SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. We created this blog so that we could keep you posted on new developments in software assurance and our ongoing work in this area.
Please note that the opinions expressed in this blog are those of the writer or contributor and do not necessarily reflect the opinions of SAFECode or its member companies.
By Stacy Simpson, SAFECode
At SAFECode, we often talk about the need to look beyond the technical requirements of implementing a secure software development lifecycle and think more expansively about creating a holistic software security program that encompasses both strong technical practices and healthy business processes. Some of the non-technical aspects of managing a mature […]
By Steve Lipner, SAFECode
Welcome to San Francisco! SAFECode is excited to participate in this year’s RSA Conference and we look forward to connecting with our members and others in the cybersecurity community. If you are a SAFECode member, we hope to see you at our Annual Member Breakfast on Wednesday. In addition to offering […]
Coverage-guided fuzzing has been used for over a decade and has gained popularity in recent years as more and better tools became available. In this post, we explain what coverage-guided fuzzing is, and why it may often be a great choice for you.
By Souheil Moghnie, NortonLifeLock with Kostya Serebryany, Google, Rohit Shambhuni, Autodesk and Adith Sudhakar, VMWare
We are continuing our Focus on Fuzzing blog series with a quick overview of the different types of fuzzers. Understanding the taxonomy of fuzzing can help when thinking about selecting the right fuzzing tool for your project and determining whether […]
By Souheil Moghnie, NortonLifeLock and Kostya Serebryany, Google with Lisa Napier, VMWare; Rohit Shambhuni, Autodesk; and Adith Sudhakar, VMWare
At SAFECode, we members often compare notes on secure development practices that are proving effective in our individual software security efforts. One of the most commonly cited of these practices is fuzzing. Fuzzing, sometimes referred to as […]
By Anthony Dulay, Boeing with Souheil Moghnie, NortonLifeLock and Loren Brent Cobb, Boeing
In the digital age, data is everywhere. More people than ever before are using internet-connected, application-centric devices that collect and use some type of data about their users. In fact, according to statista.com there are approximately 75.44 billion devices connected to the […]
By Kostya Serebryany, Software Engineer, Google
C/C++ memory (un)safety remains a significant threat to security and stability of user-space applications and OS kernels. More than half of all high/critical security vulnerabilities across all major ecosystems are memory safety bugs,
Tania Ward is a Consultant Program Manager for Dell Technologies and a member of the SAFECode Technical Leadership Council. Tania Ward has lived the role of a Security Champion throughout her career and is now passing on her wisdom and expertise to others. In her current role at Dell Technologies, Tania oversees the security training […]
By Steve Lipner, Executive Director
This week, the National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce, is hosting National Cybersecurity Career Awareness Week (NCCAW). The goal is to focus on local, regional, and national interest to inspire, educate, and […]
*First published September 20, 2019
By Steve Lipner, Executive Director, SAFECode
Do a quick search on secure development and you’ll find pages and pages of advice and best practices. You could relatively quickly create a long checklist of best practices and how-tos covering everything from how to create a threat model to the dos and don’ts of avoiding cross-site scripting mistakes. Newer articles and papers might focus in on applying secure development to mobile applications or making it work in a DevOps…