Assessment Overview

Free Assessment Information

To receive a free assessment for yourself or up to 25 developers, please email spa@sans.org.


While the GSSP certification is important to many programmers, large enterprises have expressed the need to evaluate programmer skills without necessarily incurring the time and cost of full certification. For those organizations, SANS Software Security has developed a web-based assessment and reporting tool. The assessment questions are developed using the same robust process used for the GSSP, but the web-based approach allows large numbers of programmers to take the assessment.

The assessment offers a larger number of questions than the short practice exams. It also offers additional value for large enterprises with many programmers. Custom questions and reports can also be used to 'roll up' results for comparison and decision making.

The GIAC Secure Programming Skills assessment focuses on the real issues that create the most common vulnerabilities and security issues in applications. The assessment helps developers identify areas where they have knowledge gaps and confirms those areas where skills already exist. The assessment is also a good measure of whether an individual is ready to pursue the full GIAC Secure Software Programmer (GSSP) certification or whether more study is required.

The assessments are much more than the typical general overview of secure programming topics. They are technical and language specific (e.g. Java or C). Many of the questions use real code examples, so practical and current programming experience in the designated language is a must. After you complete the assessment, you can review how well you mastered the material, and also view or print a report documenting your results. Since this is an assessment (and not a formal certification exam), there is no 'passing score'. Instead, the report provides a detailed breakdown of performance for each task covered on the exam. This will enable you to target your learning objectives. Unless otherwise agreed, your specific results will be confidential.

There are now hundreds of programmers who have taken either the certification exam or the assessments for Java and C. We realize "it is just an assessment" and some will argue the finer points about what should be included or omitted or whether a given question is "perfect". However, in the big picture, the assessment will give you a very good idea of your skill level based on a standard that is seeing a very rapid adoption rate. Even if you don't do well, you should NOT think of the results as a "failure". The program is designed to help identify learning needs. Use it for that purpose and we can all take the first steps on this critical journey to improve the defensive posture of our applications and make the job of the "bad guy" as difficult as possible.

If you are interested in an individual assessment, you can register here.

For enterprises interested in using the assessments, send an email to spa@sans.org.