Secure coding

Groups team to test secure-coding skill
Robert Lemos, SecurityFocus 2007-03-28

A coalition of security companies and organizations announced a plan this week to create assessment tests that would certify programmers' knowledge of secure-coding practices.

"Most educational institutions have failed to teach the most fundamental skills in making secure products. There needs to be a revolution." Steve Christey, editor of the Common Vulnerabilities and Exposures (CVE) Project, MITRE

The groups, led by the SANS Institute, aim to create a set of four tests covering major programming languages that could give companies a tool to measure software developers' ability to create secure code. The tests would also give software buyers a gauge of the ability of the developers who created the programs, as well as give coders a way to identify gaps in their knowledge of secure programming techniques, said Alan Paller, director of research for the SANS Institute.

"If we are ever going to get ahead of the security problem, we are going to have to take care of the bugs at the development level," Paller said during a conference call with reporters. "There are at least a million and a half people writing programs, and they all need to know this stuff."

Dubbed the Secure Programming Skills Assessment (SPSA), the initiative boasts the support of 362 companies, government agencies and universities, according to the SANS Institute. Among the participants are government contractor MITRE, University of California at Davis, Web security firm SPI Dynamics, code auditing firm Fortify Software, the Open Web Application Security Project (OWASP), and consulting firm Booz Allen & Hamilton. Symantec, the owner of SecurityFocus, has also voiced support for the assessment tests.

The initiative comes as software companies are increasingly being taken to task for the flaws in their programs. Researchers have used month-long releases of daily bugs to highlight the security issues in particular classes of software, specific areas of the operating system and specific languages.

Different programming languages hold different pitfalls for programmers. Web applications written in the PHP programming language, for example, likely account for about 43 percent of the more than 8,000 vulnerabilities recorded in 2006. While developers using languages such as Java tend to create more secure code, a recent study found that sample programs provided with large Java-based projects still contain a significant number of bugs.

According to the SANS Institute, nearly 85 percent of all vulnerabilities are due to three common developer errors: missing input validation, buffer overflows and integer overflows.
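The three error classes named above tend to occur together: an unchecked size field from untrusted input overflows a multiplication, the resulting too-small allocation is then overrun by a copy. The following C code is an added illustration, not from the article or from SANS, showing the defensive checks that break that chain: a checked multiply, a strict parser for an untrusted count field, and a bounded copy that refuses to proceed when the arithmetic fails. Function names (`checked_mul_size`, `parse_count`, `copy_records`) and the sample record buffer are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Integer-overflow class: a naive "count * rec_size" can wrap around to a
 * small value, so malloc() returns far less memory than the copy needs.
 * This helper refuses to wrap and reports failure instead. */
bool checked_mul_size(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return false;   /* product would exceed SIZE_MAX */
    *out = a * b;
    return true;
}

/* Input-validation class: parse an untrusted decimal count field strictly.
 * Rejects empty input, any non-digit (including '+'/'-' and whitespace),
 * values that would overflow size_t, and values above a caller-set policy limit. */
bool parse_count(const char *s, size_t max_allowed, size_t *out) {
    if (s == NULL || *s == '\0') return false;
    size_t v = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p < '0' || *p > '9') return false;
        size_t d = (size_t)(*p - '0');
        if (v > (SIZE_MAX - d) / 10) return false;  /* v*10 + d would overflow */
        v = v * 10 + d;
        if (v > max_allowed) return false;          /* policy limit, not just arithmetic */
    }
    *out = v;
    return true;
}

/* Buffer-overflow class: copy n records of rec_size bytes into a fresh buffer.
 * The copy length is derived only from the checked product, so an overflow in
 * the size computation can never produce an undersized destination.
 * Returns NULL (and leaves *out_len untouched) on arithmetic or allocation failure. */
unsigned char *copy_records(const unsigned char *src, size_t n, size_t rec_size,
                            size_t *out_len) {
    size_t total;
    if (!checked_mul_size(n, rec_size, &total)) return NULL;
    unsigned char *buf = malloc(total == 0 ? 1 : total); /* avoid malloc(0) ambiguity */
    if (buf == NULL) return NULL;
    memcpy(buf, src, total);
    *out_len = total;
    return buf;
}

int main(void) {
    /* Constructed sample: two 3-byte records. */
    const unsigned char records[6] = {1, 2, 3, 4, 5, 6};
    size_t count = 0, len = 0;

    /* Well-formed count field within policy. */
    if (parse_count("2", 1000, &count)) {
        unsigned char *copy = copy_records(records, count, 3, &len);
        printf("copied %zu bytes\n", len);
        free(copy);
    }
    /* Hostile count field: huge value rejected before any arithmetic. */
    printf("parse huge: %s\n", parse_count("99999999999999999999999", 1000, &count) ? "accepted" : "rejected");
    /* Product that would wrap: refused rather than silently undersized. */
    printf("mul wrap: %s\n", copy_records(records, SIZE_MAX, 2, &len) == NULL ? "refused" : "allowed");
    return 0;
}
```

The design choice worth noting is that every failure is reported to the caller rather than clamped or silently wrapped; a count that is rejected at parse time never reaches the allocator, and a product that cannot be represented never reaches memcpy.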


Full article at: Groups team to test secure-coding skill (SecurityFocus)