Security Development Conference
May 14-15, 2013
San Francisco, CA

Security-focused stories: Implementation tips in Agile development environments
Agile Record Magazine
Vishal Asthana, Rohit Sethi
February 2013
http://www.agilerecord.com/agilerecord_13.pdf

Cyber forecast for 2013: 4 areas where the stakes are raised
Government Computer News
By Bill Jackson
December 21, 2012
http://gcn.com/Articles/2012/12/21/Cyber-forecast-2013-stakes-raised.aspx?Page=1

After Five Years, SAFECode Sees Software Security Progress, But Challenges Remain
Threatpost
The Kaspersky Lab Security News Service
By Dennis Fisher
October 23, 2012
http://threatpost.com/en_us/blogs/after-five-years-safecode-sees-software-security-progress-challenges-remain-102312

I Programmer
SAFECode Guidance for Agile Practitioners
By Alex Armstrong
July 30, 2012
http://www.i-programmer.info/news/99-professional/4558-safecode-guidance-for-agile-practitioners.html

SD Times
SAFECode guides agile developers in security
By Suzanne Kattau
July 23, 2012
http://sdt.bz/36820#ixzz21YKGm6e6

Help Net Security
Software security guidance for Agile practitioners
July 20, 2012
http://www.net-security.org/secworld.php?id=13281

FierceCIO
Vendor coalition issues guidelines for safer code
By Caron Carlson
July 19, 2012
http://www.fiercecio.com/story/vendor-coalition-issues-guidelines-safer-code/2012-07-19

SecurityWeek
Industry Group Releases Security Guidelines for Agile Development
By Fahmida Y. Rashid
July 18, 2012
http://www.securityweek.com/industry-group-releases-security-guidelines-agile-development

Network World
Microsoft, Juniper, others in coding consortium issue guidelines for safer applications
By Tim Greene
July 18, 2012
http://www.networkworld.com/news/2012/071812-safecode-260989.html

Government Computer News
Fresh advice on building safer software
By Bill Jackson
February 8, 2011
http://gcn.com/Articles/2011/02/08/SAFECode-secure-software-development-guide.aspx?Page=1

Dark Reading
SAFECode Issues Best Practices For Writing Secure Code
By Kelly Jackson Higgins
February 8, 2011
http://www.darkreading.com/database-security/167901020/security/application-security/229204126/safecode-issues-best-practices-for-writing-secure-code.html

SC Magazine
SAFECode updates secure development guide
By Angela Moscaritolo
February 8, 2011
http://www.scmagazineus.com/safecode-updates-secure-development-guide/article/195902/

SC Magazine
Top of the heap: 2010's IT security luminaries
By SC Magazine Staff
December 1, 2010
http://www.scmagazineus.com/top-of-the-heap-2010s-it-security-luminaries/article/191400/

SD Times
From the Editors: Opening up about security
By SD Times Editorial Board
Aug 15, 2010
http://www.sdtimes.com/content/article.aspx?ArticleID=34557&page=1

SD Times
Black Hat conference fields suggestions for software security
By David Worthington
July 28, 2010
http://www.sdtimes.com/content/article.aspx?ArticleID=34518&page=1

SC Magazine
Supply subversion
By Angela Moscaritolo
July 1, 2010
http://www.scmagazineus.com/supply-subversion/article/172654/
Note: Registration is required

SD Times
SAFECode outlines path to complete code integrity
By Katie Serignese
June 28, 2010
http://www.sdtimes.com/SAFECODE_OUTLINES_PATH_TO_COMPLETE_CODE_INTEGRITY/By_Katie_Serignese/About_SAFECODE/34445

Dark Reading
Why Can't Johnny Develop Secure Software?
By Tim Wilson
June 16, 2010
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=225700320&cid=RSSfeed_DR_News

ThreatPost
New Study Sees Need for Better Software Integrity Controls
By Dennis Fisher
June 14, 2010
http://threatpost.com/en_us/blogs/new-study-sees-need-better-software-integrity-controls-061410?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular

Government Computer News
Software supply chain security is target of industry group best practices
By Bill Jackson
June 14, 2010
http://gcn.com/articles/2010/06/14/safecode-supply-chain.aspx

Dark Reading
New Paper Outlines Potential Vulnerabilities In Software Supply Chain
By Tim Wilson
June 14, 2010
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=225700096&cid=RSSfeed_DR_News

CSO Magazine
Code Security: SAFECode report highlights best practices
By Bill Brenner
June 14, 2010
http://www.csoonline.com/article/596686/code-security-safecode-report-highlights-best-practices

SC Magazine
SAFECode releases software integrity guidance
By Dan Kaplan
June 14, 2010
http://www.scmagazineus.com/safecode-releases-software-integrity-guidance/article/172477/

ComputerWeekly.com
Software Producers Work Together to Turn the Tide on Cybercrime
June 9, 2010
http://www.computerweekly.com/Articles/2010/06/09/241506/Software-producers-work-together-to-turn-the-tide-on.htm

InformationWeek
Securing the Cyber Supply Chain
November 7, 2009
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221600499

NetworkWorld
Cybersecurity Supply Chain Management
October 28, 2009
http://www.networkworld.com/community/node/46844

HELP NET SECURITY
Adobe Joins SAFECode
September 29, 2009
http://www.net-security.org/secworld.php?id=8214

VNU/IT Week (UK)
Industry group tackles software supply chain attacks
July 21, 2009
http://www.v3.co.uk/v3/news/2246464/safecode-moves-reduce-supply

Government Computer News
SAFECode framework addresses software supply chain integrity
July 21, 2009
http://gcn.com/articles/2009/07/21/safecode-framework-software-suppy-chain-integrity.aspx

