and common programming errors by utilising their existing advanced secure programming skills.
Secure programming training and certification
The SANS Institute is one of the world’s most trusted providers and largest source for information security training and security certification. Amongst its vast portfolio of courses, is one which focuses specifically on Secure coding.
The SANS OnDemand Course DEV544: Secure Coding: Developing Defensible Applications course offers participants insight into the types of flaws that secure coding protects against, how the flaw might be exploited and then focus on how to correct that code. Intended for ASP.NET developers who want to build more secure web applications, NET framework developers, the course costs $4,150, which gives you 4 months access to online materials including
EC-Council, a global group of companies that specialize in information security training, education, certification, events and services, offers a range of advanced all-inclusive training programs such as the world-famous Certified Ethical Hacker (CEH), Computer Hacking Forensics (CHFI) and EC-Council Certified Security Analyst (ECSA).
It also awards EC-Council Certified Secure Programmer (ECSP) certification. There are two tracks focusing on the largest software frameworks, the ECSP JAVA and the ECSP .NET. Throughout the 3-day preparation course you’ll learn to code and develop highly secure software and web applications. You’ll learn to implement secure coding practices throughout the software life cycle when designing, implementing, and deploying of applications. In the 2-hour exam at the end of the course you’ll prove your ability to identify security flaws and implement security countermeasures to vastly improve the overall quality of applications.
Last but not least are the GSSP certifications from Global Information Assurance Certifications (GIAC). Two GIAC Secure Software Programmer exams, GSSP-.NET and GSSP-JAVA, test the skills and abilities to write secure code and recognize security shortcomings in existing code in .NET and Java respectively.
In addition there is GIAC Certified Web Application Defender,GWEB, allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common web application errors that lead to most security problems.
Unlike the EC-Council exams, no specific training is required for any GIAC certification. Practical experience is an option although there are also books and training courses to help candidates prepare. In order to gain accreditation, candidates must master a range of security knowledge and skills required to eradicate common programming errors which lead to most security problems. Passing the exam proves you have the knowledge, skills, and abilities to write secure code and recognise security shortcomings in existing code. GIAC holders are highly sought after by government, military and other top organisations.
Achieving just one of these certifications will help your organisation and applications become more secure. But there is still more that needs to be done. Even the most basic programming errors can have devastating impacts on programme systems, as we’ve seen with the Heartbleed bug and more recently with the Android vulnerability, StageFright. Both of these digital imperfections lay unnoticed for some time leading to a suggestion that future research could focus on developing systems that are able to identify these fatal flaws more quickly than has been done in the past, as well as continuing to develop and improve secure programming techniques.
As Cyber Crime grows in complexity and precedence, it is vital that the systems that stand to protect against it also become more complex and forthcoming.
To be informed about new articles on I Programmer, subscribe to the RSS feed, follow us on, Twitter, Facebook, Google+ or Linkedin, or sign up for our weekly newsletter.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Monday, 05 October 2015 )|