Developing Secure Software: SAFECode’s Path to Impacting Change

Eric Baize, SAFECode Chairman and Senior Director, Product Security and Trusted Engineering for EMC Corporation

2016 is off to a fast start for our industry and it is no different for SAFECode. It is possible that there has been no more important time than now to focus on software security assurance. Software has become so ubiquitous that it underlies everything from the cars we drive to the thermostats that heat our homes. These devices succeed or fail based on the software that powers them. And while successful hacks of cars or refrigerators may seem intriguing and new, the fundamental rule of software security assurance has remained constant: every piece of software has bugs, and a small subset of these bugs are vulnerabilities that may be exploited for attacks.

However, something important has changed – the stakes. No longer are the impacts of exploited software vulnerabilities limited to the emails we send, the credit cards we use online or the business documents we store. Rather, software vulnerabilities could potentially disrupt countless facets of our daily lives. We believe that software security assurance is a critical first line of defense against these disruptions.

At SAFECode, we have always been passionate about the importance of software security assurance. For more than 8 years we have worked to identify, analyze and promote the most effective software security assurance processes and practices. And we believe that with the unique combination of knowledge and experience we have gathered together, we can have an immensely positive impact on the security of the software ecosystem.

As we work on plans, deliverables and projects for the next year, I wanted to take a step back and talk about what drives the work we do and how we make decisions on which projects to tackle. Our key starting point is to think specifically about how we can support the three key stakeholder groups that play a central role in this important effort – software professionals, technology developers and technology consumers.

Software Professionals

For our purposes, software professionals are the individuals involved in creating software, as employees of a technology company or an IT department, as self-employed developers, or as contributors to open source projects. As security professionals, we often lament the fact that most software developers are graduating college with little to no understanding of software security. While some engineering programs offer software security courses, they are often electives rather than required courses. We need to continue to encourage and support universities in bolstering their software security curriculum and requirements for computer science students.

However, efforts to improve formal software security assurance education, while important for the long term, only address future graduates and a part of the audience. Thanks to successful initiatives that have made learning to code more accessible, we have a growing population of self-taught developers. In fact, 48 percent of software professionals never received a degree in computer science. We must also reach out to this growing segment of the developer population.

At SAFECode, we believe that awareness of software security assurance is an integral part of mastering software engineering. A key objective of ours is to not only support universities in expanding software security assurance curriculum, but also to provide direct support to those who missed out on formal security education, whether it was because it was not offered when they were students, or because they were self-taught. As such, the SAFECode Training program will continue to be a key focus in 2016 and beyond.

Technology Developers

Technology developers are the companies that leverage software to deliver a product or service. This includes technology companies, many of which, like EMC, Intel, SAP and Microsoft, are members of SAFECode, but it is interesting and important to note the diversity of this category. Technology developers now include everyone from Netflix to General Motors.

Technology developers play a central role in any effort to improve software security and they are rightfully subject to high expectations from customers. Sometimes the expectations can be unrealistic – it is not possible to produce vulnerability-free software, and there is no magic tool that will create secure software. However, it is possible to greatly minimize the risk of vulnerabilities through a comprehensive software security process, and we believe that every technology developer has a responsibility to implement such a process.

SAFECode has long supported technology developers in their efforts to design, implement and improve their software security assurance programs. In fact, providing technical and process guidance has been a central part of our mission since our founding. Our technology working groups analyze the practices and processes of our members, look for those methods that have had the most positive impact, and then document those for others to use to build or improve their own programs. Many of our key publications, like the Fundamental Practices for Secure Software Development, are highly cited as practical guidelines for technology companies working to build, improve or expand their internal software security assurance programs. Our technology working groups are always collaborating on new and important projects, or discussing emerging challenges. We look forward to sharing some of the results of these efforts in the coming year.

Technology Consumers

The last key stakeholder in this ecosystem is the buyer of technology. They have a fundamental need to understand and manage the risk introduced by new technology they bring in to their organizations. However, their efforts are hampered by the lack of a broadly accepted standard to help them assess the security of the software they purchase. This has led to frustration not only for customers, but also for technology developers. Without a commonly accepted standard or assessment method, many ad hoc approaches are in use today. While well-intentioned, many of these approaches do not reflect the fact that software security is the result of a holistic process, and not a single practice or tool, and thus fail to deliver the level of assurance or insight that customers seek.

At SAFECode, we not only believe that technology developers have a responsibility to implement a software security assurance process, but that they also must be transparent as to what that process entails. This is one of the most effective ways for suppliers to support buyers seeking to manage technology risk. We have focused on achieving this largely through our efforts to publicly document the process and practices in use by our members. However, in response to numerous requests, we have recently taken this one step further and provided a framework on how to assess the software security practices of commercial technology buyers.

This was our latest release and we are continuing to review feedback from both customers and suppliers so that we may define a path forward for this project in the upcoming year. If you have thoughts to share, we’d love to hear them. Simply drop us a note at feedback@safecode.org.

Moving Forward

We are really excited to harness the passion of our individual contributors to work toward supporting each of these key stakeholder groups. Many of our members are already hard at work on our 2016 projects and we look forward to sharing the results of their efforts with you. To continue the conversation, individuals leading these specific project areas will provide an overview of available resources and how they can be used, as well as preview new efforts, via this blog. Stay tuned…

Software Assurance Forum for Excellence in Code (SAFECode) - All Rights Reserved