Software Security Certification (ACSA) · 2019-07-16


Software Security Certification

Symantec’s Experience

Cassio Goldschmidt, Sr. Manager

December 9th, 2009


The creation of CSSLP

• Convergence among all parties

• Excellent pool of talent from various industries in all meetings

– Independent Software Vendors

– Online Service Providers

– Financial Services Organizations

– Government Organizations

• Rigorous process to create questions

– Psychometrics

– Peer review

– Source requirements

• (ISC)² proven track record creating certifications


Areas where CSSLP adds value

Effective way to educate current staff

• Historically, universities have not integrated security with CS education

• Certification maintenance requirements are a good idea

• Does not replace real world practice

– Diplomas do not replace the need for practice either


Areas where CSSLP adds value

Hiring

Old School

• One page resume

New School

• Keyword driven

• CISSP is already a keyword

CSSLP

How do you tell a recruiter you need a professional familiar with all the areas listed below?

– Security Principles

– Security Requirements

– Secure Software Design

– Secure Coding

– Secure Software Testing

– Vulnerability management and response


The problem Symantec faces today

Most of our flaws are not in our code

[Chart: origin of flaws. Symantec code: 54%. Open source / third party: 46%.]

[Chart: Security Incidents in 2009, by lifecycle phase. Phases: Design & Requirements, Code, Test, Support.]


The problem Symantec faces today

Mergers & Acquisitions

What should a practitioner do when a vulnerability is reported by a security researcher?

How to assess risk?

How to deploy the fix?

How and when do customers need to be informed?

What kind of process and techniques can help to avoid vulnerabilities in the first place?


Symantec’s education and process

We don’t teach with certs in mind


Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Thank You!

Cassio Goldschmidt

Sr. Manager, Product Security

Office of the CTO, Symantec Corporation