SAFECode Driving Security and Integrity

Industry Events

ISSE Conference
Brussels, Belgium
October 14-15, 2014
http://isse.eu.com/

Media Contact

Shannon Todesca
CHEN PR
781-672-3137
safecode at chenpr.com

SAFECode In The News

Building Secure Cloud Apps: CSA, SAFECode Provide Guidance
eWEEK
By Sean Michael Kerner
December 13 2013
http://www.eweek.com/cloud/building-secure-cloud-apps-csa-safecode-provide-guidance.html/

Locking down cloud applications
GCN
By William Jackson
December 13 2013
http://gcn.com/blogs/cybereye/2013/12/safecode.aspx

Cyberthreats for 2014: Not just the usual suspects
GCN
By William Jackson
December 11, 2013
http://gcn.com/Articles/2013/12/11/cybersecurity-threats-2014.aspx?Page=1

CSA, SAFECode release guidelines for secure development in the cloud
FierceCIO
By David Wheldon
December 11, 2013
http://www.fiercecio.com/story/csa-safecode-release-guidelines-secure-development-cloud/2013-12-11#ixzz2nCnIfYdZ

Experts Offer Advice For Developing Secure Cloud Applications
Dark Reading
By Brian Prince
December 6, 2013
http://www.darkreading.com/applications/experts-offer-advice-for-developing-secu/240164509

CSA Congress 2013: CSA and SAFECode Issue Guidance for Developing Cloud Applications
Infosecurity Magazine
By Drew Amarosi
December 5, 2013
http://www.infosecurity-magazine.com/view/36016/csa-congress-2013-csa-and-safecode-issue-guidance-for-developing-cloud-applications/

Need to build secure software? Free help is online
GCN
By Bill Jackson
May 14, 2013
http://gcn.com/articles/2013/05/14/online-help-building-secure-software.aspx

Microsoft, IT Industry Push Software Security Standard
eWEEK
By Robert Lemos
May 14, 2013
Also in TechWeek Europe
http://www.eweek.com/security/microsoft-it-industry-push-software-security-standard/

Adobe Shares Cybersecurity Lessons Learned the Hard Way
WSJ CIO Journal
By Rachel King
May 13, 2013
Also in WSJ Risk & Compliance Journal
http://blogs.wsj.com/cio/2013/05/13/adobe-shares-cybersecurity-lessons-learned-the-hard-way/

SAFECode Launches Software Security Training Program For Enterprises
Dark Reading
By Tim Wilson
May 14, 2013
http://www.darkreading.com/management/safecode-launches-software-security-trai/240154808

Bank Internet Links Can Give Hackers Keys to Vaults
Ecommerce Times
By John P. Mello Jr.
May 13, 2013
http://www.ecommercetimes.com/story/78016.html

SAFECode Launches Free Software Security Training Courses
SecurityWeek
By Fahmida Y. Rashid
May 14, 2013
http://www.securityweek.com/safecode-launches-free-software-security-training-courses

Cracking The Code: Organization Teaches How To Make Software Safer
CRN
By Robert Westervelt
May 13, 2013
http://www.crn.com/news/security/240154688/cracking-the-code-organization-teaches-how-to-make-software-safer.htm

Developers need more training programs like SAFECode
VeraCode Blog
By Chris Wysopal
May 14, 2013
http://www.crn.com/news/security/240154688/cracking-the-code-organization-teaches-how-to-make-software-safer.htm

Software Security Training for All
EMC Product Security Blog
By Eric Baize
May 14, 2013
http://productsecurityblog.emc.com/2013/05/software-security-training-for-all/#more-298

Howard Schmidt Announces SAFECode secure software development training
InfoSecurity
By Staff
May 14, 2013
http://www.infosecurity-magazine.com/view/32404/howard-schmidt-announces-safecode-secure-software-development-training/

SAFECode offers free security training
ITWeb
By Kirsten Doyle
May 15, 2013
http://www.itweb.co.za/index.php?option=com_content&view=article&id=64063:SAFECode-offers-free-security-training

SAFECode publishes free secure code training modules
ComputerWeekly
By Warwick Ashford
May 15, 2013
http://www.computerweekly.com/news/2240184150/SAFECode-publishes-free-secure-code-training-modules

Security-focused stories: Implementation tips in Agile development environments
Agile Record Magazine
Vishal Asthana, Rohit Sethi
February 2013
http://www.agilerecord.com/agilerecord_13.pdf

Cyber forecast for 2013: 4 areas where the stakes are raised
Government Computer News
By Bill Jackson
December 21, 2012
http://gcn.com/Articles/2012/12/21/Cyber-forecast-2013-stakes-raised.aspx?Page=1

After Five Years, SAFECode Sees Software Security Progress, But Challenges Remain
Threatpost
The Kaspersky Lab Security News Service
By Dennis Fisher
October 23, 2012
http://threatpost.com/en_us/blogs/after-five-years-safecode-sees-software-security-progress-challenges-remain-102312

I Programmer
SAFECode Guidance for Agile Practitioners
By Alex Armstrong
July 30, 2012
http://www.i-programmer.info/news/99-professional/4558-safecode-guidance-for-agile-practitioners.html

SD Times
SAFECode guides agile developers in security
By Suzanne Kattau
July 23, 2012
http://sdt.bz/36820#ixzz21YKGm6e6

Help Net Security
Software security guidance for Agile practitioners
July 20, 2012
http://www.net-security.org/secworld.php?id=13281

FierceCIO
Vendor coalition issues guidelines for safer code
By Caron Carlson
July 19, 2012
http://www.fiercecio.com/story/vendor-coalition-issues-guidelines-safer-code/2012-07-19

SecurityWeek
Industry Group Releases Security Guidelines for Agile Development
By Fahmida Y. Rashid
July 18, 2012
http://www.securityweek.com/industry-group-releases-security-guidelines-agile-development

Network World
Microsoft, Juniper, others in coding consortium issue guidelines for safer applications
By Tim Greene
July 18, 2012
http://www.networkworld.com/news/2012/071812-safecode-260989.html

Government Computer News
Fresh advice on building safer software
By Bill Jackson
February 8, 2011
http://gcn.com/Articles/2011/02/08/SAFECode-secure-software-development-guide.aspx?Page=1

Dark Reading
SAFECode Issues Best Practices For Writing Secure Code
By Kelly Jackson Higgins
February 8, 2011
http://www.darkreading.com/database-security/167901020/security/application-security/229204126/safecode-issues-best-practices-for-writing-secure-code.html

SC Magazine
SAFECode updates secure development guide
By Angela Moscaritolo
February 8, 2011
http://www.scmagazineus.com/safecode-updates-secure-development-guide/article/195902/

SC Magazine
Top of the heap: 2010's IT security luminaries
By SC Magazine Staff
December 1, 2010
http://www.scmagazineus.com/top-of-the-heap-2010s-it-security-luminaries/article/191400/

SD Times
From the Editors: Opening up about security
By SD Times Editorial Board
Aug 15, 2010
http://www.sdtimes.com/content/article.aspx?ArticleID=34557&page=1

SD Times
Black Hat conference fields suggestions for software security
By David Worthington
July 28, 2010
http://www.sdtimes.com/content/article.aspx?ArticleID=34518&page=1

SC Magazine
Supply subversion
By Angela Moscaritolo
July 1, 2010
http://www.scmagazineus.com/supply-subversion/article/172654/
Note: Registration is required

SD Times
SAFECode outlines path to complete code integrity
By Katie Serignese
June 28, 2010
http://www.sdtimes.com/SAFECODE_OUTLINES_PATH_TO_COMPLETE_CODE_INTEGRITY/By_Katie_Serignese/About_SAFECODE/34445

Dark Reading
Why Can't Johnny Develop Secure Software?
By Tim Wilson
June 16, 2010
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=225700320&cid=RSSfeed_DR_News

ThreatPost
New Study Sees Need for Better Software Integrity Controls
By Dennis Fisher
June 14, 2010
http://threatpost.com/en_us/blogs/new-study-sees-need-better-software-integrity-controls-061410?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular

Government Computer News
Software supply chain security is target of industry group best practices
By Bill Jackson
June 14, 2010
http://gcn.com/articles/2010/06/14/safecode-supply-chain.aspx

Dark Reading
New Paper Outlines Potential Vulnerabilities In Software Supply Chain
By Tim Wilson
June 14, 2010
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=225700096&cid=RSSfeed_DR_News

CSO Magazine
Code Security: SAFECode report highlights best practices
By Bill Brenner
June 14, 2010
http://www.csoonline.com/article/596686/code-security-safecode-report-highlights-best-practices

SC Magazine
SAFECode releases software integrity guidance
By Dan Kaplan
June 14, 2010
http://www.scmagazineus.com/safecode-releases-software-integrity-guidance/article/172477/

ComputerWeekly.com
Software Producers Work Together to Turn the Tide on Cybercrime
June 9, 2010
http://www.computerweekly.com/Articles/2010/06/09/241506/Software-producers-work-together-to-turn-the-tide-on.htm

InformationWeek
Securing the Cyber Supply Chain
November 7, 2009
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221600499

NetworkWorld
Cybersecurity Supply Chain Management
October 28, 2009
http://www.networkworld.com/community/node/46844

HELP NET SECURITY
Adobe Joins SAFECode
September 29, 2009
http://www.net-security.org/secworld.php?id=8214

VNU/IT Week (UK)
Industry group tackles software supply chain attacks
July 21, 2009
http://www.v3.co.uk/v3/news/2246464/safecode-moves-reduce-supply

Government Computer News
SAFECode framework addresses software supply chain integrity
July 21, 2009
http://gcn.com/articles/2009/07/21/safecode-framework-software-suppy-chain-integrity.aspx

SC Magazine
Industry group releases software integrity framework
July 21, 2009
http://www.scmagazineus.com/Industry-group-releases-software-integrity-framework/article/140348/

IT Business Edge Blog
Group Addresses Software Supply Chain Attacks
July 22, 2009
http://www.itbusinessedge.com/cm/community/news/sec/blog/group-addresses-software-supply-chain-attacks/?cs=34317

The Security Development Lifecycle Blog
Working with SAFECode to Help Secure the Software Supply Chain
July 22, 2009
http://blogs.msdn.com/sdl/default.aspx

RSA Speaking of Security Blog
Securing the Software Supply Chain – Industry Releases Framework for Addressing Challenges
July 27, 2009
http://www.rsa.com/blog/blog_entry.aspx?id=1497

RSA Conference 365
Podcast: The Software Supply Chain and SAFECode
July 27, 2009
https://365.rsaconference.com/blogs/podcast-series-policy-and-government/2009/07/24/podcast-the-software-supply-chain-and-safecode

Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them
Agreement Will Change How Organizations Buy Software.
January 12, 2009
http://www.sans.org/top25errors/?utm_source=web&utm_medium=text-ad&utm_content=Announcement_Bar_20090111&utm_campaign=Top25&ref=37029

SearchSoftwareQuality.com
Secure software development practices 'not rocket science'
Dec. 3, 2008
http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1340940,00.html

ComputerWeekly.com
Industry experts to advise on software assurance
Oct. 29, 2008
http://www.computerweekly.com/Articles/2008/10/29/232959/industry-experts-to-advise-on-software-assurance.htm

InfoWorld
Martin Heller's Strategic Developer Blog
Oct. 8, 2008
http://weblog.infoworld.com/stratdev/archives/2008/10/new_report_outl.html

SD Times
SAFECode Guide Advises Developers on Secure Practices
Oct. 8, 2008
http://www.sdtimes.com/SAFECODE_GUIDE_ADVISES_DEVELOPERS_ON_SECURE_PRACTICES/About_SECURITY_and_SAFECODE/32955

Dr. Dobb's Journal
SafeCode Releases Guidelines for Secure Code
Oct. 8, 2008
http://www.ddj.com/security/210800440

TMCNet
New Paper Studies Development Practices that Improve Software Security
Oct. 8, 2008
http://sip-trunking.tmcnet.com/topics/security/articles/42233-new-paper-studies-development-practices-that-improve-software.htm

SC Magazine UK Edition
May, 2008
http://www.scmagazine.com/uk/news/article/804392/software-safe-design/
Software: Safe by design
A new industry alliance promises to pave the way for more secure software. Is SAFECode what we've been waiting for?

Government Computer News
Oct. 23, 2007
http://www.gcn.com/online/vol1_no1/45286-1.html
IT industry creates secure coding advocacy group

vnunet.com
Oct. 23, 2007
http://www.vnunet.com/itweek/news/2201841/industry-launches-initiative
Tech industry launches initiative to boost software security
A major new industry initiative could ensure the quality and security of software

SearchSecurity.com
Oct. 23, 2007
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1278401,00.html
Tech vendors team up for secure software development

Dark Reading
Oct. 23, 2007
http://www.darkreading.com/document.asp?doc_id=137004&WT.svl=wire_1
Major Vendors Form SAFECode

eWEEK.com
Oct. 24, 2007
http://www.eweek.com/article2/0,1895,2206100,00.asp
Tech Foes Join Forces for Secure Code

Computerworld (UK)
Oct. 24, 2007
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=5813
RSA 2007: Software firms to share security best practice
SAFECode is first industry-led shared security effort

FederalNewsRadio -- Daily Debrief with Amy Morris
Oct. 25, 2007
http://www.federalnewsradio.com/?sid=1278706&nid=364
(Radio Interview)
The "Justice League" of IT Security

Silicon.com (UK)
Oct. 24, 2007
http://software.silicon.com/security/0,39024655,39168921,00.htm
Tech giants team up for secure software


Press Release -- SAFECode Releases Free Online Software Security Training Courses

Media Contact:
Stacy Simpson
SAFECode
stacy@safecode.org
781-876-8833

FOR IMMEDIATE RELEASE

SAFECode Releases Free Online Software Security Training Courses

New e-Learning Courses Added to Security Engineering Training by SAFECode Program

San Francisco (RSA Conference) – Feb. 25, 2014 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization working to increase trust in technology products and services through the advancement of effective software assurance methods, today announced that it has released new software security training courses as part of its online Security Engineering Training by SAFECode program.

Security Engineering Training by SAFECode is an online community resource offering free security training courses delivered via on-demand webcasts. Covering issues from preventing SQL injection to avoiding cross site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills.

New courses available for immediate viewing include:

Product Penetration Testing 101: This course provides a foundation for security penetration testing of products. It reviews the important penetration testing concepts and shares insight into common elements of an attacker's mindset.

Cross Site Scripting (XSS) 101: This course provides viewers with a basic understanding of the core concepts behind XSS. It will help viewers recognize where in a web application they may expect to find XSS and provide guidance on preventing and remediating XSS.

Secure Java Programming 101: This course provides a basic introduction to secure coding in Java. Viewers will be introduced to the most frequent attacks and pitfalls that a Java programmer may encounter, along with techniques to avoid them. It is designed to be a starting point for those new to Java security.

In addition, SAFECode will release the following courses in the next six weeks:

Secure Memory Handling in C 101: This course provides an introduction to basic issues in secure coding in C with a focus on secure memory handling. It specifically focuses on issues associated with traditional string (char*) handling, arrays and format strings.

Using Cryptography The Right Way: This course provides an overview of how to use cryptography in a secure way and covers topics such as the uses of hashing and the differences between symmetric and asymmetric encryption. It provides examples of cryptography in action and reinforces the importance of using well-established and accepted cryptography toolkits.

These new Security Engineering Training by SAFECode courses are based on training materials donated to SAFECode by its member companies. A team of technical experts from across the SAFECode membership has reviewed and supplemented all course materials to ensure their broad applicability across diverse development environments.

Visit https://training.safecode.org today to learn more about the program and participate in its free courses. To learn more about SAFECode and SAFECode membership, as well as additional training benefits available to SAFECode members, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

###


Press Release -- SAFECode Expands Membership Structure

Media Contact:
Stacy Simpson
SAFECode
stacy@safecode.org
781-876-8833

FOR IMMEDIATE RELEASE

SAFECode Expands Membership Structure

Associate Membership in SAFECode Now Open to Organizations with a Commitment to Software Assurance

SAFECode Welcomes Autodesk and Codenomicon as its First Associate Members

San Francisco (RSA Conference) – Feb. 24, 2014 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization working to increase trust in technology products and services through the advancement of effective software assurance methods globally, today announced that it has expanded the organization through the creation of an Associate membership. Through this change, SAFECode membership is now open to any organization with a demonstrated commitment to software assurance, expanding the membership beyond commercial technology providers for the first time in its history. SAFECode is pleased to welcome Autodesk and Codenomicon as its first Associate members. 

“SAFECode’s membership expansion will enable us to harness valuable knowledge from a broader set of experts in service of our mission, helping us to deliver new and more diverse software assurance resources globally and more directly support a wider range of software security needs across the software development landscape,” said Howard A. Schmidt, Executive Director, SAFECode. “The new members we are welcoming today are an example of the type of diverse expertise this expansion brings to our mission and we are very excited to begin working with them and other Associate members that join behind them.”

Associate members take an active role in promoting software assurance best practices and their technical contributions will help SAFECode continue to build its body of work around software assurance. They also join SAFECode’s network of software assurance practitioners, benefitting from a unique collaboration around software assurance practices, trends and resources.

“We are very excited about this next chapter in SAFECode’s development while remaining committed to our founding vision and principles,” said Schmidt. “Software assurance is vital to preserving trust in information technology products and services. There is significant value in identifying and promoting the secure development practices that have proven both practical and effective across a broad segment of the software development landscape. We believe SAFECode is now in an even stronger position to carry out this important work.”

To preserve the unique collaboration platform SAFECode has been successful in delivering to a segment of the commercial technology provider landscape, the organization will retain its Charter-level membership on an invitation-only basis. Charter members will hold positions on the Board of Directors and play a strong leadership role in SAFECode’s overall direction.

Organizations interested in joining SAFECode can visit http://www.safecode.org/join.php to download the membership application and supporting materials.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

###


Press Release -- SAFECode and the Cloud Security Alliance Release Guidance for the Secure Development of Cloud Applications

Media Contact:
Stacy Simpson
SAFECode
stacy@safecode.org
781-876-8833

Zenobia Godschalk
ZAG Communications for the CSA
Zenobia@zagcommunications.com
650.269.8315

FOR IMMEDIATE RELEASE

SAFECode and the Cloud Security Alliance Release Guidance for the Secure Development of Cloud Applications

New Paper Outlines Practical Software Security Recommendations to Address Threats Specific to Cloud Computing

Orlando, Fla. – Cloud Security Alliance Congress – Dec. 5, 2013 – The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, and the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in technology products and services through the advancement of effective security assurance methods, today released new guidance for the secure development of cloud applications. The paper, "Practices for Secure Development of Cloud Applications," aims to provide practical secure development recommendations in the context of critical threats specific to cloud computing.

SAFECode and CSA partnered to determine whether additional software security guidance was needed to address unique threats to cloud computing, and if so, to identify specific security practices in the context of identified threats. The joint technical working group analyzed existing secure software development practices and secure design considerations as outlined in the SAFECode publication "Fundamental Practices for Secure Software Development 2nd Edition" in the context of CSA guidance, including "The Notorious Nine: Cloud Computing Top Threats in 2013."

"Cloud computing has provided significant advantages to technology users of all kinds, and we have only just begun to explore the possibilities. Though the growth of cloud computing has created new security issues to address, the Cloud Security Alliance has provided the industry with a wealth of effective guidance to help mitigate many of these concerns," said Howard A. Schmidt, Executive Director of SAFECode. "SAFECode's collaboration with CSA fills an important need given the foundational role of secure software development in the effort to secure both cloud computing and the broader technology infrastructure."

While the working group's efforts confirmed that each practice identified by SAFECode as fundamental to software security applied equally to cloud software, it also identified additional practices that should be adopted by those developing software for the cloud, given the unique threats faced in that domain. This new report represents the product of that collaboration and is intended to help readers better understand and implement best practices for secure cloud software development. It offers practical secure development guidance in the areas of multi-tenancy, trusted compute pools, tokenization of sensitive data, data encryption and key management, authentication and identity management, shared-domain issues and securing APIs.

"It is our hope that by bringing together practical experience in both cloud computing and software security, we are able to offer secure development guidance that is both highly actionable and effective at addressing the unique security considerations of cloud software developers," said Said Tabet, Senior Technologist, EMC Corporation and one of the paper's primary authors. "We encourage individual enterprises to tailor our recommendations to meet their needs and to use them as part of a larger software security process that should continue to evolve alongside advancements in cloud computing."

To aid others in adopting and using these practices effectively, this paper describes each identified security practice in the context of unique attributes of cloud computing and the associated threats as identified by CSA. The recommended practices are mapped to specific threats in order to provide a more detailed illustration of the security issues these practices aim to resolve and a starting point for those wishing to learn more. Each section offers specific action items for development and security teams, as well as useful references that provide additional implementation guidance.

Practices for Secure Development of Cloud Applications is available immediately for free download at www.safecode.org and www.cloudsecurityalliance.org.
It was authored by Bryan Sullivan, Microsoft; Said Tabet, EMC; Edward Bonver, Symantec; Judith Furlong, EMC; Steve Orrin, Intel; and Peleus Uhley, Adobe Systems, Inc.

Note for CSA Congress Attendees: The paper's key authors will be discussing the paper today at the Cloud Security Alliance Congress in a panel titled, "Developing Secure Software for the Cloud: What's Unique? What's the Same?". The panel will be held on Dec. 5 at 10:15 a.m. as part of the Emerging Technology and Trends Track.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, CA Technologies, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org and follow us on Twitter @safecodeforum.

About the Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at www.cloudsecurityalliance.org, and follow us on Twitter @cloudsa.

###


Press Release -- SAFECode Launches Software Security Training Program

Media Contact:
Stacy Simpson
SAFECode
stacy at safecode.org
781-876-8833

FOR IMMEDIATE RELEASE

SAFECode Launches Software Security Training Program

New Program Provides Free Online Security Engineering Courses Based on Internal Training Materials Used by SAFECode Members

Program will Help Address Gaps in Security Engineering Awareness and Education

San Francisco – Security Development Conference – May 14, 2013 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced the launch of a new community resource for software security training and released its first set of free online security engineering training courses. The program aims to help address gaps in security engineering knowledge among the software engineering workforce, a key challenge facing organizations working to improve software security.

Security engineering training by SAFECode is a new online community resource offering free security training courses delivered via on-demand webcasts. Covering issues from preventing SQL injection to avoiding cross site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. SAFECode intends to add additional courses and resources to the site, including training program implementation advice based on the real-world experiences of SAFECode members, with the goal of creating an accessible and practical industry resource to support and promote software security training.

The collective experience of SAFECode’s member companies has shown that software security is most successful when it is treated as a process that reflects an individual company’s culture and unique development needs. Supporting this process through software security training is essential. In fact, an analysis of software security programs of SAFECode members revealed that each successful effort included internally developed security engineering training directed at those responsible for the development of the software they produce, including product managers, project managers, architects/designers, developers, and testers. Building on this observation, SAFECode’s new training program is designed to support the training framework outlined in its earlier paper, Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development.

“Ensuring that everyone touching the product development lifecycle has the knowledge they need to support an organization’s software security process is a fundamental challenge for any organization committed to software security success. While SAFECode’s analysis has shown that security training is most effective when aligned to an organization’s unique culture and security development process, we recognize that not every organization has the resources required to develop custom training,” said Howard A. Schmidt, Executive Director of SAFECode. “This seemed an obvious area where SAFECode members could use their internal resources to make a positive industry impact. By providing free training courses in a modular fashion, we hope other organizations can pick and choose the ones most relevant to their needs to either supplement an existing program or build the foundation for a new one.”

The initial set of courses released today covers introductory level topics and are based on training materials donated to SAFECode by Adobe after successful use in its software security program. A team of technical contributors from the SAFECode member companies reviewed and supplemented the course materials to ensure broad applicability across diverse development environments. Additional courses are already in the review process and will be added to the site on an ongoing basis. It is SAFECode’s goal to create a diverse catalog of security engineering training courses for all expertise levels as a community resource. In that spirit, comments on the course materials are encouraged so that the program and its materials can be evolved over time to best meet the needs of the community it aims to serve.

“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs,” said Schmidt. “While not a replacement for formal security engineering education at the college and university level, nor a one-size-fits-all curriculum, SAFECode hopes that this new program is a step forward in addressing that knowledge gap and promoting the broad application of secure development practices.”

Visit https://training.safecode.org today to learn more about the program and participate in its free courses. To learn more about SAFECode and SAFECode membership, as well as additional training benefits available to SAFECode members, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, CA Technologies, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

###


Press Release -- CA Technologies Joins SAFECode

Media Contact:
Stacy Simpson
SAFECode
781-876-8833
stacy at safecode.org

FOR IMMEDIATE RELEASE

CA Technologies Joins SAFECode

Global Provider of Information Technology Management Solutions
Becomes Newest Member of Industry-led Software Security Effort

Wakefield, Mass. – May 1, 2013 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced CA Technologies as its newest member. With membership, CA Technologies joins a group of committed contributors and technology industry leaders including Adobe Systems Incorporated, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens and Symantec Corp.

SAFECode brings together technology industry experts with real-world experience in managing complex global processes for software development to foster a trusted exchange of insights on software security; encourage broad industry adoption of proven software security practices; and drive clarity into vendor software assurance practices to empower customers to better manage risk.

“As a provider of IT management solutions that play an essential role in business operations for customers around the world, CA Technologies has a deep commitment to software assurance and an innovative software security program,” said Howard Schmidt, executive director, SAFECode. “CA Technologies’ expertise in reducing risk across complex IT environments brings another level of knowledge and insight to our efforts at SAFECode.”

Sanjiv Ranjan, Vice President and Chief Information Security Officer for CA Technologies, will join SAFECode's Board of Directors and play an active role in the leadership of the association and its projects. As a new member, CA Technologies will contribute to SAFECode’s ongoing efforts to identify, share and promote security assurance best practices based on the lessons learned from real-world implementations.

“Software security has long been a priority at CA Technologies and we believe that by sharing lessons learned from our processes and programs through SAFECode, we can have a positive impact on the security of the broader IT ecosystem,” said Ranjan. “We look forward to contributing to SAFECode’s efforts to advance and promote secure software development methods.”

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, CA Technologies, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Product and service names mentioned herein are the trademarks of their respective owners.


Press Release -- SAFECode Names Howard Schmidt Executive Director

Media Contact:
Stacy Simpson
+ 1 781-876-8833
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Names Howard Schmidt Executive Director

Former White House Cybersecurity Advisor Brings More than 40 Years of International Security Expertise to Leadership of Software Security Industry Group

San Francisco (RSA Conference) – February 25, 2013 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced it has named former White House cybersecurity advisor Howard A. Schmidt as its Executive Director.

Schmidt brings to SAFECode more than 40 years of information security experience, spanning defense, law enforcement, and corporate security. Most recently, Schmidt served as Special Assistant to the President and the Cybersecurity Coordinator for the U.S. government from 2009 to 2012. In this role, he was responsible for coordinating interagency cybersecurity policy development and implementation, and for coordinating engagement with federal, state, local, international and private sector cybersecurity partners.

“SAFECode has always been focused on a technical mission – identifying and promoting the most effective methods for increasing trust in commercial technology products and services. However, we can’t do this work in a bubble,” said Steve Lipner, Chairman of the SAFECode Board of Directors and Partner Director of Program Management, Trustworthy Computing Security for Microsoft Corporation. “We must work together with customers and governments to foster a dialogue on software assurance, and ensure that our technical efforts have the most positive impact possible on the security challenges we all face. Howard’s unmatched experience in bringing technical experts together with defense, law enforcement and business leaders will help SAFECode to not only execute its technical mission, but also increase our global reach.”

Schmidt has had significant experience leading international security associations and forums throughout his career. He has served as President of both the Information Security Forum (ISF) and Information Systems Security Association (ISSA). Schmidt also was the co-founder and first president of the Information Technology Information Sharing and Analysis Center (IT-ISAC). He was the Vice-Chair of, and Security Strategist for, the Board of Directors for (ISC)2. He is a former executive board member of the International Organization of Computer Evidence, and served as the Co-chairman of the Federal Computer Investigations Committee.

“With more headlines every day, cybersecurity has caught the attention of business leaders and governments worldwide. Though software assurance is rarely the subject of those stories, there are experts in product security doing important work to reduce vulnerabilities in our technology infrastructure and improve its resistance to attack,” said Howard Schmidt, executive director of SAFECode. “SAFECode brings together many of our most experienced software security professionals in a unique global collaboration that can have a real impact on the security of our technology infrastructure. As its Executive Director, I look forward to working with the members to advance and promote the practice of software assurance.”

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Intel Corporation, Microsoft Corp., SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- Intel® Joins SAFECode

FOR IMMEDIATE RELEASE

Intel® Joins SAFECode

World Leader in Computing Innovation Latest Member to Commit to Industry-led Software Security Effort

Wakefield, Mass. – October 29, 2012 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective security assurance methods, today announced Intel® Corporation as its newest member. With membership, Intel joins a group of committed contributors and software industry leaders including Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens and Symantec Corp.

SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. In the first five years, the Forum has worked to aggressively advance an agenda that has measurably improved software security practices worldwide. Most recently, the Forum launched its Software Security Guidance for Agile Practitioners.

“The rapid advancement of threats has driven security requirements across – and more deeply within – systems than ever before,” said Stacy Simpson, policy and communications director, SAFECode. “Intel's innovations and strength in embedding security at the foundation of computing devices bring another level of expertise and perspective to our efforts.”

Jeffrey H. Cohen, Head of Product Security Assurance for Intel, will join SAFECode's Board of Directors and play an active role in the leadership of the association. As a new member, Intel will contribute to SAFECode’s ongoing efforts to identify, share and promote security assurance best practices based on the lessons learned from real-world implementations – and will take an active role in current SAFECode projects that address secure development methods and training.

Membership in SAFECode is open to commercial technology providers with significant global business activity in hardware, software and/or services and that have demonstrated a commitment, and dedicated resources, to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode Releases Software Security Guidance for Agile Practitioners

Media Contact:
Stacy Simpson
+ 1 781-876-8833
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Software Security Guidance for Agile Practitioners

New Paper Presents Security Flaws and Secure Development Practices in an Actionable Format for Agile Software Development

Wakefield, Mass. - July 17, 2012 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “Practical Security Stories and Security Tasks for Agile Development Environments.” This new paper provides practical software security guidance to Agile practitioners in the form of security-focused stories and security tasks they can easily integrate into their Agile-based development environments. The paper is the outcome of a collaboration of SAFECode members working to simplify the process for addressing security assurance tasks as part of an Agile development methodology.

“A number of SAFECode members recognized the natural tension between the dynamic nature of Agile development methodologies and more formalized processes for secure software development. After working on various ways we could better insert the most important elements of the security process into a standard Agile development process, we came up with this relatively simple approach of presenting security-focused stories with associated security tasks, alongside operational security tasks and those that most often require the support of a security expert,” said Vishal Asthana, a lead author of the paper and Senior Principal Software Engineer, Product Security Group, Symantec Corp. “A small group of us have been piloting the approach within our own teams and have seen enough early value that we felt it would be beneficial to share the approach with the broader community.”

In an Agile development process, necessary changes are incorporated in a dynamic fashion. Cycles/sprints are very short, usually no more than two to four weeks, making it extremely difficult for software development teams to comply with long lists of security assurance tasks. This paper addresses this challenge by translating secure development practices into a language and format that Agile practitioners can more readily act upon as part of a standard Agile methodology. To further simplify things, the recommended security tasks are broken down by role, including architects, developers and testers, and the paper separately lists the tasks that most often require specialized skills from security experts.

As with SAFECode’s other work, both the security flaws and secure development practices outlined within the paper are derived from an analysis of the real-world experiences of SAFECode members. Further, in an effort to provide additional information for those interested in learning more about either the security weakness or recommended security practices, SAFECode has included Common Weakness Enumeration (CWE) references. The security-focused stories reflect the practices detailed in SAFECode’s paper, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today,” in a form that is consumable by Agile practitioners.

“SAFECode has dedicated significant resources to evaluating and improving the secure development process based on the experiences of its members in real-world implementations,” said Stacy Simpson, policy and communications director, SAFECode. “Though presented in a list format, this paper is an extension of our commitment to our process-based approach. Our goal is to present key elements of that process in a way that can be more readily acted upon by Agile practitioners. We hope that this paper will be useful to organizations that use, or plan to use, Agile methods and wish to incorporate security or enhance existing security tasks in their development process.”

“Practical Security Stories and Security Tasks for Agile Development Environments” is available for free download at www.safecode.org.

SAFECode encourages comments and contributions on this paper as well as its other publications. To contribute, please contact feedback at safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens AG and Symantec Corp.

Membership in SAFECode is open to commercial technology providers with significant global business activity in hardware, software and/or services and that have demonstrated a commitment and dedicated resources to software assurance.

For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode Adds Siemens as Newest Member

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703 812 9199
stacy.simpson at goodharbor.net

FOR IMMEDIATE RELEASE

SAFECode Adds Siemens as Newest Member

Global Powerhouse in Electronics and Electric Engineering Joins Industry-led Software Security Effort

Arlington, Va. - Nov. 8, 2011 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced Siemens as its newest member. SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Siemens joins software industry leaders Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. in SAFECode membership.

“As one of the world’s largest and most diverse corporations, Siemens brings unique expertise and perspective to SAFECode’s efforts,” said Paul Kurtz, executive director of SAFECode. “Its experience delivering technology to the energy, healthcare and manufacturing sectors will greatly strengthen our ability to promote software security practices across a diverse ecosystem. We are looking forward to working with Siemens to build upon the positive work it is doing on software security.”

Dr. Frances Paulisch, head of the company-wide Software Initiative at Siemens, will join SAFECode’s Board of Directors and play an active role in the leadership of the association. In addition, as a SAFECode member, Siemens will join with other global technology providers in a trusted exchange on software assurance challenges and best practices. It will contribute to SAFECode’s ongoing efforts to identify, share and promote software security best practices based on the lessons learned from real-world implementations. Siemens will take an active role in current SAFECode projects that address secure development methods and training.

“Siemens recognizes the importance of software security and applies security practices across our organization,” said Dr. Paulisch. “We are looking forward to working with the other SAFECode members to share the lessons we have learned, gain insight into new ways to advance our internal programs, and positively influence the state of software security.”

Membership in SAFECode is open to commercial technology providers with significant global business activity in hardware, software and/or services and that have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG, Siemens AG and Symantec Corp. For more information, please visit www.safecode.org.

About Siemens
Siemens AG (Berlin and Munich) is a global powerhouse in electronics and electrical engineering, operating in the fields of industry, energy and healthcare as well as providing infrastructure solutions, primarily for cities and metropolitan areas. For over 160 years, Siemens has stood for technological excellence, innovation, quality, reliability and internationality. The company is the world’s largest provider of environmental technologies. More than one-third of its total revenue stems from green products and solutions. In fiscal 2010, which ended on September 30, 2010, revenue from continuing operations (excluding Osram and Siemens IT Solutions and Services) totaled €69 billion and net income from continuing operations €4.3 billion. At the end of September 2010, Siemens had around 336,000 employees worldwide on the basis of continuing operations. Further information is available on the Internet at: www.siemens.com.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode Releases Updated Guidance on Secure Development Practices

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Updated Guidance on Secure Development Practices

Report Provides Foundational Set of Secure Development Practices Based on
an Analysis of the Real-World Actions of SAFECode Members

New Edition Outlines Methods to Help Managers Verify that Development Teams Followed Prescribed Security Practices

Arlington, Va. - February 8, 2011 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released the second edition of “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.” The report is intended to help others in the industry initiate or improve their own software security programs and encourage the industry-wide adoption of fundamental secure development methods. The paper was jointly developed by SAFECode’s members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp.

As with the original, this latest report from SAFECode is not meant to be a comprehensive guide to all possible secure development best practices. Rather it is meant to provide a foundational set of “practiced practices” that have been shown to be effective in improving software security in real-world implementations by SAFECode members even across diverse development environments.

“It has been more than two years since we released our first paper on secure development practices,” said Paul Kurtz, executive director of SAFECode. “In that time, the process of building secure software has continued to evolve and improve alongside innovations and advancements in the information and communications technology industry. The second edition of the paper aims to disseminate the new knowledge SAFECode has gathered, and provide new tools and improved guidance for those implementing the paper’s recommended practices.”

In addition to providing updated security practices that should be applied during the design, development and testing activities in the software development lifecycle, the new edition of the report aims to address an important challenge for those managing software security programs – the need to verify that the development teams followed prescribed security practices. For each listed practice, SAFECode has included verification methods and tools that can be used to help confirm whether a practice was applied. Further, SAFECode has included Common Weakness Enumeration (CWE) references for each practice to provide a more detailed illustration of the security issues these practices aim to resolve.

“Software vendors have both a responsibility and a business incentive to ensure software security,” said Kurtz. “SAFECode encourages software developers to not only consider, tailor and adopt the practices outlined in this paper, but to also continue to contribute to a broad industry dialogue on advancing secure software development.”

SAFECode will continue to review and update the practices in this paper based on the experiences of its members and the feedback from the industry and other stakeholders. To this end, SAFECode encourages comments and contributions, especially to the newly added work on verification methods. To contribute, please visit www.safecode.org.

The second edition of “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today” is available for free download at http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode to Host 'Supplier Perspectives on Supply Chain Security' Panel at the 2010 CIP Congress

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703-812-9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode to Host 'Supplier Perspectives on Supply Chain Security' Panel at the 2010 CIP Congress

Arlington, Va. - November 29, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, will be hosting a 'Supplier Perspectives on Supply Chain Security' panel on Wednesday, Dec. 1, 2010 from 4:30 p.m. to 5:30 p.m. at the 2010 CIP Congress, Gaylord National Resort Hotel and Conference Center, Washington, DC.

Designed to foster dialogue between information technology suppliers and critical infrastructure owners/operators on today's most pressing supply chain security issues, the session will provide an opportunity for discussion with conference attendees about needed next steps to improve supply chain security in a world of growing threats to critical infrastructures. SAFECode panelists will also offer insight into supplier best practices in software assurance and supply chain integrity based on their collective experience.

"As one of the year's most productive gatherings of security professionals in the critical infrastructure industry, the CIP Congress presents an excellent opportunity for SAFECode to engage in a dialogue with this important user community," said Stacy Simpson, policy and communications director for SAFECode. "Software assurance plays a key role in ensuring resiliency and SAFECode looks forward to an open discussion on how suppliers and users can work together to continue to improve confidence in the software relied upon by critical infrastructure owners and operators."

Participating SAFECode members, who represent the leadership of product security initiatives in some of the world’s largest IT companies, include:

  • Robert Dix - Vice President, Government Affairs & Critical Infrastructure Protection, Juniper Networks, Inc.
  • Steven B. Lipner - Senior Director of Security Engineering Strategy, Trustworthy Computing Security, Microsoft Corp.
  • Gary Phillips - Senior Director, Technology Assurance and Standards Research, Symantec Corp.
  • Dan Reddy - Consulting Product Manager, Product Security Office, EMC Corporation

CIP Congress attendees are also invited to join SAFECode for a lunch discussion Wednesday, Dec. 1 on process transparency for software assurance.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- Brainstorm 2020: A Vision for Software Security

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703-812-9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

Announcing ‘Brainstorm 2020: A Vision for Software Security’ at Black Hat USA 2010

SAFECode Hosting Community Brainstorm to Gather Forward-Thinking Ideas on How to Improve Software Security

Arlington, Va. - July 8, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, will be hosting ‘Brainstorm 2020: A Vision for Software Security’ on Tuesday, July 27, 2010 from 5:00 p.m. to 6:30 p.m. at the Black Hat USA 2010 conference, Caesars Palace, Las Vegas. This open mic, community-style brainstorm is designed to cultivate a dialogue that will help define a shared vision for software security and identify new, forward-looking approaches to achieving that vision.

SAFECode invites those interested in advancing software security to come to the event and share their thoughts on two key questions:

  • What should our vision be for software security in 2020?
  • What are your ideas for leap-ahead approaches to advance software security over the next ten years?

Members of SAFECode, who represent the leadership of product security initiatives in some of the world’s largest IT companies, will be on hand to join in the brainstorm and to gather new ideas for future work. Participating SAFECode members include:

  • Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation
  • Brad Arkin, Director of Product Security and Privacy, Adobe Systems Incorporated
  • Gary Phillips, Senior Director, Standard Tools and Technologies, Symantec Corporation
  • Janne Uusilehto, Head of Product Security, Nokia

For more information on the event, please visit http://www.safecode.org/register.php. There is no charge to attend, but registration is required and space is limited, so please register today. If you are unable to attend the event, but would like to share an idea, you may submit your idea online at http://www.safecode.org/register.php.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

Press Release -- Software Integrity Controls

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703 812 9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases First Industry-Developed Guidance on Software Integrity Controls

New Report Outlines Assurance-Based Approach to Securing the Software Supply Chain

Arlington, Va. - June 14, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain.” The new report provides actionable recommendations for minimizing the risk of vulnerabilities being inserted into a software product during its sourcing, development and distribution. The paper was jointly developed by SAFECode’s members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp., and is based upon an analysis of the real-world actions these companies take to secure their supply chain processes.

“Software assurance is most commonly discussed in terms of security engineering, or in other words, building security into the software as it is being developed. However, another important aspect of assurance is securing the supply chain processes for software sourcing, development and distribution to protect the integrity of delivered software,” said Paul Kurtz, executive director of SAFECode. “SAFECode’s latest paper addresses this emerging area of assurance and represents the first industry-led effort to identify and analyze the software integrity controls used by software vendors to protect software from the insertion of vulnerabilities as it moves along the global supply chain.”

The software integrity controls identified in the paper are used by major software vendors to address the risk that insecure processes, or a motivated attacker, could undermine the security of a software product as it moves through the links in the global supply chain. The controls aim to preserve the quality of securely developed code by securing the processes used to source, develop, deliver and sustain software. The controls identified in the report cover issues ranging from contractual relationships with suppliers, to securing source code repositories, to helping customers confirm the software they receive is not counterfeit. The work builds upon SAFECode’s previously released “Software Supply Chain Integrity Framework,” which defines a taxonomy for describing supply chain security in the context of software assurance.

“By basing our analysis on the actual practices and controls being used by SAFECode members today, we were able to identify software integrity controls that are not only effective, but also practical, repeatable and verifiable,” said Gunter Bitz, Head of Product Security Governance at SAP and a key contributor to the report. “We believe that broad industry adoption of software integrity controls can greatly improve customer confidence in IT systems. To help achieve this goal, SAFECode encourages other producers and distributors of software to tailor and adopt these controls into their own supply chain processes, as well as continue future study and analysis on additional methods to improve software integrity.”

The paper also identifies areas that SAFECode believes deserve future industry-led collaboration and study. The ideas proposed include improved supplier management and communications along the supply chain, additional research on software testing, and the development of effective strategies for software assurance measurement. To continue the discussion, SAFECode encourages public comment on this paper and will consider feedback collected for future projects. To comment, please visit www.safecode.org.

“Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain” is available for free download at www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- SAFECode Adds Adobe

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Adds Adobe as Newest Member

Global Technology Leader Joins Industry-led Software Security and Assurance Effort

Arlington, Va. - Sept 29, 2009 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced Adobe Systems Incorporated as its newest member. SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Adobe joins software industry leaders EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. in SAFECode membership.

“As one of the world’s largest and most diversified software companies, Adobe brings invaluable expertise to SAFECode,” said Paul Kurtz, Executive Director of SAFECode. “We are looking forward to working with Adobe to build upon the positive work it is doing on software security. This collaboration will strengthen our ability to promote the adoption of practical software assurance methods across an increasingly diverse cyber ecosystem.”

As a SAFECode member, Adobe will join with subject matter experts to identify and share proven best practices for software assurance, promote broader adoption of software assurance best practices into the cyber ecosystem, and work with businesses, governments and critical infrastructure providers to leverage these practices to manage enterprise risks. Adobe will take an active role in current SAFECode projects that address secure development methods, software integrity in the global supply chain, and the measurability of software security.

“Adobe recognizes the importance of software assurance and applies security best practices when building products to deliver more secure, trusted and engaging user experiences,” said Brad Arkin, Director, Product Security & Privacy, Adobe and newest SAFECode Board Member. “We look forward to collaborating with SAFECode’s members to further advance software security.”

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services that have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- SAFECode Releases Framework for Software Supply Chain Integrity

Media Contact:
Stacy Simpson
+ 1 703 812 9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Framework for Software Supply Chain Integrity

New Paper Defines Risks and Responsibilities for Securing Software in the Global Supply Chain

Arlington, Va. - July 21, 2009 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.” The paper outlines the first industry-driven framework for analyzing and describing the efforts of software suppliers to mitigate the potential that software could be intentionally compromised during its sourcing, development or distribution. The paper was jointly developed by SAFECode’s members, which include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

As the software industry has become increasingly globalized, concern has arisen over the possibility that an IT solution could be compromised by the intentional insertion of malicious code into the solution’s software during its development or maintenance, which is often referred to as a supply chain attack. Though experts have concluded that the supply chain is not the most likely attack vector, vendors are taking action to mitigate supply chain risk by applying software integrity practices - the collection of processes and controls that enable a vendor to deliver to customers a product that is uncompromised, and therefore contains only what the vendor intends.

“While SAFECode’s members have individually implemented software integrity practices, this is the first time industry has come together to establish a common framework for ensuring the integrity of software through the global supply chain,” said Paul Kurtz, executive director of SAFECode. “This framework will serve as the foundation for subsequent work aimed at identifying and analyzing software integrity best practices and represents a critical step forward in the industry’s efforts to advance software assurance.”

Software assurance is most frequently discussed in the context of ensuring that code itself is more secure through the application of secure software development practices. However, while there has been a growing and appropriate focus on eliminating software vulnerabilities through secure development practices, this represents only one element of software assurance. The processes for sourcing, creating and delivering software must also contain integrity controls to enhance confidence that the software functions as the supplier intended.

Within SAFECode’s software supply chain integrity framework, software supply chain integrity controls address the access, storage and handling of development assets throughout the key links in the software supply chain – supplier sourcing, product development and testing, and product delivery. The controls are designed to be independent of geography, accommodate diverse sources of software components, and extend from a vendor’s suppliers to its customers. Software supply chain integrity practices and controls derive from established security and integrity principles, including:

  • Chain of Custody: The confidence that each change and handoff made during the source code’s lifetime is authorized, transparent and verifiable.
  • Least Privilege Access: Personnel can access critical data with only the privileges needed to do their jobs.
  • Separation of Duties: Personnel cannot unilaterally change data, nor unilaterally control the development process.
  • Tamper Resistance and Evidence: Attempts to tamper are obstructed, and when they occur they are evident and reversible.
  • Persistent Protection: Critical data is protected in ways that remain effective even if removed from the development location.
  • Compliance Management: The success of the protections can be continually and independently confirmed.
  • Code Testing and Verification: Methods for code inspection are applied and suspicious code is detected.

SAFECode will build upon this framework for software supply chain integrity with a focused effort to identify and analyze the most effective software integrity controls and practices that its member companies use to help ensure the integrity of their software. It will publish its findings later this year to help extend these practices across the industry and provide customers with additional insight into how to view and evaluate the processes by which software integrity is achieved.

“The complexities and interdependencies of the IT ecosystem require software suppliers to not only be able to demonstrate the security of products they produce, but also evaluate the integrity of products they acquire and use. For this reason, every software supplier has a significant stake in the identification, communication and evaluation of best practices for ensuring software integrity,” said Kurtz. “By promoting the adoption of well-defined software integrity practices across the industry, these efforts should ultimately lead to increased customer confidence in the security of IT solutions.”

A full copy of “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain” is available for free download at http://www.safecode.org/publications/SAFECode_Supply_Chain0709.pdf

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- SAFECode Seeks Public Comment on Guide to Secure Development Practices

Media Contact:
Stacy Simpson
+ 1 202 262 7057
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Seeks Public Comment on Guide to Secure Development Practices

Arlington, Va. and San Francisco (RSA Conference) – April 20, 2009 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today issued a call for comments on its “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.”

Originally released in October 2008, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. Due to the positive response to the paper’s publication, as well as the rapidly evolving information security environment, SAFECode will be releasing an updated version in late 2009. SAFECode is offering experts outside of its membership an opportunity to provide input into the paper’s next version in its continued effort to make the recommendations as useful and relevant as possible.

“SAFECode’s paper on development practices was based on a detailed analysis of the real world experience of its members. Opening the paper to contributions by experts outside of our membership will not only expand our frame of reference, but also enable us to include feedback from those who have worked to put the original paper’s practices into action,” said Paul Kurtz, Executive Director of SAFECode.

The brief and highly actionable paper describes each identified security practice across the software development lifecycle – Requirements, Design, Programming, Testing, Code Handling and Documentation – and offers implementation advice based on the experiences of SAFECode members.

To submit your comments, please visit www.safecode.org. SAFECode will be accepting comments until July 31, 2009.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- SAFECode Shares Experiences with Security Engineering Training

Media Contact:
Stacy Simpson
+ 1 202 262 7057
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Shares Experiences with Security Engineering Training

New Paper Offers a Framework for Corporate Training Programs on Secure Software Development

Arlington, Va. and San Francisco (RSA Conference) – April 20, 2009 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released a paper outlining a framework for corporate training programs on the principles of secure software development. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

“Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development” outlines the fundamentals of a security engineering training program based on an analysis of the shared experiences of SAFECode members. It is not meant to provide a curriculum, but rather a framework that can be put into place to facilitate successful training initiatives across diverse corporate cultures, development environments and product requirements. Companies can use the framework to focus on the knowledge and skills that are most important to the needs of their programs, and thus meet their corporate objectives.

“Ensuring that every person involved in defining and building software applications has the security knowledge required to do it in a secure manner is fundamental to the success of software assurance programs,” said Reeny Sondhi, Senior Manager, Product Security Assurance, EMC Corporation and a key contributor to the paper. “By sharing their security training practices, the SAFECode members are making available to the software development community a proven approach to train software developers on secure development practices.”

An analysis of the software assurance programs of SAFECode members revealed that each successful effort has been supported by internally developed security engineering training directed at those responsible for the development of the software they produce, including product managers, project managers, architects/designers, developers and testers. While the review of the training efforts of SAFECode members demonstrated that internal training programs are most effective when customized to unique corporate needs, the programs share common elements that can greatly contribute to overall success. The most important of these was the need to create a solid base of foundational knowledge across the entire product team. Every SAFECode member has found that this level of awareness training is critical to establishing a security-aware culture and changing the specific behaviors of developers and assurance professionals.

“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to information and communications technology corporations working to implement effective software assurance programs,” said Paul Kurtz, Executive Director of SAFECode. “While not a replacement for formal security engineering education at the college and university level, the experiences shared by SAFECode members in this paper reveal the important role corporate training programs play in the effort to advance software assurance.”

A full copy of “Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development” is available for free download at http://www.safecode.org/publications.php. SAFECode will update the paper periodically to reflect changes in the software assurance landscape and its work on advancing security engineering education and training.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- SAFECode Establishes International Board of Advisors

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Establishes International Board of Advisors

Diverse Group of Information Security Experts will Help Guide SAFECode’s Work to Improve Software Security

Arlington, Va. - Oct. 28, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced that it has established an International Board of Advisors to help guide its efforts to advance software assurance. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

SAFECode’s International Board of Advisors comprises information technology experts representing government agencies, private-sector organizations and academic institutions from around the world. Its members provide a third-party perspective and expertise to advise SAFECode on its efforts to advance secure development practices and promote software assurance.

Members of the SAFECode International Board of Advisors include:

  • William C. Barker, Chief Cyber Security Advisor, National Institute of Standards and Technology
  • Matt Bishop, Professor, Department of Computer Science, University of California, Davis
  • Dr. Paul Dorey, Director, CSO Confidential & Chairman of the Institute of Information Security Professionals
  • Claudia Eckert, Professor, Fraunhofer Institute for Secure Information Technology
  • Zoltán Hornák, Budapest University of Technology and Economics, SEARCH Security Evaluation Analysis and Research Laboratory
  • Alan Paller, Director of Research, SANS Institute
  • Prof. Dr. Joachim Posegga, Chair of IT-Security, Institute for IT Security and Security Law (ISL), University of Passau
  • Juha Röning, Professor, University of Oulu (Finland)
  • Reijo Savola, Network and Information Security Research Coordinator, VTT Technical Research Centre of Finland
  • Dan S. Wallach, Associate Professor, Department of Computer Science, Rice University (Houston, Texas)

"SAFECode has brought together this group of renowned information security experts to help guide and inform our efforts to improve the security and integrity of software," said Paul Kurtz, executive director of SAFECode. "We share a common belief that software assurance plays a vital role in strengthening the security of our information infrastructure and we are thrilled to have the opportunity to leverage the diverse expertise and insight of this board of advisors as we work to advance secure software development."

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- SAFECode Releases Guide to Secure Development Practices

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Guide to Secure Development Practices

New Paper Identifies Secure Development Methods that have Proven Applicable and Effective across Diverse Environments

Arlington, Va. - Oct. 08, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today." Based on an analysis of the individual software assurance efforts of SAFECode members, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

"SAFECode has brought together some of the most experienced software assurance professionals in the industry to move us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered," said Paul Kurtz, executive director of SAFECode. "We have documented and released these secure development practices in an effort to help others in the industry initiate or improve their own software assurance programs and encourage the industry-wide adoption of the secure development methods outlined in this paper."

A review of the software assurance methods used by SAFECode’s highly diverse membership revealed that there are corresponding security practices that can improve software security and integrity for each stage of the software development lifecycle. The examination of these vendor practices reinforces the assertion that software assurance must be addressed throughout the software development lifecycle in order to be effective and not treated as a one-time event.

To aid others within the software industry in adopting and using these secure development best practices effectively, "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today" describes each identified security practice across the software development lifecycle – Requirements, Design, Programming, Testing, Code Handling and Documentation – and offers implementation advice based on the experiences of SAFECode members. The secure development practices defined in the paper are as diverse as the SAFECode membership, spanning web-based, shrink-wrapped and database applications, as well as operating systems and embedded systems.

"Software vendors have both a responsibility and a business incentive to ensure product assurance and security," said Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft’s Trustworthy Computing Group and a primary contributor to the paper. "By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry highly actionable advice for improving software security to the benefit of both our colleagues and customers."

A full copy of "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today" is available for download at http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

###

Press Release -- SAFECode Adds Nokia

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Adds Nokia as Newest Member

Global leader in mobile technology joins industry-led effort to advance software assurance

Arlington, Va. - March 31, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced that it has added Nokia as its newest member. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

"As the global leader in mobile technology, Nokia brings invaluable expertise to SAFECode's efforts," said Paul Kurtz, executive director of SAFECode. "Software underpins the communications and mobile computing infrastructures we've come to rely on in so many ways. SAFECode is thrilled to have the opportunity to work with Nokia to build on the positive work the company has already done to promote assurance best practices across the mobile technology ecosystem."

As a SAFECode member, Nokia will join with subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks.

"The continuous development of secure technology has always been core to Nokia's commitment to its customers. Participation in SAFECode offers a valuable opportunity to extend our corporate dedication to security and positively influence the security of the communications infrastructure to the benefit of all technology users," said Janne Uusilehto, Head of Nokia Product Security. "We look forward to working with SAFECode's members to promote secure software development practices."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

About Nokia
Nokia is the world leader in mobility, driving the transformation and growth of the converging Internet and communications industries. We make a wide range of mobile devices with services and software that enable people to experience music, navigation, video, television, imaging, games, business mobility and more. Developing and growing our offering of consumer Internet services, as well as our enterprise solutions and software, is a key area of focus. We also provide equipment, solutions and services for communications networks through Nokia Siemens Networks.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 

Press Release -- Best Practices

Media Contact:
Stacy Simpson
+1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Outlines Current Industry Best Practices for Software Assurance

New report aims to increase understanding and adoption of the most effective secure development methods and integrity controls used by technology vendors

Arlington, Va. - Feb. 13, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information technology (IT) products and services through the advancement of effective software assurance methods, today released its first member report, Software Assurance: An Overview of Current Industry Best Practices. The report outlines the secure development methods and integrity controls currently used by SAFECode members to deliver high-assurance systems to government and commercial customers. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp.

"Software assurance is a vital component to ensuring the security of critical information technology resources, and information and communications technology vendors thus have an obligation to address assurance through every stage of application development," said Paul Kurtz, executive director of SAFECode. "As the initial step in our efforts to help the industry meet this important responsibility, SAFECode has identified the assurance best practices that have proven to be effective across its member companies. By sharing this information, we hope to encourage the adoption of these types of practices by other software developers and respond to the growing customer desire for greater visibility into the steps technology vendors are taking to continually improve the security of their products."

Software development processes vary by vendor according to their unique organizational structures and customer requirements. Yet regardless of the methods used, there is a core set of best practices for software assurance and security that apply to diverse development environments. The paper identifies and explains the following security best practices and controls that are currently in use by SAFECode members:

  • Security Training: A prerequisite to coding secure software is for engineers to be knowledgeable about information security issues that may affect people who use the product.
  • Defining Security Requirements: Security requirements must be defined during the early stages of product development.
  • Secure Design: The early design phase must identify and address potential threats to the application and ways to reduce those risks to a negligible level.
  • Secure Coding: The product development team must implement secure programming practices.
  • Secure Source Code Handling: The integrity and confidentiality of source code must be protected.
  • Security Testing: Specialized validation should be implemented to ensure that security requirements and secure design and coding guidelines were followed.
  • Security Documentation: Documentation for users should treat security explicitly, so that customers understand how to configure the product's security controls and which configuration options can introduce security vulnerabilities.
  • Security Readiness: Prior to releasing a product, the application developer must identify, assess and document the risks posed by known security gaps in the product.
  • Security Response: Any security vulnerabilities (exploited or not) reported against the deployed product should be handled through incident response mechanisms and relayed to the product development or sustaining teams to mitigate the vulnerability.
  • Integrity Verification: Products must offer customers a method to verify that the software they have acquired genuinely came from the vendor and has not been altered since the vendor released it.
  • Security Research: Ongoing research should be conducted into new threat vectors and mechanisms to mitigate them.
  • Security Evangelism: Leaders in the area of software assurance should promote the use of best practices by discussing their practices and findings in open forums, articles, papers and books.
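Of the practices listed, Integrity Verification is the one a customer can check mechanically rather than take on trust, so it is worth seeing what such a method looks like in code. The Go program below is an added example, not code from SAFECode or its report: the vendor publishes a SHA-256 digest manifest with a detached Ed25519 signature, and the customer verifies the signature against a vendor public key obtained out of band before trusting any digest in the manifest. The filename, the release bytes and the keys are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Distinct errors so a download tool can report *why* a release was rejected.
var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrNotListed      = errors.New("artifact is not listed in the signed manifest")
	ErrDigestMismatch = errors.New("artifact digest does not match the signed manifest")
)

// BuildManifest is the vendor-side step: one "<sha256 hex>  <filename>" line
// per shipped artifact, in the layout of a SHA256SUMS file.
func BuildManifest(name string, artifact []byte) string {
	sum := sha256.Sum256(artifact)
	return fmt.Sprintf("%s  %s\n", hex.EncodeToString(sum[:]), name)
}

// SignManifest produces the detached signature published next to the manifest.
// Only the manifest is signed; artifacts are bound to it through their digests.
func SignManifest(priv ed25519.PrivateKey, manifest string) []byte {
	return ed25519.Sign(priv, []byte(manifest))
}

// VerifyRelease is the customer-side step. vendorPub is pinned in the tool,
// not fetched with the release; manifest, sig and artifact are whatever the
// download channel delivered.
func VerifyRelease(vendorPub ed25519.PublicKey, manifest string, sig []byte, name string, artifact []byte) error {
	// Authenticate the manifest before trusting anything in it: whoever
	// controls the download server can rewrite the digest list as easily as
	// the artifact. ed25519.Verify panics on a malformed key, so check length.
	if len(vendorPub) != ed25519.PublicKeySize || !ed25519.Verify(vendorPub, []byte(manifest), sig) {
		return ErrBadSignature
	}

	// Look up the digest the vendor recorded for this filename.
	var expectedHex string
	for _, line := range strings.Split(manifest, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 2 && fields[1] == name {
			expectedHex = fields[0]
			break
		}
	}
	if expectedHex == "" {
		return ErrNotListed
	}

	// Recompute the digest over the bytes actually received and compare it
	// in constant time with the signed value.
	expected, err := hex.DecodeString(expectedHex)
	actual := sha256.Sum256(artifact)
	if err != nil || subtle.ConstantTimeCompare(actual[:], expected) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func main() {
	// Vendor key pair; in practice the private half stays in a signing
	// service and only the public half is distributed to customers.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed release bytes standing in for a real installer.
	const name = "example-tool-1.0.tar.gz"
	artifact := []byte("constructed release payload, not a real package")
	manifest := BuildManifest(name, artifact)
	sig := SignManifest(vendorPriv, manifest)
	fmt.Println("genuine release:", VerifyRelease(vendorPub, manifest, sig, name, artifact))

	// Modified download: the manifest still verifies, the digest does not.
	tampered := append([]byte(nil), artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", VerifyRelease(vendorPub, manifest, sig, name, tampered))

	// A mirror re-signs a fresh manifest with its own key: the digest matches
	// its artifact, but the signature is not the vendor's.
	_, mirrorPriv, _ := ed25519.GenerateKey(rand.Reader)
	mirrorManifest := BuildManifest(name, tampered)
	mirrorSig := SignManifest(mirrorPriv, mirrorManifest)
	fmt.Println("re-signed by mirror:", VerifyRelease(vendorPub, mirrorManifest, mirrorSig, name, tampered))
}
```

The check is only as strong as the way the customer obtained the vendor key: if the public key is downloaded from the same place as the release, anyone who can replace the release can replace the key, and the verification collapses to a checksum. Signing the manifest rather than each artifact also keeps the signature small and lets one signature cover an entire release.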

"Vendors who have implemented these best practices have seen dramatic improvements in software product assurance and security," said Kurtz. "We encourage all software developers and vendors to consider, tailor and adopt these practices into their own development environments. The result of efforts like these will be a higher level of end-user confidence in the quality and safety of software that underpins critical operations in governments, critical infrastructure and businesses worldwide."

In the coming months, SAFECode will issue a number of reports building on these high-level best practices to offer specific and actionable information on the key concepts, principles, and research and development activities the organization is pursuing to improve software assurance and security.

A full copy of Software Assurance: An Overview of Current Industry Best Practices is available for download at http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf. The paper also includes eight important questions that organizations should ask vendors during the procurement process to help evaluate the software assurance of products or vendor engagements.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 

Press Release -- SAFECode Formed

Leading Technology Companies Form Industry Group to Advance Software Assurance

SAFECode to promote best practices for the delivery of more secure and reliable software, hardware and services

Paul Kurtz named executive director

Arlington, VA. and London (RSA Conference Europe) -- Oct. 23, 2007 -- A group of leading information and communications technology companies today announced the formation of the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information technology (IT) products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG, and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

As the global dependence on information and communications technology has grown, users have become increasingly concerned over the integrity, security and reliability of software, hardware and services, especially those in the government, critical infrastructure and enterprise sectors. The need to reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity has never been more important than in today's increasingly complex and dynamic threat environment. To help achieve these objectives and strengthen the security of the IT ecosystem, SAFECode unites key stakeholders in an effort to advance software assurance by developing and promoting a set of methods for secure product development and integrity controls that protect software, hardware and services across the global supply chain.

While individual companies have implemented effective methods for developing and delivering more secure and reliable software, hardware and services, there has been no coordinated, industry-led effort to build upon this positive work and promote best practices to advance software assurance more broadly. SAFECode fills this critical gap by bringing together subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks. Specifically, SAFECode's objectives are to:

  • Increase understanding of the secure development methods and integrity controls used by vendors
  • Promote proven software assurance practices among vendors and customers to foster a more trusted ecosystem
  • Identify opportunities to leverage vendor software assurance practices to better manage enterprise risks
  • Foster essential university curriculum changes needed to support the cyber ecosystem
  • Catalyze action on key research and development initiatives in the area of software assurance

To help SAFECode achieve its objectives, the organization has named Paul Kurtz, a recognized cyber security expert, as its executive director. Currently a partner at Good Harbor Consulting LLC, Kurtz most recently served as the founding executive director of the Cyber Security Industry Alliance (CSIA). Prior to CSIA, he served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush.

"Software assurance is a critical element of IT ecosystem security. By building on the positive work already done in this area by individual firms and encouraging broader adoption of proven best practices for the development and delivery of more secure technology products and services, SAFECode has a unique opportunity to significantly impact the overall security and reliability of the cyber infrastructure," said Paul Kurtz, executive director of SAFECode. "With the support of its founding members, SAFECode will work to meet the growing demand for information and dialogue on software assurance and increase the trust in IT and communications products and services."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. In addition, SAFECode will assemble an advisory group of government leaders and critical infrastructure operators from around the globe to better understand and respond to key software assurance challenges.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. For more information, please visit www.safecode.org.

Media Contact:
Stacy Simpson
+1 703 926 1963
stacy at safecode.org

 

Articles

CSO Magazine
Preserving the integrity of software through the supply chain
August 30, 2010
http://www.csoonline.com/article/607246/preserving-the-integrity-of-software-through-the-supply-chain

GSN: Government Security News
The Role of Software Integrity Practices in Government Network Security
December 4, 2009
http://www.gsnmagazine.com/cms/features/news-analysis/3038.html

Latest issue of ENISA Quarterly Magazine Online
Oct. 25, 2007
This issue focuses on Secure Software - From the World of Security Experts.
http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_12_07.pdf

Audio Clips / Podcasts

CSO Magazine Code Security: White House lessons, part 2
June 14, 2010
Paul Kurtz talks with CSO senior editor, Bill Brenner, on software integrity controls paper
http://www.csoonline.com/podcast/596691/code-security-white-house-lessons-part-2

CSO Magazine
Code Security: Lessons from the White House
June 10, 2010
Paul Kurtz discusses code security with CSO senior editor, Bill Brenner
http://www.csoonline.com/podcast/596515/code-security-lessons-from-the-white-house

Federal News Radio
SafeCode: 'The Supply Chain Integrity Framework'
July 30, 2009
http://www.federalnewsradio.com/index.php?nid=56&sid=1727458

Federal Security Radio
May 21, 2009
Paul Kurtz discusses software assurance with Tom Temin on Federal Security Spotlight.
http://www.federalnewsradio.com/index.php?nid=56&sid=1678843

RSA Conference Europe 2008
Oct 26, 2008
Paul Kurtz discusses the issues surrounding product security.
https://365.rsaconference.com/blogs/podcast_series_rsa_conference_europe_2008/2008/10/26/session-preview-with-paul-kurtz

WAMU NPR: Cyber Threats
Jun. 25, 2008
Diane Rehm talks with Paul Kurtz, Alan Paller, Stephen Spoonamore, and Congressman Jim Langevin about growing concerns over cyber attacks in the public and private sectors.
http://podcastdownload.npr.org/anon.npr-podcasts/podcast/305/510071/91879571/WAMU_91879571.mp3
51:20 Podcast

IT Week Podcast: RSA Conference Europe
Oct. 25, 2007
This week David Neal talks to Phil Muncaster about the latest news coming from the annual RSA Conference Europe event in London's ExCel.
MP3 (5.6 MB) - http://images.vnunet.com/v7_static/itw/podcasts/IT-Week-Podcast-25-October.mp3