Application vulnerability ranked as key threat by 72% of IT security professionals

Patching the holes: a recent (ISC)² survey shows that application vulnerability was ranked as the number one threat by more than 72% of IT security professionals

The report – the 2011 '(ISC)² Global Information Workforce Study', which was based on 10,000 responses – found that, with attackers focusing their efforts on the application layer to steal corporate data, there is a rising interest among professionals to develop skills in secure software development.

In parallel with the research, the security association has revealed that more than 1,000 professionals from over 44 countries now hold its CSSLP – Certified Secure Software Lifecycle Professional – which it says is the only code-language-neutral certification that validates that professionals are qualified and capable of incorporating security into each phase of the software development lifecycle.

As if this were not enough, the association says there is a growing interest from software security leaders in the industry to help tackle the skills gap in secure software development.

Five security experts from distinguished organizations – including ArcelorMittal, the Open Web Application Security Project (OWASP), Express Certifications and MITRE – have now joined (ISC)²'s Application Security Advisory Board that was formed last year to create awareness of insecure software development and devise measures to overcome the challenge.

According to (ISC)², individuals holding the CSSLP certification are professionals with at least four years of industry experience and a thorough understanding of how to break away from the 'penetrate and patch' testing approach, reduce production costs, vulnerabilities and delivery delays, reduce loss of revenue and reputation due to a breach resulting from insecure software, and ensure compliance with government or industry regulations.

According to Cassio Goldschmidt, CSSLP, a senior manager for product security at Symantec and SAFECode member, the CSSLP certification was introduced three years ago to build a qualified workforce of software security professionals that can address the number one threat vector today: application security threats.

“CSSLP certification ensures that our team understands how to include security throughout the development lifecycle, from conception to design, development and maintenance through disposal. Developing secure software is critical to defending against so many of today’s security threats”, he said.

W. Hord Tipton, CISSP-ISSEP, CAP, CISA, (ISC)²'s executive director, meanwhile said that professionals across the world are lining up to validate their skills in secure software lifecycle development.

“This is proof of the growing need to overcome application vulnerabilities. The data from our 2011 [report] shows an industry that is insecure and in need of investment, education and a change of habit. Through the CSSLP, we are preparing everyone involved in the software development lifecycle with an understanding of and appreciation for security fundamentals so that we can eliminate software as attackers’ favorite port of entry”, he said.