SC Magazine
Industry group releases software integrity framework
July 21, 2009
http://www.scmagazineus.com/Industry-group-releases-software-integrity-framework/article/140348/

IT Business Edge Blog
Group Addresses Software Supply Chain Attacks
July 22, 2009
http://www.itbusinessedge.com/cm/community/news/sec/blog/group-addresses-software-supply-chain-attacks/?cs=34317

The Security Development Lifecycle Blog
Working with SAFECode to Help Secure the Software Supply Chain
July 22, 2009
http://blogs.msdn.com/sdl/default.aspx

RSA Speaking of Security Blog
Securing the Software Supply Chain – Industry Releases Framework for Addressing Challenges
July 27, 2009
http://www.rsa.com/blog/blog_entry.aspx?id=1497

RSA Conference 365
Podcast: The Software Supply Chain and SAFECode
July 27, 2009
https://365.rsaconference.com/blogs/podcast-series-policy-and-government/2009/07/24/podcast-the-software-supply-chain-and-safecode

Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them
Agreement Will Change How Organizations Buy Software.
January 12, 2009
http://www.sans.org/top25errors/?utm_source=web&utm_medium=text-ad&utm_content=Announcement_Bar_20090111&utm_campaign=Top25&ref=37029

SearchSoftwareQuality.com
Secure software development practices 'not rocket science'
Dec. 3, 2008
http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1340940,00.html

ComputerWeekly.com
Industry experts to advise on software assurance
Oct. 29, 2008
http://www.computerweekly.com/Articles/2008/10/29/232959/industry-experts-to-advise-on-software-assurance.htm

InfoWorld
Martin Heller’s Strategic Developer Blog
Oct. 8, 2008
http://weblog.infoworld.com/stratdev/archives/2008/10/new_report_outl.html

SD Times
SAFECode Guide Advises Developers on Secure Practices
Oct.8, 2008
http://www.sdtimes.com/SAFECODE_GUIDE_ADVISES_DEVELOPERS_ON_SECURE_PRACTICES/About_SECURITY_and_SAFECODE/32955

Dr. Dobb’s Journal
SafeCode Releases Guidelines for Secure Code
Oct. 8, 2008
http://www.ddj.com/security/210800440

TMCNet
New Paper Studies Development Practices that Improve Software Security
Oct. 8, 2008
http://sip-trunking.tmcnet.com/topics/security/articles/42233-new-paper-studies-development-practices-that-improve-software.htm

SC Magazine UK Edition
May, 2008
http://www.scmagazine.com/uk/news/article/804392/software-safe-design/
Software: Safe by design
A new industry alliance promises to pave the way for more secure software. Is SAFECode what we've been waiting for?

Government Computer News
Oct. 23, 2007
http://www.gcn.com/online/vol1_no1/45286-1.html
IT industry creates secure coding advocacy group

vnunet.com
Oct. 23, 2007
http://www.vnunet.com/itweek/news/2201841/industry-launches-initiative
Tech industry launches initiative to boost software security
A major new industry initiative could ensure the quality and security of software

SearchSecurity.com
Oct. 23, 2007
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1278401,00.html
Tech vendors team up for secure software development

Dark Reading
Oct. 23, 2007
http://www.darkreading.com/document.asp?doc_id=137004&WT.svl=wire_1
Major Vendors Form SAFECode

eWEEK.com
Oct. 24, 2007
http://www.eweek.com/article2/0,1895,2206100,00.asp
Tech Foes Join Forces for Secure Code

Computerworld (UK)
Oct. 24, 2007
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=5813
RSA 2007: Software firms to share security best practice
SAFECode is first industry-led shared security effort

FederalNewsRadio -- Daily Debrief with Amy Morris
Oct. 25, 2007
http://www.federalnewsradio.com/?sid=1278706&nid=364
(Radio Interview)
The "Justice League" of IT Security

Silicon.com (UK)
Oct. 24, 2007
http://software.silicon.com/security/0,39024655,39168921,00.htm
Tech giants team up for secure software

Press Release -- SAFECode Launches Software Security Training Program Download Press Release as pdf

Media Contact:
Stacy Simpson
SAFECode
stacy at safecode.org
781-876-8833

FOR IMMEDIATE RELEASE

SAFECode Launches Software Security Training Program

New Program Provides Free Online Security Engineering Courses Based on Internal Training Materials Used by SAFECode Members

Program will Help Address Gaps in Security Engineering Awareness and Education

San Francisco – Security Development Conference – May 14, 2013 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced the launch of a new community resource for software security training and released its first set of free online security engineering training courses. The program aims to help address gaps in security engineering knowledge among the software engineering workforce, a key challenge facing organizations working to improve software security.

Security engineering training by SAFECode is a new online community resource offering free security training courses delivered via on-demand webcasts. Covering issues from preventing SQL injection to avoiding cross site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. SAFECode intends to add additional courses and resources to the site, including training program implementation advice based on the real-world experiences of SAFECode members, with the goal of creating an accessible and practical industry resource to support and promote software security training.

The collective experience of SAFECode’s member companies has shown that software security is most successful when it is treated as a process that reflects an individual company’s culture and unique development needs. Supporting this process through software security training is essential. In fact, an analysis of software security programs of SAFECode members revealed that each successful effort included internally developed security engineering training directed at those responsible for the development of the software they produce, including product managers, project managers, architects/designers, developers, and testers. Building on this observation, SAFECode’s new training program is designed to support the training framework outlined in its earlier paper, Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development.

