Tech vendors team up for secure software development

By Dennis Fisher, Executive Editor
23 Oct 2007 | SearchSecurity.com

Security Wire Daily News

A group of technology heavy hitters, including Microsoft Corp. and Symantec Corp., joined forces on Tuesday to launch an organization devoted to finding ways to improve the quality and reliability of software.

The group, dubbed SAFECode (Software Assurance Forum for Excellence in Code), also includes EMC Corp., SAP AG and Juniper Networks Inc. The organization will be headed by Paul Kurtz, a security industry veteran with years of experience in Washington who also helped found the Cyber Security Industry Alliance. Kurtz will serve as executive director of SAFECode.

The goals of the organization center on the need for better education of developers on safe coding practices, whether it's at the university level or in a professional setting. Microsoft, of Redmond, Wash., has been a leader in the development and implementation of a comprehensive process for secure code development, known as the Security Development Lifecycle. The company has used the process internally for years and recently has begun explaining it to partners and other software companies. Now, Microsoft officials and executives from the other SAFECode members will work to put some of those best practices that Microsoft and others have developed down on paper in a format that is useful to a broader audience.

SAFECode officials plan to work with software vendors, colleges and universities and others to raise awareness about the need for more secure code and evangelize some of the methods that are known to work. The organization will form three advisory groups, one each comprising representatives from government, academia and critical infrastructure. SAFECode will work with each group to help address the unique requirements and challenges they have.

"This is a complex issue, and there is lots of work to do to see where best practices work and where they may need to be adjusted," Kurtz said. "There may be times where some of them don't work for certain groups, and that's fine. We want this to be a bridge between the technical folks and the non-technical ones. The ideas have to make sense to policy-makers as well as developers."

SAFECode is the second major initiative devoted to secure coding practices to launch this year. In March, The SANS Institute announced its Software Security Institute, a program designed to educate and certify developers in secure coding. Kurtz said the idea for SAFECode grew out of discussions that executives from Microsoft, Symantec and other members were having about the topic of software assurance.

"Microsoft has put together its own best practices and has been very good about getting them out there to customers and partners, but they started hearing from customers that they wanted Microsoft to work with other vendors and that the industry needed to work together on this," Kurtz said. "We're explicitly saying we're not a lobbying organization. But what I suspect we'll see is that the lobbying organizations like ITAA and CSIA will begin to point to us and the best practices once we get them down on paper."


