Six awesome certs to help you lock down unsecured apps


Security incidents have dominated the headlines for the past few months. Home Depot, SnapChat and Kickstarter are among the many famous brand names that suffered high profile, embarrassing breaches of customer information. Companies around the world are now taking this opportunity to review their security programs and ensure they have adequate measures in place to prevent becoming the next headline.


The common theme throughout all of these incidents is that each company operates a complex application infrastructure that may have provided hackers a gateway into sensitive customer information. Home Depot uses a point-of-sale application to process transactions at thousands of cash registers throughout the country. SnapChat operates a mobile application that allows the "temporary" sharing of pictures between end users. Kickstarter operates a web-based application facilitating payments for crowd-funded business ventures.


This proliferation of applications leads to demand for security professionals who are highly skilled in the art of software security. IT staffers seeking to advance their careers can take advantage of a variety of application security certifications to help build their resumes and open new opportunities. In this article, we examine six of the best certifications available for those seeking to build a career in application security.


Certified Secure Software Lifecycle Professional (CSSLP)


The International Information Systems Security Certification Consortium, better known as (ISC)², is perhaps the most widely recognized security certifying body. Its CISSP credential is widely considered the gold standard certification for IT security practitioners. The group's CSSLP certification is less well-known but carries comparable weight among software security professionals. The CSSLP program offers a well-rounded overview of software security, covering eight specific domains:


  • Secure software concepts
  • Secure software requirements
  • Secure software design
  • Secure software implementation/coding
  • Secure software testing
  • Software acceptance
  • Software deployment, operations, maintenance and disposal
  • Supply chain and software acquisition


The curriculum spans all types of software applications, including traditional client/server apps, mobile apps and web applications.


Individuals seeking CSSLP certification must clear two hurdles. First, they must pass a lengthy examination consisting of 175 multiple choice questions covering the eight CSSLP domains. Second, they must have at least four years of experience working in one or more of the eight domains. It is possible to substitute a four-year degree in computer science or a related field for one year of experience. Individuals without the necessary experience may take the exam and then have five years to complete the experience requirement.


GIAC Certified Web Application Defender (GWEB)


Credentials offered through the SANS Institute's Global Information Assurance Certification (GIAC) program are traditionally considered the "Master's degrees" of IT security certifications. GIAC offers narrowly focused, highly technical certifications for those who are experts in a particular security subfield. Web application security professionals with strong backgrounds may wish to consider earning GIAC's GWEB certification. Currently, only 322 individuals worldwide hold this elite certification, and their skills are in high demand.


The certification program focuses specifically on securing web applications against attack. GWEB candidates should have a strong background in detecting and preventing common web security flaws, including SQL injection, cross-site scripting and cross-site request forgery. Candidates must also demonstrate mastery of other areas of web application security, such as authentication and authorization, session management and input validation.


Earning the GWEB certification requires passing a single 75 question examination available through Pearson VUE proctored examination sites. Students have 3 hours to complete the exam and must achieve a score of 68% to pass.


GIAC Secure Software Programmer (GSSP)


While the GWEB certification focuses specifically on web applications, GIAC also offers certifications focused on traditional software developers. The Secure Software Programmer program consists of two credentials – the GSSP-JAVA credential for Java programmers and the GSSP-.NET credential for Microsoft .NET platform developers. These credentials are useful for a wide range of application professionals with security responsibilities, including developers, penetration testers and quality assurance staff.


The range of topics covered by the GSSP program includes securing the software development lifecycle, exception handling, authentication and authorization, data validation, encryption, and common attacks. The exams for both GSSP certifications are 75 question tests administered electronically through Pearson VUE. Students have three hours to complete either exam. GSSP-JAVA candidates must achieve a passing score of 73.3% while GSSP-.NET candidates must answer at least 66% of questions correctly.


Certified Application Security Specialist (CASS)


The Information Assurance Certification Review Board (IACRB) offers the CASS credential designed to assess an individual's ability to develop and evaluate secure applications. Unlike the language-specific GSSP credential, the CASS curriculum includes coverage of many different languages and technologies. Successful candidates must demonstrate a mastery of security issues surrounding the development of applications with .NET, Java, SQL Server, Oracle, AJAX and a variety of other technologies.


Unlike the other credentials covered here, CASS is not available through a computer-based testing network. There are three options for taking the exam. Many students sit for the proctored exam offered at the end of an on-site training course. Candidates who do not take such a course may instead take the exam online through their employer. Those who fit neither of these criteria must sit for the public exam at one of the IACRB testing centers in Virginia, Texas, Illinois, California or Nevada. Whichever route they choose, candidates must complete both a multiple-choice examination and a hands-on practical exam before being awarded the CASS credential.


Certified Ethical Hacker (CEH)


While not a pure application security credential, the CEH program offers application security professionals the ability to demonstrate their skills in a wide range of attack mechanisms. Many of the topics on the exam center around application security topics, including SQL injection, session hijacking, and buffer overflows. The CEH credential complements these with other security topics, including malware, reconnaissance, network hacking and cryptography. This credential is an excellent opportunity for someone seeking a career as a penetration tester with application security responsibilities.


The CEH exam consists of 125 questions administered over a four-hour period. Candidates must answer 70% of the questions correctly to earn CEH certification. The exam is available through both Prometric and Pearson VUE testing centers. CEH candidates must meet education and/or experience requirements before sitting for the exam: they may either complete an official training program or demonstrate that they have two years of experience and an educational background in information security.


Certified Information Systems Security Professional (CISSP)


The CISSP credential from (ISC)² remains the premier certification for information security professionals. While it is not focused on application security, many employers consider the CISSP a minimum requirement for senior security-related positions. Individuals seeking to build a career in information security should make the CISSP program part of their professional development plans.


CISSP candidates must demonstrate at least five years of paid work experience in two or more of the CISSP domains of information security (a four-year degree or an approved credential can waive one year of that requirement). The CISSP also requires passing a computer-based examination administered through Pearson VUE. The exam consists of 250 questions that candidates must complete in six hours. Passing requires a scaled score of 700 out of 1000 possible points.


Application security certification programs offer an excellent pathway into an exciting career field. As the application economy grows, demand will only increase for individuals with the skillset required to build, maintain and test secure applications. Now is an excellent time for technology professionals to pursue these certifications and build skills that will retain value for years to come.


About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.