Another wonderful announcement is the fact that SANS has developed certification exams to test developers' understanding of security and secure code practices. The GIAC Secure Software Programmer has four different language platform choices -- .NET/ASP, C/C++, Java/J2EE, and Perl/PHP.
This is wonderful news. Among the security world's biggest problems is that most programmers don't care about security, and security people usually don't program. That's one of the major reasons why most programs contain many security vulnerabilities.
While certification tests don't mean you're an expert in a particular subject, they do test your minimal knowledge. As the holder of more than 50 computer certifications, I know that every time I study for a new cert, I learn something I didn't know before. I applaud SANS for its leadership. Along with all the Secure Design Lifecycle courses being taught this year, I think there is finally a maturing set of education options for programmers. Find out more about the new SANS certification exams and learning material at http://www.sans-ssi.org.
Lastly, I often get asked what online security news sources I subscribe to. My favorites include:
* anything from www.securityfocus.com
* the Patch Management mailing list
* InfoWorld (of course)
* Vulnerability Watch (firstname.lastname@example.org)
* Full Disclosure (email@example.com)
Another favorite computer news source, not strictly security-related but always full of interesting stories, is The Register. It's got a British flair and slant to the news stories, and I don't always understand the jargon. But the reporting is topically informative, and it's only fair payback for all the stuff we Americans force on everyone else.
Well, that's all for now. I must get back to communing with nature.