New security qualification focuses on lifecycle management

Some of the world's leading IT suppliers and end users have joined together to create a new certification process for application lifecycle security.

The (ISC)2 not-for-profit security organisation has won the backing of Microsoft, Symantec, Cisco, BASDA (Business Application Software Developers' Association), SANS, UBS Investment Bank and others for the launch of the Certified Secure Software Lifecycle Professional (CSSLP) qualification.

CSSLP certification aims to roll back the proliferation of security vulnerabilities that result from poor development processes. It does so by establishing best practices and by validating an individual's competency in addressing security issues throughout the software lifecycle, rather than only at the end of it.

The qualification will be applicable to anyone involved in the software lifecycle, including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers.

“Over 70 percent of security vulnerabilities exist at the application layer*, presenting a significant, immediate threat to users worldwide. All too often, security is bolted on at the end of the software lifecycle as a response to a threat or after an exposure,” said Howard A. Schmidt, CISSP, (ISC)² board member and newly appointed president of the Information Security Forum (ISF).

“The time to act is now, because new applications that lack basic security controls are being developed every day, and thousands of existing vulnerabilities are being ignored.”

Alessandro Morretti, from UBS Investment Bank's IT Security Risk Management group, said: "UBS adheres to the highest standards of information security. We have implemented strategic application security initiatives encompassing the latest information security techniques for secure application development.

“An effort to develop professional credentials to address this need is a welcome addition to the technical field of information security with promise of long term benefits for professionals and organisations alike."

Subject areas covered by the CSSLP exam will include the software lifecycle, vulnerabilities, risk, information security fundamentals and compliance. Candidates must demonstrate four years of professional experience in the software lifecycle process, or three years of experience plus a bachelor's degree (or regional equivalent) in an IT discipline.

The seven domains of the CSSLP CBK®, a compendium of secure software topics, are:

  • Secure Software Concepts
  • Secure Software Requirements
  • Secure Software Design
  • Secure Software Implementation/Coding
  • Secure Software Testing
  • Software Acceptance
  • Software Deployment, Operations, Maintenance and Disposal

The first CSSLP exam is planned for June 2009, and (ISC)2 is seeking qualified professionals who meet the experience and other requirements to take part in the assessment.
