Educause Security Discussion mailing list archives
Training and certification for web developers
From: Steven M Werby/FS/VCU <smwerby () VCU EDU>
Date: Thu, 7 May 2009 15:56:23 -0400
Do your institutions require your web developers to demonstrate their web applications security knowledge (and skills) in order to develop applications? If so, I'm interested in how this was done and what challenges have been encountered.

I inherited a standard which includes the following:

    Web application administrators must be certified using the certification process described below. Web application administrators are responsible for the security of the web applications and must ensure that web application programmers/developers under their supervision maintain a level of security expertise that includes up-to-date knowledge of web application security and techniques for secure web programming.

The now deprecated GIAC GWAS cert is mentioned as an approved option, as well as the SANS secure coding courses which don't have an associated certification.

I'm not currently enforcing this component of the standard. I haven't ruled anything out, so anything from mandatory internal training including a test to external training with 3rd-party certification is a possibility. We're a fairly large decentralized university, with "developers" ranging from trained IT professionals to non-IT graduate students hacking code they found through Google and don't understand.

Suggestions?

--
Steve Werby
Information Security Officer
Virginia Commonwealth University

VCU Information Security - http://infosecurity.vcu.edu/
Information Security News, Tips & More - http://www.twitter.com/vcuinfosec
Information Security Best Practices - http://infosecurity.vcu.edu/docs/information-security-best-practices.pdf