Developer Security Certification
What would happen if Microsoft created a security training and certification program kind of like the MCSD program? Security is clearly something we're focusing on right now and Rick Samona on my team is going to devote a huge amount of time for the next twelve months on making sure that developers have the resources they need to make sure their code is secure. But what about going the next step? Do you think that companies would be more likely to hire “certified secure” developers? Would it enable developers to charge more for their time? Or would it be viewed as a marketing ploy?
Personally, I think, if we build the right training program and market it correctly, it could be a good thing all around.
I'd love feedback on this before I invest a lot of time in making it happen.
Comments
- Anonymous
July 11, 2004
With the amount of value currently placed on MCSD (i.e., very little), I can't really see such a programme having much impact on hiring policy.
- Anonymous
July 11, 2004
I personally believe that the idea of developing a certification for certifying "secure" developers is a great idea. It should be implemented with all due haste. The simple fact of the matter is that Colleges and Universities are lagging far behind in what is actually needed in today's workforce. There are plenty of network security certifications out there but not enough developer certs. You could have different levels of certification similar to the MCAD/MCSD for instance a cert that focuses mostly on smart clients, one that targets database developers and one that targets web developers and a master certification as well. Also, please do not neglect the CompTIA certs as those skills could be applied towards this certification.
So yes I do believe that this is necessary and I would be willing to help out as much as I could to get this effort off the ground.
- Anonymous
July 11, 2004
I think this is a good idea, but instead of developing a program that certifies for security, why not make it a new requirement for the next iteration of MCSD? No developer should be writing "insecure" code. I think this also goes with what MS is trying to accomplish. There is not a WinXP Secure Edition, but rather something that should be ingrained in everything we do.
- Anonymous
July 11, 2004
Ummmm....you do know that the Microsoft Training & Certification folks are already offering developer security exams? The 70-330 and 70-340 exams just went live.
I'd be happy to see Microsoft offer an MCSD with a concentration in security (though there's been some criticism in the past about too many different Microsoft certifications), but only as part of the existing certification program - NOT as a separate entity. That would only confuse people even more.
- Anonymous
July 11, 2004
Presently MS is seen by many as being the CAUSE of security problems, not so much the cure. Many people might feel that they would be better off taking courses from groups like SANS, which are basically only in the security business. My $0.02CDN :)
- Anonymous
July 11, 2004
Humans are the cause of security problems.
- Anonymous
July 11, 2004
Mike has a good point about the existing courses -- I was talking more about creating a new cert program. Mike, your point is well-taken and we'll look into a specific implementation.
Thanks again everyone for the input.
- Anonymous
July 11, 2004
We already have the exams and corresponding training on Security today:
330: Implementing Security for Applications with Microsoft Visual Basic.NET
http://www.microsoft.com/learning/exams/70-330.asp
Exams 70-340: Implementing Security for Applications with Microsoft Visual C#.NET
http://www.microsoft.com/learning/exams/70-340.asp
Course 2300: Developing Security-Enhanced Web Applications
Course 2350: Developing and Deploying Secure Microsoft .NET Framework Applications
Course 2806: Microsoft Security Guidance Training for Developers
Course 2840: Developing Secure Applications (available July 2004)
Sun July 18, 2004 06:00 PM
---
http://www.microsoft.com/learning/exams/70-330.asp
Course 2300: Developing Security-Enhanced Web Applications
Course 2350: Developing and Deploying Secure Microsoft .NET Framework Applications
http://www.microsoft.com/traincert/syllabi/2350BFinal.asp
Course 2806: Microsoft Security Guidance Training for Developers
http://www.microsoft.com/traincert/syllabi/2806AFinal.asp
Course 2840: Developing Secure Applications
http://www.microsoft.com/traincert/syllabi/2840AFinal.asp
We also already have a specialization for the MCSE on Security:
http://www.microsoft.com/learning/mcp/mcse/security/windowsserver2003.asp
I wouldn't be surprised if the recent exams on Secure Development were part of a plan to deliver just what you asked for. Pure speculation at this point, though :-)
- Anonymous
July 11, 2004
:-)
Thanks.