A group of technology heavy hitters, including Microsoft Corp. and Symantec Corp., joined forces on Tuesday to launch an organization devoted to finding ways to improve the quality and reliability of software.
The group, dubbed SAFECode (Software Assurance Forum for Excellence in Code), also includes EMC Corp., SAP AG and Juniper Networks Inc. The organization will be headed by Paul Kurtz, a security industry veteran with years of experience in Washington who also helped found the Cyber Security Industry Alliance. Kurtz will serve as executive director of SAFECode.
The goals of the organization center on the need for better education of developers on safe coding practices, whether it's at the university level or in a professional setting. Microsoft, of Redmond, Wash., has been a leader in the development and implementation of a comprehensive process for secure code development, known as the Security Development Lifecycle. The company has used the process internally for years and recently has begun explaining it to partners and other software companies. Now, Microsoft officials and executives from the other SAFECode members will work to put some of those best practices that Microsoft and others have developed down on paper in a format that is useful to a broader audience.
SAFECode officials plan to work with software vendors, colleges and universities and others to raise awareness about the need for more secure code and evangelize some of the methods that are known to work. The organization will form three advisory groups, one each comprising representatives from government, academia and critical infrastructure. SAFECode will work with each group to help address the unique requirements and challenges they have.
"This is a complex issue, and there is lots of work to do to see where best practices work and where they may need to be adjusted," Kurtz said. "There may be times where some of them don't work for certain groups, and that's fine. We want this to be a bridge between the technical folks and the non-technical ones. The ideas have to make sense to policy-makers as well as developers."
SAFECode is the second major initiative devoted to secure coding practices to launch this year. In March, The SANS Institute announced its Software Security Institute, a program designed to educate and certify developers in secure coding. Kurtz said the idea for SAFECode grew out of discussions that executives from Microsoft, Symantec and other members were having about the topic of software assurance.
"Microsoft has put together its own best practices and has been very good about getting them out there to customers and partners, but they started hearing from customers that they wanted Microsoft to work with other vendors and that the industry needed to work together on this," Kurtz said. "We're explicitly saying we're not a lobbying organization. But what I suspect we'll see is that the lobbying organizations like ITAA and CSIA will begin to point to us and the best practices once we get them down on paper."