The CodeGuard Blog

No, this is not the beginning – or the end.  However, it really is the end of the beginning.

After more than 35 years of industry research and more than two years of development, we are finally beginning to see software security emerge as a distinct profession.  This is very cool.  The newest manifestation of growth in software security is a professional certification called the Certified Secure Software Lifecycle Professional, or CSSLP.  It’s being offered by (ISC)², a name that many people already know.  I’m a member of the (ISC) ² Advisory Board of the Americas and they list me as a primary architect of the cert.

Don’t get me wrong.  We didn’t invent the concept of software security.  The credit for that goes back to the early 1970s (more here).  But now, there is a real, independent organization that will test and certify your skills as a software lifecycle security professional.  If you don’t know what I’m talking about, here’s the 101.

(ISC)² has been certifying the professional qualifications of information security people for almost 20 years.  The Certified Information Systems Security Professional (CISSP) certification is the most common internationally recognized cert for people who specialize in computer security work.  Now they have released the CSSLP for people who specialize in software security.

Big Deal.  Right?  No, really.  This is important.  I know that a lot of people will be skeptical about this whole thing, but it’s time to finally recognize the people who know how to make software more secure.  A lot of people go through life every day doing the job of “security guy” on a software project, but they get no tangible recognition for their specialized skills. If you are one of those people, you might wonder if you really know enough to be considered a “professional.”  Now, you can see what other experts in the field say about software security.  You can test your skills against a common body of knowledge.  If you want, you can get certified.  This also means that your employer will have tangible proof that you measure up with other experts in this field.  In this game, everyone wins.

That’s why I say that this is the end of the beginning.  From now on, if you do security in a software house, you can measure your skills against a standard.  If you talk to people about the development of secure software, you can verify your advice against the standards established for the industry.  If you test the security of applications, you can measure your own development against a professional standard.  Last year anybody could claim to be a software security expert.  Now we have a measuring stick.  It’s not perfect.  Nothing is at this early date in the lifecycle. But it’s a start.

If you work in the field of software development, this is also an opportunity for you to get recognized.  In fact, this is one of the primary reasons behind all of the work.  We (the volunteers behind the CSSLP) want you to be recognized for all the hard work you do. It’s not easy being the security guy.  You have to learn software skills and then learn security on top of all that.  You have to influence people to do extra work to avoid problems that might never occur.  However, you also have to keep the project on schedule and under budget.  All of this takes a special skill and you should be recognized for that skill.

At the same time, software security is a journey, not a destination.  So this blog is intended to help you navigate the professional hurdles you will face in your journey and to get you thinking.

Software security is still new.  The best techniques are still being imagined.  If you do this for a living, you certainly know that there is plenty of room for improvement.  Let’s start figuring it out now and move the industry along with us.  Good luck in your career and write to me if you have ideas about what I should discuss in a future post of the CodeGuard Blog.

Jim Molini, CISSP, CSSLP