GSSP-.NET Certification Bulletin
(Part 2 of Candidate Handbook)
- Type: Certification
- Target: Individuals who are responsible for coding secure software applications using .NET, identifying shortfalls in the security knowledge of other programmers, ensuring other programmers have adequate secure coding skills, and advanced secure programming skills.
The GIAC Secure Software Programmer certification allows candidates to demonstrate mastery of the security knowledge and skills needed to deal with common programming errors that lead to most security problems.
GIAC Certified Secure Software Programmers (GSSP) have the knowledge, skills, and abilities to write secure code and recognize security shortcomings in existing code.
- Requirements:
  - 1 proctored exam
  - 100 questions
  - 4-hour time limit
  - 67% (67 of 100 questions) minimum passing score
- Renewal: Every 4 years
The topic areas for each exam part follow:
| Exam Certification Objectives | Certification Objective Outcome Statement |
|---|---|
| .NET HTTP Modules and HTTP Handlers | .NET programmers must demonstrate familiarity with HTTP Modules and HTTP Handlers and how they can be used to increase the security of ASP.NET applications. |
| Access Control APIs | .NET programmers must demonstrate an understanding of the ASP.NET Membership and Role Providers, as well as the difference between Principals and Identities. |
| Authenticate Principles | Programmers must demonstrate an understanding of when to authenticate (trust boundary), CAPTCHA, multi-factor authentication, and re-authentication. |
| Authentication Protection | .NET programmers must demonstrate an understanding of how to use encryption and certificates to protect various authentication processes, as well as how to use HTTP and HTML properties to protect Web-based authentication. |
| Authentication Techniques | .NET programmers must demonstrate familiarity with the more common authentication techniques and APIs available within the .NET Framework, as well as an understanding of the security implications of using ASP.NET Forms authentication. |
| Class-level Security | .NET programmers must demonstrate familiarity with accessibility modifiers and how they can be used to protect classes, class members, and class methods. Programmers should also understand class comparisons, serialization, clone-ability, and nested classes. |
| Code Privileges | .NET programmers must demonstrate an understanding of how to manage the privileges of code as well as the different protection domains. |
| Communications Encryption | .NET programmers must demonstrate an understanding of which of an application's external connections to protect with encryption and how to utilize the cryptographic services provided by the .NET Framework to protect the communication channel. |
| Configuration of Error Handling | .NET developers must demonstrate familiarity with the configuration and use of customErrors and errorPage. |
| Database Access | .NET programmers must demonstrate an understanding of the security risks of improperly handling input and output from databases, as well as the identities used to access database resources. |
| Declarative and Imperative Permissions | .NET developers must demonstrate an understanding of how to use declarative permissions to limit the permissions that code requires at the assembly, class, and method levels. |
| Encryption of Data at Rest | .NET developers must demonstrate an understanding of how to store sensitive data in an encrypted format. This includes familiarity with common encryption APIs, .NET random number generation, and the facilities within the framework for encrypting configuration data. |
| Exception Handling | .NET developers must demonstrate an understanding of how to appropriately handle system exceptions. |
| How to Protect | .NET programmers must demonstrate an understanding of access schemes that are defined via configuration files or attributes (declarative) and schemes that are defined by active checks in custom code (imperative). |
| Input Validation Principles | .NET programmers must understand that input validation is an important part of building a trust boundary; input should not be trusted, regardless of its source. Programmers must understand strong typing vs. weak typing vs. no typing and what each means for input validation threats. |
| Input Validation Sources | .NET programmers must demonstrate an understanding of common sources of input to .NET applications, for example HTTP requests, serialized streams, configuration files, back-end databases, etc. |
| Input Validation Techniques | .NET programmers must demonstrate an understanding of how to validate both simple and complex data types. |
| Integer and Double Overflows | .NET programmers must demonstrate an understanding of the limitations of .NET's numerical data types and the resulting security implications. |
| Logging | .NET programmers must demonstrate an understanding of the principles behind logging security-relevant events, as well as what information should and should not be logged in order to ensure non-repudiation, reconstruct an attack, or prevent sensitive information from being logged. |
| Object Serialization | .NET developers must demonstrate an understanding of the security impact of serialization and how to safely and securely enable this functionality. |
| Output Encoding | .NET programmers must demonstrate an understanding of when and how to use output encoding for both XML and HTML data, as well as an understanding of how to use the Microsoft Anti-XSS library and the encoding facilities provided by the standard ASP.NET controls. |
| Secure Coding Principles | .NET programmers must demonstrate familiarity with technology-independent secure coding principles such as least privilege, secure initialization, separation of data from code, type checking, shallow vs. deep copy, global variables, securely formed if and while statements, bounds checking, function complexity, off-by-one errors, encapsulation, and the differences between managed and unmanaged code. |
| Session Protection | .NET programmers must demonstrate an understanding of the security implications of topics including encryption, token strength-of-function, active and inactive timeouts, re-issuance, and cookie management. |
| Session State Management | .NET programmers must demonstrate an understanding of the differences between the Session State modes and the advantages and disadvantages of each. |
| Singletons | .NET developers must demonstrate an understanding of when a Singleton is needed and how to implement the Singleton pattern in .NET. |
| String Comparisons | .NET programmers must demonstrate an understanding of how to properly compare two System.String objects in a language- and locale-independent way. |
| String Immutability | .NET programmers must demonstrate an understanding of the immutability property of System.String and how to effectively use the System.Security.SecureString class. |
| Thread Safety | .NET programmers must demonstrate an understanding of race conditions, deadlock, starvation, and how each can affect system security; they must also be able to use the collection classes in a thread-safe manner and understand multi-threading considerations for static class members, instance variables, and volatile fields. |
| ViewState | .NET application developers must demonstrate an understanding of how to utilize .NET's ViewState and how this affects the security of session data. |
| What to Protect | .NET programmers must demonstrate an understanding of how to actively protect access to system data objects (resources) and system functionality (functions). |
Where to Get Help
Training is available from a variety of resources, including online courses, course attendance at a live conference, and self-study.
Practical experience is another way to ensure that you have mastered the skills necessary for certification. Many professionals already have the experience to meet the certification objectives identified above.
Finally, college-level courses or study through another program may meet the needs for mastery.
The procedure to contest exam results can be found at http://www.giac.org/grievance.php.