“Ensuring that everyone touching the product development lifecycle has the knowledge they need to support an organization’s software security process is a fundamental challenge for any organization committed to software security success. While SAFECode’s analysis has shown that security training is most effective when aligned to an organization’s unique culture and security development process, we recognize that not every organization has the resources required to develop custom training,” said Howard A. Schmidt, Executive Director of SAFECode. “This seemed an obvious area where SAFECode members could use their internal resources to make a positive industry impact. By providing free training courses in a modular fashion, we hope other organizations can pick and choose the ones most relevant to their needs to either supplement an existing program or build the foundation for a new one.”

The initial set of courses released today covers introductory level topics and are based on training materials donated to SAFECode by Adobe after successful use in its software security program. A team of technical contributors from the SAFECode member companies reviewed and supplemented the course materials to ensure broad applicability across diverse development environments. Additional courses are already in the review process and will be added to the site on an ongoing basis. It is SAFECode’s goal to create a diverse catalog of security engineering training courses for all expertise levels as a community resource. In that spirit, comments on the course materials are encouraged so that the program and its materials can be evolved over time to best meet the needs of the community it aims to serve.

“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs,” said Schmidt. “While not a replacement for formal security engineering education at the college and university level, nor a one-sized fits all curriculum, SAFECode hopes that this new program is a step forward in addressing that knowledge gap and promoting the broad application of secure development practices.”

Visit https://training.safecode.org today to learn more about the program and participate in its free courses. To learn more about SAFECode and SAFECode membership, as well as additional training benefits available to SAFECode members, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, CA Technologies, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- CA Technologies Joins SAFECode Download Press Release as pdf

Media Contact:
Stacy Simpson
SAFECode
781-876-8833
stacy at safecode.org

FOR IMMEDIATE RELEASE

CA Technologies Joins SAFECode

Global Provider of Information Technology Management Solutions
Becomes Newest Member of Industry-led Software Security Effort

Wakefield, Mass. – May 1, 2013 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced CA Technologies as its newest member. With membership, CA Technologies joins a group of committed contributors and technology industry leaders including Adobe Systems Incorporated, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens and Symantec Corp.

SAFECode brings together technology industry experts with real-world experience in managing complex global processes for software development to foster a trusted exchange of insights on software security; encourage broad industry adoption of proven software security practices; and drive clarity into vendor software assurance practices to empower customers to better manage risk.

“As a provider of IT management solutions that play an essential role in business operations for customers around the world, CA Technologies has a deep committment to software assurance and an innovative software security program,” said Howard Schmidt, executive director, SAFECode. “CA Technologies’ expertise in reducing risk across complex IT environments brings another level of knowledge and insight to our efforts at SAFECode.”

Sanjiv Ranjan, Vice President and Chief Information Security Officer for CA Technologies, will join SAFECode's Board of Directors and play an active role in the leadership of the association and its projects. As a new member, CA Technologies will contribute to SAFECode’s ongoing efforts to identify, share and promote security assurance best practices based on the lessons learned from real-world implementations.

“Software security has long been a priority at CA Technologies and we believe that by sharing lessons learned from our processes and programs through SAFECode, we can have a positive impact on the security of the broader IT ecosystem,” said Ranjan. “We look forward to contributing to SAFECode’s efforts to advance and promote secure software development methods.”

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, CA Technologies, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Product and service names mentioned herein are the trademarks of their respective owners.

Press Release -- SAFECode Names Howard Schmidt Executive Director Download Press Release as pdf

Media Contact:
Stacy Simpson
+ 1 781-876-8833
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Names Howard Schmidt Executive Director

Former White House Cybersecurity Advisor Brings More than 40 Years of International Security Expertise to Leadership of Software Security Industry Group

San Francisco (RSA Conference) – February 25, 2013 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced it has named former White House cybersecurity advisor Howard A. Schmidt as its Executive Director.

Schmidt brings to SAFECode more than 40 years of information security experience, spanning defense, law enforcement, and corporate security. Most recently, Schmidt served as Special Assistant to the President and the Cybersecurity Coordinator for the U.S. government from 2009 to 2012. In this role, he was responsible for coordinating interagency cybersecurity policy development and implementation, and for coordinating engagement with federal, state, local, international and private sector cybersecurity partners.

“SAFECode has always been focused on a technical mission – identifying and promoting the most effective methods for increasing trust in commercial technology products and services. However, we can’t do this work in a bubble,“ said Steve Lipner, Chairman of the SAFECode Board of Directors and Partner Director of Program Management, Trustworthy Computing Security for Microsoft Corporation. “We must work together with customers and governments to foster a dialogue on software assurance, and ensure that our technical efforts have the most positive impact possible on the security challenges we all face. Howard’s unmatched experience in bringing technical experts together with defense, law enforcement and business leaders will help SAFECode to not only execute its technical mission, but also increase our global reach.”

Schmidt has had significant experience leading international security associations and forums throughout his career. He has served as President of both the Information Security Forum (ISF) and Information Systems Security Association (ISSA). Schmidt also was the co-founder and first president of the Information Technology Information Sharing and Analysis Center (IT-ISAC). He was the Vice-Chair of, and Security Strategist for, the Board of Directors for (ISC)2. He is a former executive board member of the International Organization of Computer Evidence, and served as the Co-chairman of the Federal Computer Investigations Committee.

“With more headlines everyday, cybersecurity has caught the attention of business leaders and governments worldwide. Though software assurance is rarely the subject of those stories, there are experts in product security doing important work to reduce vulnerabilities in our technology infrastructure and improve its resistance to attack,” said Howard Schmidt, executive director of SAFECode. “SAFECode brings together many of our most experienced software security professionals in a unique global collaboration that can have a real impact on the security of our technology infrastructure. As its Executive Director, I look forward to working with the members to advance and promote the practice of software assurance.”

