

  • Number of slides: 14

The Secure Programming Skills Assessment (SPSA) Initiative

6th OWASP AppSec Conference, Milan - May 2007
Dave Wichers, OWASP Conferences Chair
COO, Aspect Security
dave.wichers@aspectsecurity.com
443 745-6268

Copyright © 2007 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation
http://www.owasp.org/

Introduction

• Wouldn’t it be nice if we could measure the application security skills of

Who (or what) is SANS?

• The SANS (SysAdmin, Audit, Network, Security) Institute is

Secure Programming Skills Assessment (SPSA) - What is it?

• A battery of language specific

Example: Programming knowledge, not book learning

Consider the following program:

```c
#include <stdio.h>

void usage(char *ptCommand) {
    char usageInfo[1023];
    snprintf(usageInfo, 1023, "Usage: %s \n", ptCommand);
    printf(usageInfo);
}

int main(int argc, char *argv[]) {
    if (argc < 2) usage(argv[0]);
}
```

Q1. If in the above code argv[0] may be provided by a malicious user, what security problem can the code have?

A. Format string vulnerability
B. Out-of-bound array write
C. String null-termination error
D. String truncation

The candidate is asked to find the best answer, not the only right answer.

6th OWASP AppSec Conference – Milan – May 2007
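The best answer is A: the snprintf call itself is bounded, but the result, which carries the attacker-controlled argv[0], is then handed to printf as its format string, so any conversion specifications in the command name are interpreted rather than printed. The following C program is added here as an illustration; it is not part of the SPSA material or the slide. It places the slide's vulnerable pattern beside a fixed version and adds a small scanner, `count_conversions`, a hypothetical helper for this example, that counts the conversion specifications a string would trigger. Both variants write into a caller-supplied buffer with snprintf so the results can be compared. The hostile input "50%%off" is a constructed example chosen because "%%" is a valid conversion that consumes no arguments, so the re-interpretation is visible without the undefined behaviour that a "%x" or "%n" in argv[0] would cause.

```c
#include <stdio.h>
#include <string.h>

/* The slide's bug is that a formatted message is used as a printf FORMAT.
   Compilers warn about a non-literal format with no arguments; the pragmas
   only keep this deliberately vulnerable demo compiling. Do not copy them. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Vulnerable pattern from the slide, redirected into `out` via snprintf so
   the result can be inspected instead of printed. With ptCommand="%x%x%n"
   this would read the stack and write memory; that is undefined behaviour,
   so the demo only uses "%%", which is well-defined and still shows that the
   buffer is being re-parsed as a format string. */
static int usage_vulnerable(char *out, size_t outlen, const char *ptCommand) {
    char usageInfo[1023];
    snprintf(usageInfo, sizeof usageInfo, "Usage: %s \n", ptCommand);
    return snprintf(out, outlen, usageInfo);     /* BUG: data used as format */
}

/* Fixed pattern: the format is a string literal and the message is passed
   as an argument, so a '%' in argv[0] is just a character. */
static int usage_safe(char *out, size_t outlen, const char *ptCommand) {
    char usageInfo[1023];
    snprintf(usageInfo, sizeof usageInfo, "Usage: %s \n", ptCommand);
    return snprintf(out, outlen, "%s", usageInfo); /* constant format */
}

/* Hypothetical helper: counts the conversion specifications printf would
   act on if `s` were used as a format string ("%%" is a literal percent and
   is not counted). Useful as a review aid or a runtime guard on values that
   reach a non-literal format by mistake. */
static int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }      /* "%%" -> literal '%' */
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed inputs: a normal program name and a hostile one. */
    const char *benign = "spsa-demo";
    const char *hostile = "50%%off";
    char buf[256];

    usage_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable, benign : %s", buf);
    usage_vulnerable(buf, sizeof buf, hostile);
    printf("vulnerable, hostile: %s", buf);      /* "%%" collapsed to "%" */
    usage_safe(buf, sizeof buf, hostile);
    printf("safe, hostile      : %s", buf);      /* "%%" printed verbatim */

    printf("conversions in \"Usage: %%x%%n \\n\": %d\n",
           count_conversions("Usage: %x%n \n"));
    return 0;
}
```

The fix is the one-line change from `printf(usageInfo)` to `printf("%s", usageInfo)`; the scanner is there to make the difference measurable and to show what a reviewer (or a compiler flag such as -Wformat-security) is looking for.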

SPSA Goals - MEASURE and IMPROVE Secure Programming Skills

1. Allow employers to rate their programmers’ security skills
2. Help buyers to measure secure programming skills of suppliers
3. Allow programmers to identify their gaps
4. Allow employers to evaluate job candidates and consultants
5. Encourage universities to teach secure coding
6. Help individuals and organizations compare their skills to others

See: http://www.sans-ssi.org/#pgoals

How will the test be used?

More than 400 organizations polled in October 2006 said they will use the exams:

• 83.7% said: To identify our programmers’ secure programming gaps
• 62.1% said: To ensure consultants and vendors have security-skilled programmers
• 60.1% said: To evaluate programming candidates
• 57.4% said: To select people with skills for critical projects
• 44.1% said: To persuade universities to bake security into core programming courses
• 38.9% said: To compare our programmers to others in our industry
• To help give our customers confidence that we are delivering products that include code written by certified secure programmers

Who is building the tests?

• Randy Marchany, Ruiliang Chen, and Professor Jung Min Park of Virginia Tech
• Professor Matt Bishop of UC Davis, author of “Computer Security: Art and Science”
• Ed Tracy of Booz Allen Hamilton
• Steve Christey of MITRE, and editor of the CVE project
• Ryan Berg and Jack Danahy of Ounce Labs
• Professor James Walden of Northern Kentucky University
• Brian Chess and Eric Cabetas of Fortify Software
• Bryan Sullivan and a large team at SPI Dynamics
• Danny Allen and Karl Snider of Watchfire
• Andrew Van der Stock and Jeff Williams of Aspect Security and OWASP
• Mandeep Khera of Cenzic
• Johannes Ullrich of SANS Internet Storm Center and SANS Technology Institute
• Robert Seacord of CERT/CC and author of “Secure Coding in C and C++”
• Craig Richardson
• Christopher Telfer of Concurrent
• David Hoelzer of the SANS Institute
• Justin Schuh of Neohapsis and co-author of “The Art of Software Security Assessment”
• Peter Francois of Rockwell
• Amish Shah of Net-Square
• Monty MacDougal of Raytheon
• Dario Forte of DF Labs
• Marc Schoenfeld from Germany
• Johan Peeters, Independent, based in Belgium
• Amit Klein from Israel
• And forty-two others

How are they built?

• Identify the key vulnerabilities and the programming errors that caused them
• Draft rules that would have avoided them
• Group the rules into categories/tasks
• Rank the tasks on criticality, importance, and frequency to determine question counts
• Draft questions
• Vet questions
• Work with MITRE and the CWE program to keep them current

OWASP Participation in the SPSA

• SANS plans to sponsor a new $5K OWASP

How are the tests delivered?

• For certification: proctored three times a year, partnering with colleges around the world (pilot in August in Washington)
• For assessment in large organizations – the enterprise edition – online
• For assessment for all others – the open edition – online

See: http://www.sans-ssi.org/#deployment

How do we avoid disclosure? Thousands of questions, constantly changing.

How to participate?

• Help make the tests better
  • Blueprints
  • Questions
• University partners

Enterprise Partners

• Required
  • Help make the test better
  • Participate in the pilot

Where to find details

• Test Blueprints and Practice Tests, Top Three Errors, Press coverage,