SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. We created this blog so that we could keep you posted on new developments in software assurance and our ongoing work in this area.
Please note that the opinions expressed in this blog are those of the writer or contributor and do not necessarily reflect the opinions of SAFECode or its member companies.
During a wide-ranging interview on a recent episode of “Security Weekly” – a security podcast hosted by Paul Asadoorian – SAFECode’s Steve Lipner discussed how organizations and developers can take advantage of SAFECode’s new threat modeling and third party component best practices white papers. Here are some of Steve’s insights from the discussion. To hear […]
By Izar Tarandach & Brook S.E. Schoenfield. A couple of years ago I was engaging a new team into our Secure Development Life cycle (SDL) process. One of the initial activities is Threat Modeling, and in discussion with a product architect, I was asked, “We have a working design here, and now you want to come […]
By Tania Skinner, Product Security Strategist, Intel Corporation. The Managing Security Risks Inherent in the Use of Third-party Components White Paper is now available. Below is a brief preview of the document. I encourage you to download it and share it with your colleagues. The use of third-party components (TPCs), including open source software (OSS) […]
By Steve Lipner and Eric Baize. After every news cycle involving major technology players and zero-day vulnerabilities in the products or services they provide, suspicious comments questioning technology players’ commitment to software security assurance inevitably seem to resurface. The recent Wikileaks release of documents allegedly from the CIA describing zero-day exploits in major online services […]
The SAFECode board and members join the cybersecurity community in mourning the loss of Howard Schmidt as an industry pioneer, colleague, collaborator, and friend. Howard’s contributions to the cybersecurity community have been recognized in many ways, most recently by his receiving the 2017 Award for Excellence in the Field of Information Security. The SAFECode members […]
By Eric Baize, Chairman of the Board, SAFECode. SAFECode members crowded into Jillian’s directly across from the Moscone Center in San Francisco on February 15, 2017 for SAFECode’s Second Annual RSA Conference Breakfast. Seventeen SAFECode members were honored with recognition awards for their work at the event on four white papers that are currently […]
Recent security incidents exploiting weaknesses in Internet of Things (IoT) devices have demonstrated that software assurance is no longer just an issue for traditional information technology suppliers and end user organizations. Here’s why: Recent attacks have shown that connected devices can be exploited to launch large scale attacks. Connected Internet-of-Things (IoT) devices cannot hide their […]
All of us at SAFECode are looking forward to working with our new Executive Director Steve Lipner, appointed December 1, 2016. While all of the SAFECode board members have been privileged to work closely with Steve over many years, we thought you’d enjoy learning more about him. We took a moment to ask Steve a […]
Five SAFECode board members visited Washington DC earlier this month and met with representatives of the US Federal government interested in cybersecurity. With the growing awareness amongst policy makers of the importance of software security assurance and its critical role in cybersecurity, it is important to further educate policy makers on this complex issue and […]
(By Vishal Asthana – firstname.lastname@example.org) Most organizations either have their own central security teams or rely on external security consultants for building and rolling out AppSec programs. As a starting point, a couple of cooperative development teams are selected for a “pilot rollout”. Upon seeing successful implementation results from a subset of the pilot candidates (development teams), the security […]