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- Intel^® Joins SAFECode -- Download Press Release as pdf

FOR IMMEDIATE RELEASE

Intel^® Joins SAFECode

World Leader in Computing Innovation Latest Member to Commit to Industry-led Software Security Effort

Wakefield, Mass. – October 29, 2012 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced Intel® Corporation as its newest member. With membership, Intel joins a group of committed contributors and software industry leaders including Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens and Symantec Corp.

SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. In the first five years, the Forum has worked to aggressively advance an agenda that has measurably improved software security practices worldwide. Most recently, the Forum launched its Software Security Guidance for Agile Practitioners.

“The rapid advancement of threats has driven security requirements across – and more deeply within – systems than ever before,” said Stacy Simpson, policy and communications director, SAFECode. “Intel's innovations and strength in embedding security at the foundation of computing devices brings another level of expertise and perspective to our efforts.”

Jeffrey H. Cohen, Head of Product Security Assurance for Intel, will join SAFECode's Board of Directors and play an active role in the leadership of the association. As a new member, Intel will contribute to SAFECode’s ongoing efforts to identify, share and promote security assurance best practices based on the lessons learned from real-world implementations – and will take an active role in current SAFECode projects that address secure development methods and training.

Membership in SAFECode is open to commercial technology providers with significant global business activity in hardware, software and/or services and that have demonstrated a commitment, and dedicated resources, to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Releases Software Security Guidance for Agile Practitioners --
Download Press Release as pdf

Media Contact:
Stacy Simpson
+ 1 781-876-8833
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Software Security Guidance for Agile Practitioners

New Paper Presents Security Flaws and Secure Development Practices in an Actionable Format for Agile Software Development

Wakefield, Ma. - July 17, 2012 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “Practical Security Stories and Security Tasks for Agile Development Environments.” This new paper provides practical software security guidance to Agile practitioners in the form of security-focused stories and security tasks they can easily integrate into their Agile-based development environments. The paper is the outcome of a collaboration of SAFECode members working to simplify the process for addressing security assurance tasks as part of an Agile development methodology.

“A number of SAFECode members recognized the natural tension between the dynamic nature of Agile development methodologies and more formalized processes for secure software development. After working on various ways we could better insert the most important elements of the security process into a standard Agile development process, we came up with this relatively simple approach of presenting security-focused stories with associated security tasks, alongside operational security tasks and those that most often require the support of a security expert,” said Vishal Asthana, a lead author of the paper and Senior Principle Software Engineer, Product Security Group, Symantec Corp. “A small group of us have been piloting the approach within our own teams and have seen enough early value that we felt it would be beneficial to share the approach with the broader community.”

In an Agile development process, necessary changes are incorporated in a dynamic fashion. Cycles/sprints are very short, usually no more than two to four weeks, making it extremely difficult for software development teams to comply with long lists of security assurance tasks. This paper addresses this challenge by translating secure development practices into a language and format that Agile practitioners can more readily act upon as part of a standard Agile methodology. To further simplify things, the recommended security tasks are broken down by roles, including architects, developers and testers, and separately lists the tasks that most often require specialized skills from security experts.

As with SAFECode’s other work, both the security flaws and secure development practices outlined within the paper are derived from an analysis of the real-world experiences of SAFECode members. Further, in an effort to provide additional information for those interested in learning more about either the security weakness or recommended security practices, SAFECode has included Common Weakness Enumeration (CWE) references. The security-focused stories reflect the practices detailed in SAFECode’s paper, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today,” in a form that is consumable by Agile practitioners.

“SAFECode has dedicated significant resources to evaluating and improving the secure development process based on the experiences of its members in real-world implementations,” said Stacy Simpson, policy and communications director, SAFECode. “Though presented in a list format, this paper is an extension of our commitment to our process-based approach. Our goal is to present key elements of that process in a way that can be more readily acted upon by Agile practitioners. We hope that this paper will be useful to organizations that use, or plan to use, Agile methods and wish to incorporate security or enhance existing security tasks in their development process.”

“Practical Security Stories and Security Tasks for Agile Development Environments” is available for free download at www.safecode.org.

SAFECode encourages comments and contributions on this paper as well as its other publications. To contribute, please contact feedback at safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens AG and Symantec Corp.

Membership in SAFECode is open to commercial technology providers with significant global business activity in hardware, software and/or services and that have demonstrated a commitment and dedicated resources to software assurance.

For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Adds Siemens as Newest Member -- Download Press Release as pdf

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703 812 9199
stacy.simpson at goodharbor.net

FOR IMMEDIATE RELEASE

SAFECode Adds Siemens as Newest Member

Global Powerhouse in Electronics and Electric Engineering Joins Industry-led Software Security Effort

Arlington, Va. - Nov. 8, 2011 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced Siemens as its newest member. SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Siemens joins software industry leaders Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. in SAFECode membership.

“As one of the world’s largest and most diverse corporations, Siemens brings unique expertise and perspective to SAFECode’s efforts,” said Paul Kurtz, executive director of SAFECode. “Its experience delivering technology to the energy, healthcare and manufacturing sectors will greatly strengthen our ability to promote software security practices across a diverse ecosystem. We are looking forward to working with Siemens to build upon the positive work it is doing on software security.”

Dr. Frances Paulisch, head of the company-wide Software Initiative at Siemens, will join SAFECode’s Board of Directors and play an active role in the leadership of the association. In addition, as a SAFECode member, Siemens will join with other global technology providers in a trusted exchange on software assurance challenges and best practices. It will contribute to SAFECode’s ongoing efforts to identify, share and promote software security best practices based on the lessons learned from real-world implementations. Siemens will take an active role in current SAFECode projects that address secure development methods and training.

“Siemens recognizes the importance of software security and applies security practices across our organization,” said Dr. Paulisch. “We are looking forward to working with the other SAFECode members to share the lessons we have learned, gain insight into new ways to advance our internal programs, and positively influence the state of software security.”

