Over 50 SAFECode members and industry leaders came together for a dynamic SAFECode Day 2024! The event featured exciting project updates, lively discussions, and an inspiring keynote from Anne Neuberger, Deputy Assistant to the President, who emphasized the crucial role of cybersecurity in today’s digital landscape. It was great to hear our members share their successes and ideas for enhancing software security. Here are some highlights from the event.
The Dawn of a New Era: SAFECode 2.0
SAFECode Member Council Chair John Heimann and Vice Chair Manuel Ifland kicked off the event with an overview of SAFECode 2.0 and its renewed focus on member collaboration and inclusivity. This new structure, with its single membership model, ensures that all members, regardless of size, have an equal voice in shaping the organization’s direction. SAFECode continues to maintain its secure, NDA-protected environment, so that discussions and best practices can be shared with trust and transparency. With the emergence of new cybersecurity regulations, such as Europe’s Cyber Resilience Act and upcoming U.S. legislative efforts, SAFECode is committed to helping our members remain at the forefront of software security innovation that meets the needs of commercial and government customers.
Reflecting on 17 Years of Achievements
Executive Director Steve Lipner took us on a journey through SAFECode’s 17-year history. From our early days of defining the content of a software security program to our current role as thought leaders in secure software development, every step has been a collaborative effort of our dedicated members and our partnerships with other organizations, such as Cloud Security Alliance, BSA-The Software Alliance, NIST, and the Center for Internet Security. Steve also acknowledged Board Chair Eric Baize from Dell Technologies, who has been actively involved with SAFECode since its formation, for being a great leader and a driving force for the organization’s success.
Inspiring Keynote: A Call to Action
We were honored to have Anne Neuberger, Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology, deliver an inspiring keynote. She underscored the importance of software security to national security and economic health and acknowledged SAFECode’s contributions to advancing secure software practices.
Anne led the development of the first presidential executive order on cybersecurity, which focused on secure software development and government procurement of secure code, and noted that an upcoming Biden Administration executive order will continue this focus. She also discussed the Cyber Trust Mark program, which is designed to enhance security for IoT devices in a non-regulatory way. This program aims to set a government standard for security, like the Energy Star label, and will soon invite companies to submit products for testing. Anne encouraged SAFECode members to provide feedback on the new executive order and ideas for scaling the Cyber Trust Mark program.
An Update on Pioneering Software Security Projects
SAFECode members shared updates on the following projects in flight:
- Executive Order/Attestation: Under the leadership of Steve Lipner, the group has responded to government cybersecurity initiatives, such as the U.S. Executive Order 14028, and the CISA Secure by Design initiative, and provided feedback to address the real-world considerations that impact the effectiveness of mandates and requirements. The group also continues to monitor significant developments, such as the European Union’s recent cybersecurity legislation.
- Post-Quantum Cryptography: The Post Quantum Cryptography (PQC) group has been at the forefront of raising awareness about the quantum computing threat to classical cryptography and helping SAFECode members and the wider community prepare for the transition to quantum-resistant cryptography. Judy Furlong from Dell cited the six educational blog posts the group created to help navigate these complex issues. In the coming months, the group will host a brown bag session to update SAFECode members on their progress and on topics such as cryptographic agility, which is currently under review by NIST.
- Code Integrity: This group, led by Matt Lyon from Dell, has published several blogs addressing threats to code integrity and the security capabilities needed to preserve code integrity. The group’s efforts concluded with an April 2024 webinar entitled Foundations of Trust. While the working group has concluded its formal efforts, there is potential to revive it if new challenges arise around code integrity, particularly in preventing or detecting software manipulation.
New Topics to Explore
There was also a spirited discussion around some newly formed projects in flight. Josh Brown White from Microsoft talked about the potential for detecting malicious software source code using static analysis. The amount of proprietary source code is the highest it’s ever been, and many cyber-attacks have targeted developers. Josh provided an overview of the concept of static analysis to detect these attacks and minimize risk. He noted that collaboration on this topic is key, as no single organization can tackle these challenges alone.
Another focus area is the European Union Cyber Resilience Act (CRA), a new piece of legislation that introduces common cybersecurity rules. It requires all manufacturers and suppliers in the EU market to ensure secure software development and incorporate cybersecurity throughout a product’s entire lifecycle, covering all products with digital elements (both hardware and software). Manuel Ifland from Siemens Energy is leading a working group to help SAFECode members respond to the CRA, which is expected to come into force by the end of the year, beginning with a 36-month transition period for implementation. The group will also facilitate the exchange of best practices and strategies to support CRA compliance.
John Heimann from Oracle discussed the topic of AI and machine learning (ML) security, which involves unique challenges that extend beyond traditional software development. While secure development practices apply to AI and ML, the security of model development and maintenance introduces additional considerations. Both open-source and proprietary technologies are used in AI, so ensuring the security of AI models requires attention to potential tampering and weaknesses in both environments. Efforts are underway in open-source consortia to address these issues, but there’s a need for security experts and data scientists with a security focus to contribute to issues spanning open-source and proprietary AI and ML.
Other new topics included balancing effectiveness and cost-effectiveness in cybersecurity solutions. It’s crucial to identify solutions that not only meet regulatory requirements but also provide the best value in reducing risk. Additionally, there’s a growing need to find ways to assist smaller companies in implementing effective cybersecurity measures.
The event ended with a toast to all our SAFECode members who contributed to the organization’s mission over the past year. Under the new SAFECode 2.0 framework, we’re excited to expand our collaboration on both new and existing initiatives. This inclusive approach will allow us to shape the future of software security together more effectively.
If you’re passionate about advancing secure software practices and want to be part of a dynamic community, now is the perfect time for your organization to join SAFECode. Contact us to learn more about becoming a member today!