VSJ – September 2007 – Work in Progress

Alan Paller, Director of Research at the SANS Institute, discusses its recently announced Secure Software Institute with Robin Jones.

Robin Jones: I think most people in the IT business know the SANS name. But I’d be less sure that they’re all familiar with the Institute’s background, philosophy, aims and so on. So perhaps you could start by introducing it with a brief history.

Alan Paller: SANS is primarily an educational institution – in fact in 2005 we were licensed to grant Master of Science degrees by the state of Maryland. We provide the very advanced technical security training needed by the FBI and other law enforcement people, DoD, NSA, and other government agencies, major banks, and thousands of other organizations in 60 countries. More than 66,000 people have taken immersion training courses from SANS. But no training can keep up with the rapidly mutating threat picture, so we run a major research program to keep our alumni current on the newest attack patterns and defences. For example, we operate the Internet Storm Centre – the early warning system for the Internet – and publish the definitive weekly summary of all newly discovered vulnerabilities. We started in 1989 with a few courses on UNIX security and now have more than 56 different courses ranging from forensics to auditing to Windows and wireless security to hacker exploits.

RJ: So the Secure Software Institute, whose UK launch you held last May, represents a natural progression?

AP: It’s really a way of helping the most important element of the IT industry – the programmers – make the security problems less difficult. So it’s a new audience for us, but a natural progression of problem solving. Many programmers never thought that malicious people might try to damage their programs. Once they discover how many are trying to do exactly that, they are clamouring for help. SSI was set up to provide that help.

RJ: What do you see as the main goals of the SSI?

AP: Actually 360 organizations (from ABN-AMRO to Siemens to Intel to Tata) have answered that question for us. Here are the top five reasons they gave for agreeing to help us build the SSI:

  • To identify where our programmers have secure programming knowledge weaknesses.
  • To teach our programmers the secure coding rules they do not already know.
  • To ensure our software vendors and consultants have programmers with solid secure programming skills.
  • To evaluate candidates being interviewed for programming positions.
  • To select people for critical projects so we can be sure they have the secure programming skills needed.
  • To provide strong incentives to colleges and universities to ensure potential programmers do not graduate without mastering secure programming skills.

RJ: How do you plan to help achieve these goals in the programming community at large?

AP: Step one is to build a series of blueprints and examinations – one in each major programming language (C, C++, Java, Perl, PHP, .NET). The blueprints are industry-wide consensus documents showing the key rules that secure programmers apply to their code. The exams (or Secure Programming Skills Assessments – SPSAs) are code-based tests that enable programmers to assess which of the rules they can apply effectively in real-world situations. All of the goals can be met if the blueprints are right and the tests are widely available and trusted. So that’s what we will try to do.

RJ: How have you gone about identifying the components to be tested in a SPSA?

AP: We have gathered the people who know the field better than anyone else and through extraordinary effort brought them to consensus. That includes OWASP and all the vendors of secure code scanning tools and the people who wrote the major books and the people who do in-depth code assessment from DoD and many more. Then we opened their consensus up to public scrutiny for two months. These blueprints are extraordinarily well targeted on the specific flaws that cause most of the problems and yet cover the remaining rules quite thoroughly.

RJ: I understand you’ve already piloted SPSAs with a number of organisations. How have these pilots been received?

AP: The fascinating results were that the programmers enthusiastically adopted them and wouldn’t quit even when time was up – saying, “we want to know what we don’t know.” In the eighteen years I have been involved in security I have never before seen a new initiative with fewer critics. It’s amazing to us how many people and organizations have been waiting for these assessments.

RJ: Have they led to any major changes in SPSA design?

AP: The reviews have led to huge changes – separating C and C++ into two exams, changing the test questions to have longer code snippets and multiple questions, getting rid of ambiguity – things like that.

RJ: The IAP is always keen to add value for its members. Can SANS offer any discount to IAP members?

AP: We can co-sponsor test administration in ways that substantially reduce the costs for the participants.

Find out more from John Fitzgerald, Director of EMEA Programmes, the SANS Institute, on 020 8 090 4688 or email jfitzgerald@sans.org. John tells us he will offer IAP members a 10% discount on each SPSA taken.

[Interesting project or development? Let us know at eo@iap.org.uk!]