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

About Siemens
Siemens AG (Berlin and Munich) is a global powerhouse in electronics and electrical engineering, operating in the fields of industry, energy and healthcare as well as providing infrastructure solutions, primarily for cities and metropolitan areas. For over 160 years, Siemens has stood for technological excellence, innovation, quality, reliability and internationality. The company is the world’s largest provider of environmental technologies. More than one-third of its total revenue stems from green products and solutions. In fiscal 2010, which ended on September 30, 2010, revenue from continuing operations (excluding Osram and Siemens IT Solutions and Services) totaled €69 billion and net income from continuing operations €4.3 billion. At the end of September 2010, Siemens had around 336,000 employees worldwide on the basis of continuing operations. Further information is available on the Internet at: www.siemens.com.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Releases Updated Guidance on Secure Development Practices --
Download Press Release as pdf

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Updated Guidance on Secure Development Practices

Report Provides Foundational Set of Secure Development Practices Based on
an Analysis of the Real-World Actions of SAFECode Members

New Edition Outlines Methods to Help Managers Verify that Development Teams Followed Prescribed Security Practices

Arlington, Va. - February 8, 2011 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released the second edition of “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.” The report is intended to help others in the industry initiate or improve their own software security programs and encourage the industry-wide adoption of fundamental secure development methods. The paper was jointly developed by SAFECode’s members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp.

As with the original, this latest report from SAFECode is not meant to be a comprehensive guide to all possible secure development best practices. Rather it is meant to provide a foundational set of “practiced practices” that have been shown to be effective in improving software security in real-world implementations by SAFECode members even across diverse development environments.

“It has been more than two years since we released our first paper on secure development practices,” said Paul Kurtz, executive director of SAFECode. “In that time, the process of building secure software has continued to evolve and improve alongside innovations and advancements in the information and communications technology industry. The second edition of the paper aims to disseminate the new knowledge SAFECode has gathered, and provide new tools and improved guidance for those implementing the paper’s recommended practices.”

In addition to providing updated security practices that should be applied during the design, development and testing activities in the software development lifecycle, the new edition of the report aims to address an important challenge for those managing software security programs – the need to verify that the development teams followed prescribed security practices. For each listed practice, SAFECode has included verification methods and tools that can be used to help confirm whether a practice was applied. Further, SAFECode has included Common Weakness Enumeration (CWE) references for each practice to provide a more detailed illustration of the security issues these practices aim to resolve.

“Software vendors have both a responsibility and a business incentive to ensure software security,” said Kurtz. “SAFECode encourages software developers to not only consider, tailor and adopt the practices outlined in this paper, but to also continue to contribute to a broad industry dialogue on advancing secure software development.”

SAFECode will continue to review and update the practices in this paper based on the experiences of its members and the feedback from the industry and other stakeholders. To this end, SAFECode encourages comments and contributions, especially to the newly added work on verification methods. To contribute, please visit www.safecode.org

The second edition of the “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today” is available for free download at http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode to Host 'Supplier Perspectives on Supply Chain Security' Panel at the 2010 CIP Congress -- Download Press Release as pdf

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703-812-9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode to Host 'Supplier Perspectives on Supply Chain Security' Panel at the 2010 CIP Congress

Arlington, Va. - November 29, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, will be hosting a 'Supplier Perspectives on Supply Chain Security' panel on Wednesday, Dec. 1, 2010 from 4:30 p.m. to 5:30 p.m. at the 2010 CIP Congress, Gaylord National Resort Hotel and Conference Center, Washington, DC.

Designed to foster dialogue between information technology suppliers and critical infrastructure owners/operators on today's most pressing supply chain security issues, the session will provide an opportunity for discussion with conference attendees about needed next steps to improve supply chain security in a world of growing threats to critical infrastructures. SAFECode panelists will also offer insight into supplier best practices in software assurance and supply chain integrity based on their collective experience.

"As one of the year's most productive gatherings of security professionals in the critical infrastructure industry, the CIP Congress presents an excellent opportunity for SAFECode to engage in a dialogue with this important user community," said Stacy Simpson, policy and communications director for SAFECode. "Software assurance plays a key role in ensuring resiliency and SAFECode looks forward to an open discussion on how suppliers and users can work together to continue to improve confidence in the software relied upon by critical infrastructure owners and operators."

Participating SAFECode members, who represent the leadership of product security initiatives in some of the world’s largest IT companies, include:

• Robert Dix - Vice President, Government Affairs & Critical Infrastructure Protection, Juniper Networks, Inc.
• Steven B. Lipner - Senior Director of Security Engineering Strategy, Trustworthy Computing Security, Microsoft Corp.
• Gary Phillips - Senior Director, Technology Assurance and Standards Research, Symantec Corp.
• Dan Reddy - Consulting Product Manager, Product Security Office, EMC Corporation

CIP Congress attendees are also invited to join SAFECode for a lunch discussion Wednesday, Dec. 1 on process transparency for software assurance.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- Brainstorm 2020 A Vision for Software Security -- Download Press Release as pdf

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703-812-9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

Announcing ‘Brainstorm 2020: A Vision for Software Security’ at Black Hat USA 2010

SAFECode Hosting Community Brainstorm to Gather Forward-Thinking Ideas on How to Improve Software Security

Arlington, Va. - July 8, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, will be hosting ‘Brainstorm 2020: A Vision for Software Security’ on Tuesday, July 27, 2010 from 5:00 p.m. to 6:30 p.m. at the Black Hat USA 2010 conference, Caesars Palace, Las Vegas. This open mic, community-style brainstorm is designed to cultivate a dialogue that will help define a shared vision for software security and identify new, forward-looking approaches to achieving that vision.

