(ISC)2(R) Launches Security Certification to Reduce Application Vulnerabilities
Certified Secure Software Lifecycle Professional (CSSLP) Validates Security Knowledge; Supporting Global Organizations Include Microsoft, Symantec and Cisco
HONG KONG, 30 September 2008 -- Sept. 26 /Xinhua-PRNewswire/ -- (ISC)2(R) ("ISC-squared"), the not-for-profit global leader in educating and certifying information security professionals throughout their careers, today announced preparations for a new certification designed to validate secure software development practices and expertise to address the increasing number of application vulnerabilities.
The Certified Secure Software Lifecycle Professional (CSSLP) aims to stem the proliferation of security vulnerabilities resulting from insufficient development processes by establishing best practices and validating an individual's competency in addressing security issues throughout the software lifecycle (SLC). It takes a holistic approach to software security. Code-language neutral, it will be applicable to anyone involved in the SLC, including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers.
"Over 70 percent of security vulnerabilities exist at the application layer*, presenting a significant, immediate threat to users worldwide," said Howard A. Schmidt, CISSP, (ISC)2 board member and newly appointed president of the Information Security Forum (ISF). "All too often, security is bolted on at the end of the SLC as a response to a threat or after an exposure."
"The time to act is now, because new applications that lack basic security controls are being developed every day, and thousands of existing vulnerabilities are being ignored," Schmidt said.
"Unsecured software is not only a danger to the enterprise, it can cause higher production costs and delays for the software developer, and require additional staff for the end-user as well," said W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, executive director for (ISC)2. "The CSSLP will be a key component in better critical infrastructure protection, reducing the risk of software malpractice suits, and enabling stricter adherence to industry and government regulations."
A wide range of respected organizations have expressed their support for the CSSLP, including: Microsoft, Symantec, BASDA, DSCI (NASSCOM), SANS, SRA International, Software Assurance Forum for Excellence in Code (SAFECode), Cisco, Xerox, ISSA, and Frost & Sullivan. Several of these organizations are sending their qualified software staff through the education and examination process. Statements from supporting organizations include:
"To better protect customers from evolving threats, the software community must come together and incorporate security earlier in the software development lifecycle. Microsoft strongly supports industry efforts to train and certify developers in security, especially those in organizations with limited resources. Along with executive commitment, tooling, and state-of-the-art processes, certification and training are critical parts of secure development."
-- Steven B. Lipner, senior director of security engineering strategy at Microsoft
"In the wake of unforeseen challenges of data security and privacy, Data Security Council of India welcomes (ISC)2's initiative in addressing security issues throughout the SLC. We recognize (ISC)2 CSSLP as a proactive way in realizing the need for a process-oriented and vendor-neutral international professional security certification targeted at key influencers in the SLC process. It is also the right solution for software vendors looking to provide superior quality deliverables to their clients by following international and stringent internal security compliance policies."
-- Dr. Kamlesh Bajaj, CEO of Data Security Council of India (DSCI), an initiative set up by NASSCOM
"As the global dependence on information and communications technology has grown, users have become increasingly concerned over the security of software, especially those in the government, critical infrastructure and enterprise sectors. By offering software professionals a means to increase and validate their knowledge of best practices in securing applications throughout the development lifecycle, (ISC)2's CSSLP is helping the industry take an important step forward in addressing the 'people' part of the solution."
-- Paul Kurtz, executive director, SAFECode
"Organized crime groups have sharpened the focus and increased the frequency of their attacks against applications, making application software security a top priority for protecting sensitive information. We commend (ISC)2 for shining a bright light on this critical problem through their new CSSLP certification. CSSLP complements the SANS Institute's GIAC Secure Software Programmer (GSSP) certification that tests developers' secure coding skills."
-- Alan Paller, director of research for SANS
Subject areas covered by the CSSLP exam will include the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance. Candidates must demonstrate four years of professional experience in the SLC process or three years of experience and a bachelor's degree (or regional equivalent) in an IT discipline.
The seven domains of the CSSLP CBK(R), a compendium of secure software topics, are:
-- Secure Software Concepts
-- Secure Software Requirements
-- Secure Software Design
-- Secure Software Implementation/Coding
-- Secure Software Testing
-- Software Acceptance
-- Software Deployment, Operations, Maintenance and Disposal
Tipton added, "The CSSLP ensures that our first line of defense in this war -- people -- have the tools and knowledge to implement and enforce security throughout the software lifecycle."
The first CSSLP exam is scheduled for the end of June in 2009. Currently, (ISC)2 is seeking qualified professionals who meet experience and other requirements to participate in the assessment. They will become the first CSSLP holders and be asked to contribute to the exam development process and assist in other program development tasks. Applications for the CSSLP experience assessment will be accepted from Sept. 25, 2008 (US Time) through March 31, 2009, with the first education seminars slated for Q1 2009. For more information and to register for the experience assessment, visit: http://www.isc2.org/CSSLP .
(C) 2008, (ISC)2 Inc. (ISC)2, CISSP, ISSAP, ISSMP, ISSEP, and CAP, SSCP and CBK are registered marks of (ISC)2, Inc.
* Source: Gartner Group, 2005
SOURCE (ISC)2 Asia-Pacific
# # #
About (ISC)2
The International Information Systems Security Certification Consortium, Inc. [(ISC)2(R)] is the globally recognized Gold Standard for certifying information security professionals. Founded in 1989, (ISC)2 has certified over 60,000 information security professionals in more than 130 countries. Based in Palm Harbor, Florida, USA, with offices in Washington, D.C., London, Hong Kong and Tokyo, (ISC)2 issues the Certified Information Systems Security Professional (CISSP(R)) and related concentrations, Certification and Accreditation Professional (CAP(R)), and Systems Security Certified Practitioner (SSCP(R)) credentials to those meeting necessary competency requirements. (ISC)2 certifications are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)2 also offers a continuing professional education program, a portfolio of education products and services based upon (ISC)2's CBK(R), a compendium of information security topics, and is responsible for the (ISC)2 Global Information Security Workforce Study. More information is available at http://www.isc2.org .
Media Contacts: Kitty Chung
(ISC)2 Asia-Pacific
Tel: +852-3520-4001
Email:
Submitted by Xinhua PR Newswire, Xinhua PR Newswire on Tuesday, 30 September 2008 at 4:35 PM
Category: Consumer Technology