On Fri, 11 May 2007, Gary McGraw wrote:

> What do you think?  Can we test someone's software security knowledge
> with a multiple choice test?  Anybody seen the body of knowledge behind
> the test?

I've participated heavily in the development of the test by contributing
questions, giving guidance on subject areas, and identifying some of the
language-independent, general knowledge categories.

While multiple choice isn't perfect, SANS is consulting with a
professional organization that has experience in making multiple choice
certification-related tests for a variety of industries.  They have given
us extensive guidance on how to write solid questions.  There are multiple
checks and balances along the way to improve the quality of the questions.
The "blueprints" as provided on the site give guidance to what kinds of
questions are asked in the first place.

Essay answers or program analysis projects might be able to give a more
well-rounded understanding of what a developer does, but that would be
subject to too much variation by the people evaluating the test results,
not to mention being quite untenable on the scale that this effort is
likely to reach.

People will try to force this initial exam into being something much more
comprehensive and authoritative than it's intended to be, and there might
be some bumps along the way, but - how can the industry afford NOT to try
to test secure development skills?  This is the first step of many.

- Steve
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________