SAFECode NEWS and EVENTS

See SAFECode present at these upcoming events:

8th SEMI-ANNUAL SOFTWARE ASSURANCE FORUM
May 6, 2008 - May 8, 2008
Tysons Corner, VA
http://www.bowheadevents.com/swaforum2008/index.cfm

 
   

Media Contact

Stacy Simpson
SAFECode
stacy@safecode.org
+ 1 703-926-1963

 
   

SAFECode In The News

SC Magazine UK Edition
May, 2008
http://www.scmagazine.com/uk/news/article/804392/software-safe-design/
Software: Safe by design
A new industry alliance promises to pave the way for more secure software. Is SAFECode what we've been waiting for?

Government Computer News
Oct. 23, 2007
http://www.gcn.com/online/vol1_no1/45286-1.html
IT industry creates secure coding advocacy group

vnunet.com
Oct. 23, 2007
http://www.vnunet.com/itweek/news/2201841/industry-launches-initiative
Tech industry launches initiative to boost software security
A major new industry initiative could ensure the quality and security of software

SearchSecurity.com
Oct. 23, 2007
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1278401,00.html
Tech vendors team up for secure software development

Dark Reading
Oct. 23, 2007
http://www.darkreading.com/document.asp?doc_id=137004&WT.svl=wire_1
Major Vendors Form SAFECode

eWEEK.com
Oct. 24, 2007
http://www.eweek.com/article2/0,1895,2206100,00.asp
Tech Foes Join Forces for Secure Code

Computerworld (UK)
Oct. 24, 2007
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=5813
RSA 2007: Software firms to share security best practice
SAFECode is first industry-led shared security effort

FederalNewsRadio -- Daily Debrief with Amy Morris
Oct. 25, 2007
http://www.federalnewsradio.com/?sid=1278706&nid=364
(Radio Interview)
The "Justice League" of IT Security

Silicon.com (UK)
Oct. 24, 2007
http://software.silicon.com/security/0,39024655,39168921,00.htm
Tech giants team up for secure software

 
   

Press Release -- SAFECode Adds Nokia

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy@safecode.org

FOR IMMEDIATE RELEASE

SAFECode Adds Nokia as Newest Member

Global leader in mobile technology joins industry-led effort to advance software assurance

Arlington, Va. - March 31, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced that it has added Nokia as its newest member. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

"As the global leader in mobile technology, Nokia brings invaluable expertise to SAFECode's efforts," said Paul Kurtz, executive director of SAFECode. "Software underpins the communications and mobile computing infrastructures we've come to rely on in so many ways. SAFECode is thrilled to have the opportunity to work with Nokia to build on the positive work the company has already done to promote assurance best practices across the mobile technology ecosystem."

As a SAFECode member, Nokia will join with subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks.

"The continuous development of secure technology has always been core to Nokia's commitment to its customers. Participation in SAFECode offers a valuable opportunity to extend our corporate dedication to security and positively influence the security of the communications infrastructure to the benefit of all technology users," said Janne Uusilehto, Head of Nokia Product Security. "We look forward to working with SAFECode's members to promote secure software development practices."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

About Nokia
Nokia is the world leader in mobility, driving the transformation and growth of the converging Internet and communications industries. We make a wide range of mobile devices with services and software that enable people to experience music, navigation, video, television, imaging, games, business mobility and more. Developing and growing our offering of consumer Internet services, as well as our enterprise solutions and software, is a key area of focus. We also provide equipment, solutions and services for communications networks through Nokia Siemens Networks.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 
   

Press Release -- Best Practices

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy@safecode.org

FOR IMMEDIATE RELEASE

SAFECode Outlines Current Industry Best Practices for Software Assurance

New report aims to increase understanding and adoption of the most effective secure development methods and integrity controls used by technology vendors

Arlington, Va. - Feb. 13, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information technology (IT) products and services through the advancement of effective software assurance methods, today released its first member report, Software Assurance: An Overview of Current Industry Best Practices. The report outlines the secure development methods and integrity controls currently used by SAFECode members to deliver high-assurance systems to government and commercial customers. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp.

"Software assurance is a vital component to ensuring the security of critical information technology resources, and information and communications technology vendors thus have an obligation to address assurance through every stage of application development," said Paul Kurtz, executive director of SAFECode. "As the initial step in our efforts to help the industry meet this important responsibility, SAFECode has identified the assurance best practices that have proven to be effective across its member companies. By sharing this information, we hope to encourage the adoption of these types of practices by other software developers and respond to the growing customer desire for greater visibility into the steps technology vendors are taking to continually improve the security of their products."

