New IT certification tackles software security

(ISC)2 takes holistic approach to building secure software
IT Careers and Training Alert, by Jon Brodkin, Network World, 10/08/2008

(ISC)2, caretaker of the well-known Certified Information Systems Security Professional (CISSP) designation, has developed a new certification that tackles a big issue: development of secure software.

With the just-announced Certified Secure Software Lifecycle Professional (CSSLP) designation, (ISC)2 wants to ensure that developers take a more holistic approach to software security, and make sure security is built into each product from the beginning, rather than be tacked on at the end.

The cert “aims to stem the proliferation of security vulnerabilities resulting from insufficient development processes by establishing best practices and validating an individual’s competency in addressing security issues throughout the software lifecycle,” (ISC)2 says in a Sept. 25 announcement. “Code-language neutral, it will be applicable to anyone involved in the [software lifecycle], including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers.”

CSSLP tests seven domains: secure software concepts; secure software requirements; secure software design; secure software implementation and coding; secure software testing; software acceptance; and software deployment, operations, maintenance and disposal. More details are available on the program’s Web site.

I learned a bit more about the CSSLP recently when I interviewed W. Hord Tipton, executive director of (ISC)2 and former CIO of the U.S. Department of the Interior. Read on for Tipton’s take on the new certification, job prospects and other issues affecting security professionals.

What’s the career outlook like for security professionals?

Everything I’ve read has it right on top of the list. I think what we know about the threats and continuing challenges, is that there’s no way it’s going to lessen. The demand really is increasing.

Because computer security is becoming more complicated.

More complicated, people becoming more creative with the Web 2.0, with Web 3.0 just around the corner. It’s a constant pull and tug between securing the things in a preventative manner or doing it after [software developers have] built it and you're trying to figure out how to patch the holes behind them.

Can you give me a rundown on the new certification?

There’s been a longstanding view that software assurance has not really advanced as quickly as one would like. Companies are still under a lot of criticism for producing software that is still full of vulnerabilities. [Questions include] who bears the cost of breach, who bears the cost of repairing something once it’s been deployed. There has not been a holistic view of how you address the problem, or even identify what the problem is, and something different needs to take place here.

We spent two years on this in terms of researching, collaborating with software vendors, users, just to try to get a feel for what would be the best approach to developing professionals that could actually address the problem from a holistic view. We’re always saying from a security end of it, bake security in. Don’t bolt it on at the end, it’ll cost you 30 to 100 times as much money.

What kinds of IT pros should get this certification?

It’s not a technical certification. On the other end of the spectrum, it’s not a managerial certification, it’s somewhere in the center. [The certification could be for] someone who has managed a software project and has some experience, it doesn’t necessarily have to be code writing, but in terms of gathering requirements, shaping a proposal, and doing the design work.

Is it significantly different from the previous credentials offered by (ISC)2?

We look at it as a companion certification to the CISSP. This is kind of the first time we have put one foot outside the security realm and we’re trying to integrate the security with the software. Heretofore CISSP walks the security path. This one goes into conceptual design, requirements gathering and deployment, maintenance and disposal. Security architects are a target for this.

In general, where is the most demand for (ISC)2 certifications?

CISSP dominates just about everything we do. The practitioner, the SSCP (systems security certified practitioner) is one that’s starting to catch on. That is more of a technical credential, for people working day to day on the line in any particular area of security. Worldwide, the CISSP is the gold standard, it’s the one that’s most recognized outside the security world.

How do you prepare for the new certification exam? Are there courses, or is it based on your existing knowledge?

We’re opening it up for a six-month period, until March, with what we call an experience assessment. The requirement is if those folks can demonstrate they have expertise through written essays and examples on four of the seven domains, then they can get early certification. After that window closes, we begin official training and education seminars to the public, to corporations. Next June the only way to get the credential will be through passing the exam.

Why is this certification important?

We haven’t seen the pattern of success that we’ve expected over the past few years. The business side, governments are saying we as users of this software are tired of paying to repair and patch this software. And that’s the hidden cost. Most people … write a check and don’t realize that 80% of the cost of running that application comes afterwards on the maintenance side.

Do you have any more certifications in the works?

I personally think there’s enough alphabet soup out there. And if you’re going to launch one you better be sure you’re unique, it better fit, it better serve a purpose.

CIOs don’t always give security the consideration it deserves. How do IT pros need to go about getting their needs recognized?

You have to reach out to them. I know what it takes to get into the office of a CIO. Unfortunately, security is a transparent world. If they don’t have an emergency and they’re just reading about somebody else’s emergency, [it’s hard to get people to pay attention]. At this point money generally is dispersed on the basis of who has the biggest crisis. If you haven’t been breached, the computers are working, you’re doing a decent job controlling spam and malware, you’ve got decent procedures on data leakage, and nobody seems to be bleeding to death, you have a hard time getting attention.

Jon Brodkin is senior writer at Network World.