SAFECode invites those interested in advancing software security to come to the event and share your thoughts on two key questions:

• What should our vision be for software security in 2020?
• What are your ideas for leap-ahead approaches to advance software security over the next ten years?

Members of SAFECode, who represent the leadership of product security initiatives in some of the world’s largest IT companies, will be on hand to join in the brainstorm and to gather new ideas for future work. Participating SAFECode members include:

• Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation
• Brad Arkin, Director of Product Security and Privacy, Adobe Systems Incorporated
• Gary Phillips, Senior Director, Standard Tools and Technologies, Symantec Corporation
• Janne Uusilehto, Head of Product Security, Nokia

For more information on the event, please visit http://www.safecode.org/register.php. There is no charge to attend, but registration is required and space is limited, so please register today. If you are unable to attend the event, but would like to share an idea, you may submit your idea online at http://www.safecode.org/register.php.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- Software Integrity Controls -- Download Press Release as pdf

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703 812 9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases First Industry-Developed Guidance on Software Integrity Controls

New Report Outlines Assurance-Based Approach to Securing the Software Supply Chain

Arlington, Va. - June 14, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain.” The new report provides actionable recommendations for minimizing the risk of vulnerabilities being inserted into a software product during its sourcing, development and distribution. The paper was jointly developed by SAFECode’s members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp., and is based upon an analysis of the real-world actions these companies take to secure their supply chain processes.

“Software assurance is most commonly discussed in terms of security engineering, or in other words, building security into the software as it is being developed. However, another important aspect of assurance is securing the supply chain processes for software sourcing, development and distribution to protect the integrity of delivered software,” said Paul Kurtz, executive director of SAFECode. “SAFECode’s latest paper addresses this emerging area of assurance and represents the first industry-led effort to identify and analyze the software integrity controls used by software vendors to protect software from the insertion of vulnerabilities as it moves along the global supply chain.”

The software integrity controls identified in the paper are used by major software vendors to address the risk that insecure processes, or a motivated attacker, could undermine the security of a software product as it moves through the links in the global supply chain. The controls aim to preserve the quality of securely developed code by securing the processes used to source, develop, deliver and sustain software. The controls identified in the report cover issues ranging from contractual relationships with suppliers, to securing source code repositories, to helping customers confirm the software they receive is not counterfeit. The work builds upon SAFECode’s previously released “Software Supply Chain Integrity Framework,” which defines a taxonomy for describing supply chain security in the context of software assurance.

“By basing our analysis on the actual practices and controls being used by SAFECode members today, we were able to identify software integrity controls that are not only effective, but also practical, repeatable and verifiable,” said Gunter Bitz, Head of Product Security Governance at SAP and a key contributor to the report. “We believe that broad industry adoption of software integrity controls can greatly improve customer confidence in IT systems. To help achieve this goal, SAFECode encourages other producers and distributors of software to tailor and adopt these controls into their own supply chain processes, as well as continue future study and analysis on additional methods to improve software integrity.” The paper also identifies areas that SAFECode believes deserve future industry-led collaboration and study. The ideas proposed include improved supplier management and communications along the supply chain, additional research on software testing, and the development of effective strategies for software assurance measurement. To continue the discussion, SAFECode encourages public comment on this paper and will consider feedback collected for future projects. To comment, please visit www.safecode.org.

“Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain” is available for free download at www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Adds Adobe -- Download Press Release as pdf

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Adds Adobe as Newest Member

Global Technology Leader Joins Industry-led Software Security and Assurance Effort

Arlington, Va. - Sept 29, 2009 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced Adobe Systems Incorporated as its newest member. SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Adobe joins software industry leaders EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. in SAFECode membership.

“As one of the world’s largest and most diversified software companies, Adobe brings invaluable expertise to SAFECode,” said Paul Kurtz, Executive Director of SAFECode. “We are looking forward to working with Adobe to build upon the positive work it is doing on software security. This collaboration will strengthen our ability to promote the adoption of practical software assurance methods across an increasingly diverse cyber ecosystem.”

As a SAFECode member, Adobe will join with subject matter experts to identify and share proven best practices for software assurance, promote broader adoption of software assurance best practices into the cyber ecosystem, and work with businesses, governments and critical infrastructure providers to leverage these practices to manage enterprise risks. Adobe will take an active role in current SAFECode projects that address secure development methods, software integrity in the global supply chain, and the measurability of software security.

“Adobe recognizes the importance of software assurance and applies security best practices when building products to deliver more secure, trusted and engaging user experiences,” said Brad Arkin, Director, Product Security & Privacy, Adobe and newest SAFECode Board Member. “We look forward to collaborating with SAFECode’s members to further advance software security.”

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Releases Framework for Software Supply Chain Integrity --
Download Press Release as pdf

Media Contact:
Stacy Simpson
+ 1 703 812 9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Framework for Software Supply Chain Integrity

New Paper Defines Risks and Responsibilities for Securing Software in the Global Supply Chain

Arlington, Va. - July 21, 2009 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.” The paper outlines the first industry-driven framework for analyzing and describing the efforts of software suppliers to mitigate the potential that software could be intentionally compromised during its sourcing, development or distribution. The paper was jointly developed by SAFECode’s members, which include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

As the software industry has become increasingly globalized, a concern has risen over the possibility that an IT solution could be compromised by the intentional insertion of malicious code into the solution’s software during its development or maintenance, which is often referred to as a supply chain attack. Though experts have concluded that the supply chain is not the most likely attack vector, vendors are taking action to mitigate supply chain risk by applying software integrity practices - the collection of processes and controls that enable a vendor to deliver customers a product that is uncompromised, thereby containing only what the vendor intends.