Software development processes vary by vendor according to their unique organizational structures and customer requirements. Yet regardless of the methods used, there is a core set of best practices for software assurance and security that apply to diverse development environments. The paper identifies and explains the following security best practices and controls that are currently in use by SAFECode members:

  • Security Training: A prerequisite to coding secure software is for engineers to be knowledgeable about information security issues that may affect people who use the product.
  • Defining Security Requirements: Security requirements must be defined during the early stages of product development.
  • Secure Design: The early design phase must identify and address potential threats to the application and ways to reduce those risks to a negligible level.
  • Secure Coding: The product development team must implement secure programming practices.
  • Secure Source Code Handling: The integrity and confidentiality of source code must be protected.
  • Security Testing: Specialized validation should be implemented to ensure that security requirements and secure design and coding guidelines were followed.
  • Security Documentation: Documentation for users should include explicit treatment of security issues to help customers understand how to optimally configure security controls, and how configuration options may or may not develop potential security vulnerabilities.
  • Security Readiness: Prior to releasing a product, the application developer must evaluate, document and assess risks posed by potential security gaps in the product.
  • Security Response: Any security vulnerabilities (exploited or not) reported against the deployed product should be handled through incident response mechanisms and relayed to the product development or sustaining teams to mitigate the vulnerability.
  • Integrity Verification: Products must offer customers methods to verify that the software they have acquired is indeed from their trusted vendor.
  • Security Research: Ongoing research should be conducted into new threat vectors and mechanisms to mitigate them.
  • Security Evangelism: Leaders in the area of software assurance should promote the use of best practices by discussing their practices and findings in open forums, articles, papers and books.

"Vendors who have implemented these best practices have seen dramatic improvements in software product assurance and security," said Kurtz. "We encourage all software developers and vendors to consider, tailor and adopt these practices into their own development environments. The result of efforts like these will be a higher level of end-user confidence in the quality and safety of software that underpins critical operations in governments, critical infrastructure and businesses worldwide."

In the coming months, SAFECode will issue a number of reports building on these high-level best practices to offer specific and actionable information on the key concepts, principles, and research and development activities the organization is pursuing to improve software assurance and security.

A full copy of Software Assurance: An Overview of Current Industry Best Practices is available for download at http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf. The paper also includes eight important questions that organizations should ask vendors during the procurement process to help evaluate the software assurance of products or vendor engagements.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 
   

Press Release -- SAFECode Formed

Leading Technology Companies Form Industry Group to Advance Software Assurance

SAFECode to promote best practices for the delivery of more secure and reliable software, hardware and services

Paul Kurtz named executive director

Arlington, VA. and London (RSA Conference Europe) -- Oct. 23, 2007 -- A group of leading information and communications technology companies today announced the formation of the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information technology (IT) products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG, and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

As the global dependence on information and communications technology has grown, users have become increasingly concerned over the integrity, security and reliability of software, hardware and services, especially those in the government, critical infrastructure and enterprise sectors. The need to reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity has never been more important than in today's increasingly complex and dynamic threat environment. To help achieve these objectives and strengthen the security of the IT ecosystem, SAFECode unites key stakeholders in an effort to advance software assurance by developing and promoting a set of methods for secure product development and integrity controls that protect software, hardware and services across the global supply chain.

While individual companies have implemented effective methods for developing and delivering more secure and reliable software, hardware and services, there has been no coordinated, industry-led effort to build upon this positive work and promote best practices to advance software assurance more broadly. SAFECode fills this critical gap by bringing together subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks.

  • Increase understanding of the secure development methods and integrity controls used by vendors
  • Promote proven software assurance practices among vendors and customers to foster a more trusted ecosystem
  • Identify opportunities to leverage vendor software assurance practices to better manage enterprise risks
  • Foster essential university curriculum changes needed to support the cyber ecosystem
  • Catalyze action on key research and development initiatives in the area of software assurance

To help SAFECode achieve its objectives, the organization has named Paul Kurtz, a recognized cyber security expert, as its executive director. Currently a partner at Good Harbor Consulting LLC, Kurtz most recently served as the founding executive director of the Cyber Security Industry Alliance (CSIA). Prior to CSIA, he served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush.

"Software assurance is a critical element of IT ecosystem security. By building on the positive work already done in this area by individual firms and encouraging broader adoption of proven best practices for the development and delivery of more secure technology products and services, SAFECode has a unique opportunity to significantly impact the overall security and reliability of the cyber infrastructure," said Paul Kurtz, executive director of SAFECode. "With the support of its founding members, SAFECode will work to meet the growing demand for information and dialogue on software assurance and increase the trust in IT and communications products and services."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in IT technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. In addition, SAFECode will be assembling an advisory of government leaders and critical infrastructure operators from around the globe to better understand and respond to key software assurance challenges.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. For more information, please visit www.safecode.org.

Media Contact:
Stacy Simpson
+ 1 703 926 1963
Stacy@safecode.org

Membership Contact:
Robert Knake
+ 1 703 812 9199
Rob@safecode.org

 
   

Articles

Latest issue of ENISA Quarterly Magazine Online
Oct. 25, 2007
This issue focuses on Secure Software - From the World of Security Experts.
http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_12_07.pdf

 
   

Audio Clips / Podcasts

WAMU NPR: Cyber Threats
Jun. 25, 2008
Diane Rehm talks with Paul Kurtz, Alan Paller, Stephen Spoonamore, and Congressman Jim Langevin about growing concerns over cyber attacks in the public and private sectors.
http://podcastdownload.npr.org/anon.npr-podcasts/podcast/305/510071/91879571/WAMU_91879571.mp3
51:20 Podcast

IT Week Podcast: RSA Conference Europe
Oct. 25, 2007
This week David Neal talks to Phil Muncaster about the latest news coming from the annual RSA Conference Europe event in London's ExCel.
MP3 (5.6 MB) - http://images.vnunet.com/v7_static/itw/podcasts/IT-Week-Podcast-25-October.mp3
Podcast