Developer Security Certification


What would happen if Microsoft created a security training and certification program kind of like the MCSD program? Security is clearly something we’re focusing on right now and Rick Samona on my team is going to devote a huge amount of time for the next twelve months on making sure that developers have the resources they need to make sure their code is secure. But what about going the next step? Do you think that companies would be more likely to hire “certified secure” developers? Would it enable developers to charge more for their time? Or would it be viewed as a marketing ploy?


Personally, I think, if we build the right training program and market it correctly, it could be a good thing all around.


I’d love feedback on this before I invest a lot of time in making it happen.


Comments (10)

  1. With the amount of value currently placed on MCSD (i.e., very little), I can’t really see such a programme having much impact on hiring policy.

  2. I personally believe that the idea of developing a certification for certifying "secure" developers is a great idea. It should be implemented with all due haste. The simple fact of the matter is that Colleges and Universities are lagging far behind in what is actually needed in today’s workforce. There are plenty of network security certifications out there but not enough developer certs. You could have different levels of certification similar to the MCAD/MCSD, for instance a cert that focuses mostly on smart clients, one that targets database developers and one that targets web developers and a master certification as well. Also, please do not neglect the CompTIA certs as those skills could be applied towards this certification.

    So yes I do believe that this is necessary and I would be willing to help out as much as I could to get this effort off the ground.

  3. Matt says:

    I think this is a good idea, but instead of developing a program that certifies for security, why not make it a new requirement for the next iteration of MCSD. No developer should be writing "insecure" code. I think this also goes with what MS is trying to accomplish. There is not a WinXP Secure Edition, but rather something that should be ingrained in everything we do.

  4. Ummmm….you do know that the Microsoft Training & Certification folks are already offering developer security exams? The 70-330 and 70-340 exams just went live.

    I’d be happy to see Microsoft offer an MCSD with a concentration in security (though there’s been some criticism in the past about too many different Microsoft certifications), but only as part of the existing certification program – NOT as a separate entity. That would only confuse people even more.

  5. Presently MS is seen by many as being the CAUSE of security problems, not so much the cure. Many people might feel that they would be better off taking courses from groups like SANS, which are basically only in the security business. My $0.02CDN 🙂

  6. Mr Obvious says:

    Humans are the cause of security problems.

  7. Mike has a good point about the existing courses — I was talking more about creating a new cert program. Mike, your point is well-taken and we’ll look into a specific implementation.

    Thanks again everyone for the input.

  8. We already have the exams and corresponding training on Security today:

    330: Implementing Security for Applications with Microsoft Visual Basic.NET

    http://www.microsoft.com/learning/exams/70-330.asp

    Exams 70-340: Implementing Security for Applications with Microsoft Visual C#.NET

    http://www.microsoft.com/learning/exams/70-340.asp

    Course 2300: Developing Security-Enhanced Web Applications

    Course 2350: Developing and Deploying Secure Microsoft .NET Framework Applications

    Course 2806: Microsoft Security Guidance Training for Developers

    Course 2840: Developing Secure Applications (available July 2004)

    Sun July 18, 2004 06:00 PM

    http://www.microsoft.com/learning/exams/70-330.asp

    Course 2300: Developing Security-Enhanced Web Applications

    Course 2350: Developing and Deploying Secure Microsoft .NET Framework Applications

    http://www.microsoft.com/traincert/syllabi/2350BFinal.asp

    Course 2806: Microsoft Security Guidance Training for Developers

    http://www.microsoft.com/traincert/syllabi/2806AFinal.asp

    Course 2840: Developing Secure Applications

    http://www.microsoft.com/traincert/syllabi/2840AFinal.asp

    We also already have a specialization for the MCSE on Security:

    http://www.microsoft.com/learning/mcp/mcse/security/windowsserver2003.asp

    I wouldn’t be surprised if the recent exams on Secure Development were part of a plan to deliver just what you asked for. Pure speculation at this point, though 🙂