“While SAFECode’s members have individually implemented software integrity practices, this is the first time industry has come together to establish a common framework for ensuring the integrity of software through the global supply chain,” said Paul Kurtz, executive director of SAFECode. “This framework will serve as the foundation for subsequent work aimed at identifying and analyzing software integrity best practices and represents a critical step forward in the industry’s efforts to advance software assurance.”

Software assurance is most frequently discussed in the context of ensuring that code itself is more secure through the application of secure software development practices. However, while there has been a growing and appropriate focus on eliminating software vulnerabilities through secure development practices, this represents only one element of software assurance. The processes for sourcing, creating and delivering software must also contain integrity controls to enhance confidence that the software functions as the supplier intended.

Within SAFECode’s software supply chain integrity framework, software supply chain integrity controls address the access, storage and handling of development assets throughout the key links in the software supply chain – supplier sourcing, product development and testing, and product delivery. The controls are designed to be independent of geography, accommodate diverse sources of software components, and extend from a vendor’s suppliers to its customers. Software supply chain integrity practices and controls derive from established security and integrity principles, including:

• Chain of Custody: The confidence that each change and handoff made during the source code’s lifetime is authorized, transparent and verifiable.
• Least Privilege Access: Personnel can access critical data with only the privileges needed to do their jobs.
• Separation of Duties: Personnel cannot unilaterally change data, nor unilaterally control the development process.
• Tamper Resistance and Evidence: Attempts to tamper are obstructed, and when they occur they are evident and reversible.
• Persistent Protection: Critical data is protected in ways that remain effective even if removed from the development location.
• Compliance Management: The success of the protections can be continually and independently confirmed.
• Code Testing and Verification: Methods for code inspection are applied and suspicious code is detected.

SAFECode will build upon this framework for software supply chain integrity with a focused effort to identify and analyze the most effective software integrity controls and practices that its member companies use to help ensure the integrity of their software. It will publish its findings later this year to help extend these practices across the industry and provide customers with additional insight into how to view and evaluate the processes by which software integrity is achieved.

“The complexities and interdependencies of the IT ecosystem require software suppliers to not only be able to demonstrate the security of products they produce, but also evaluate the integrity of products they acquire and use. For this reason, every software supplier has a significant stake in the identification, communication and evaluation of best practices for ensuring software integrity,” said Kurtz. “By promoting the adoption of well-defined software integrity practices across the industry, these efforts should ultimately lead to increased customer confidence in the security of IT solutions.”

A full copy of “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain” is available for free download at http://www.safecode.org/publications/SAFECode_Supply_Chain0709.pdf

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Seeks Public Comment on Guide to Secure Development Practices --
Download Press Release as pdf

Media Contact:
Stacy Simpson
+ 1 202 262 7057
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Seeks Public Comment on Guide to Secure Development Practices

Arlington, Va. and San Francisco (RSA Conference) – April 20, 2009 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today issued a call for comments on its “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."

Originally released in October 2008, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. Due to the positive response to the paper’s publication, as well as the rapidly evolving information security environment, SAFECode will be releasing an updated version in late 2009. SAFECode is offering experts outside of its membership an opportunity to provide input into the paper’s next version in its continued effort to make the recommendations as useful and relevant as possible.

“SAFECode’s paper on development practices was based on a detailed analysis of the real world experience of its members. Opening the paper to contributions by experts outside of our membership will not only expand our frame of reference, but also enable us to include feedback from those who have worked to put the original paper’s practices into action,” said Paul Kurtz, Executive Director of SAFECode.

The brief and highly actionable paper describes each identified security practice across the software development lifecycle – Requirements, Design, Programming, Testing, Code Handling and Documentation – and offers implementation advice based on the experiences of SAFECode members.

To submit your comments, please visit www.safecode.org. SAFECode will be accepting comments until July 31, 2009.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Send Comments on Development Practices

Press Release -- SAFECode Establishes International Board of Advisors --
Download Press Release as pdf

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Establishes International Board of Advisors

Diverse Group of Information Security Experts will Help Guide SAFECode’s Work to Improve Software Security

Arlington, Va. - Oct. 28, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced that it has established an International Board of Advisors to help guide its efforts to advance software assurance. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

SAFECode’s International Board of Advisors is comprised of information technology experts representing government agencies, private-sector organizations and academic institutions from around the world. Its members provide third-party perspective and expertise to advise SAFECode on its efforts to advance secure development practices and promote software assurance

Members of the SAFECode International Board of Advisors include:

• William C. Barker, Chief Cyber Security Advisor, National Institute of Standards and Technology
• Matt Bishop, Professor, Department of Computer Science, University of California, Davis
• Dr. Paul Dorey, Director, CSO Confidential & Chairman of the Institute of Information Security Professionals
• Claudia Eckert, Professor, Fraunhofer Institute for Secure Information Technology
• Zoltán Hornák, Budapest University of Technology and Economics, SEARCH Security Evaluation Analysis and Research Laboratory
• Alan Paller, Director of Research, SANS Institute
• Prof. Dr. Joachim Posegga, Chair of IT-Security, Institute for IT Security and Security Law (ISL), University of Passau
• Juha Röning, Professor, University of Oulu (Finland)
• Reijo Savola, Network and Information Security Research Coordinator, VTT Technical Research Centre of Finland
• Dan S. Wallach, Associate Professor, Department of Computer Science, Rice University (Houston, Texas)

"SAFECode has brought together this group of renowned information security experts to help guide and inform our efforts to improve the security and integrity of software,” said Paul Kurtz, executive director of SAFECode. “We share a common belief that software assurance plays a vital role in strengthening the security of our information infrastructure and we are thrilled to have the opportunity to leverage the diverse expertise and insight of this board of advisors as we work to advance secure software development."

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Adds Nokia -- Download Press Release as pdf

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Adds Nokia as Newest Member

Global leader in mobile technology joins industry-led effort to advance software assurance

Arlington, Va. - March 31, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced that it has added Nokia as its newest member. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

"As the global leader in mobile technology, Nokia brings invaluable expertise to SAFECode's efforts," said Paul Kurtz, executive director of SAFECode. "Software underpins the communications and mobile computing infrastructures we've come to rely on in so many ways. SAFECode is thrilled to have the opportunity to work with Nokia to build on the positive work the company has already done to promote assurance best practices across the mobile technology ecosystem."

As a SAFECode member, Nokia will join with subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks.

"The continuous development of secure technology has always been core to Nokia's commitment to its customers. Participation in SAFECode offers a valuable opportunity to extend our corporate dedication to security and positively influence the security of the communications infrastructure to the benefit of all technology users," said Janne Uusilehto, Head of Nokia Product Security. "We look forward to working with SAFECode's members to promote secure software development practices."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

About Nokia
Nokia is the world leader in mobility, driving the transformation and growth of the converging Internet and communications industries. We make a wide range of mobile devices with services and software that enable people to experience music, navigation, video, television, imaging, games, business mobility and more. Developing and growing our offering of consumer Internet services, as well as our enterprise solutions and software, is a key area of focus. We also provide equipment, solutions and services for communications networks through Nokia Siemens Networks.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- SAFECode Formed -- Download Press Release as pdf

Leading Technology Companies Form Industry Group to Advance Software Assurance

SAFECode to promote best practices for the delivery of more secure and reliable software, hardware and services

Paul Kurtz named executive director

Arlington, VA. and London (RSA Conference Europe) -- Oct. 23, 2007 -- A group of leading information and communications technology companies today announced the formation of the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information technology (IT) products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG, and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

As the global dependence on information and communications technology has grown, users have become increasingly concerned over the integrity, security and reliability of software, hardware and services, especially those in the government, critical infrastructure and enterprise sectors. The need to reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity has never been more important than in today's increasingly complex and dynamic threat environment. To help achieve these objectives and strengthen the security of the IT ecosystem, SAFECode unites key stakeholders in an effort to advance software assurance by developing and promoting a set of methods for secure product development and integrity controls that protect software, hardware and services across the global supply chain.

While individual companies have implemented effective methods for developing and delivering more secure and reliable software, hardware and services, there has been no coordinated, industry-led effort to build upon this positive work and promote best practices to advance software assurance more broadly. SAFECode fills this critical gap by bringing together subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks.

• Increase understanding of the secure development methods and integrity controls used by vendors
• Promote proven software assurance practices among vendors and customers to foster a more trusted ecosystem
• Identify opportunities to leverage vendor software assurance practices to better manage enterprise risks
• Foster essential university curriculum changes needed to support the cyber ecosystem
• Catalyze action on key research and development initiatives in the area of software assurance

To help SAFECode achieve its objectives, the organization has named Paul Kurtz, a recognized cyber security expert, as its executive director. Currently a partner at Good Harbor Consulting LLC, Kurtz most recently served as the founding executive director of the Cyber Security Industry Alliance (CSIA). Prior to CSIA, he served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush.

"Software assurance is a critical element of IT ecosystem security. By building on the positive work already done in this area by individual firms and encouraging broader adoption of proven best practices for the development and delivery of more secure technology products and services, SAFECode has a unique opportunity to significantly impact the overall security and reliability of the cyber infrastructure," said Paul Kurtz, executive director of SAFECode. "With the support of its founding members, SAFECode will work to meet the growing demand for information and dialogue on software assurance and increase the trust in IT and communications products and services."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in IT technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. In addition, SAFECode will be assembling an advisory of government leaders and critical infrastructure operators from around the globe to better understand and respond to key software assurance challenges.

About SAFECode The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. For more information, please visit www.safecode.org.

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

CSO Magazine Code Security: White House lessons, part 2
June 14, 2010
Paul Kurtz talks with CSO senior editor, Bill Brenner, on software integrity controls paper
http://www.csoonline.com/podcast/596691/code-security-white-house-lessons-part-2

CSO Magazine
Code Security: Lessons from the White House
June 10, 2010
Paul Kurtz discusses code security with CSO senior editor, Bill Brenner
http://www.csoonline.com/podcast/596515/code-security-lessons-from-the-white-house

Federal News Radio
SafeCode: 'The Supply Chain Integrity Framework'
July 30, 2009
http://www.federalnewsradio.com/index.php?nid=56&sid=1727458

Federal Security Radio
May 21, 2009
Paul Kurtz discusses software assurance with Tom Temin on Federal Security Spotlight.
http://www.federalnewsradio.com/index.php?nid=56&sid=1678843

RSA Conference Europe 2008
Oct 26, 2008
Paul Kurtz discusses the issues surrounding product security.
https://365.rsaconference.com/blogs/podcast_series_rsa_conference_europe_2008/2008/10/26/session-preview-with-paul-kurtz
Podcast

WAMU NPR: Cyber Threats
Jun. 25, 2008
Diane Rehm talks with Paul Kurtz, Alan Paller, Stephen Spoonamore, and Congressman Jim Langevin about growing concerns over cyber attacks in the public and private sectors.
http://podcastdownload.npr.org/anon.npr-podcasts/podcast/305/510071/91879571/WAMU_91879571.mp3
51:20 Podcast

IT Week Podcast: RSA Conference Europe
Oct. 25, 2007
This week David Neal talks to Phil Muncaster about the latest news coming from the annual RSA Conference Europe event in London's ExCel.
MP3 (5.6 MB) - http://images.vnunet.com/v7_static/itw/podcasts/IT-Week-Podcast-25-October.mp3
Podcast