By Stacy Simpson, SAFECode At SAFECode, we often talk about the need to look beyond the technical requirements of implementing a secure software development lifecycle and think more expansively about creating a holistic software security program that encompasses both strong technical practices and healthy business processes. Some of the non-technical aspects of managing a mature […]

By Steve Lipner, SAFECode Welcome to San Francisco! SAFECode is excited to participate in this year’s RSA Conference and we look forward to connecting with our members and others in the cybersecurity community. If you are a SAFECode member, we hope to see you at our Annual Member Breakfast on Wednesday. In addition to offering […]

Coverage-guided fuzzing has been used for over a decade and has gained popularity in recent years as more and better tools became available. In this post, we explain what coverage-guided fuzzing is, and why it may often be a great choice for you.

By Souheil Moghnie, NortonLifeLock with Kostya Serebryany, Google, Rohit Shambhuni, Autodesk and Adith Sudhakar, VMWare We are continuing our Focus on Fuzzing blog series with a quick overview of the different types of fuzzers. Understanding the taxonomy of fuzzing can help when thinking about selecting the right fuzzing tool for your project and determining whether […]

By Souheil Moghnie, NortonLifeLock and Kostya Serebryany, Google with Lisa Napier, VMWare; Rohit Shambhuni, Autodesk; and Adith Sudhakar, VMWare At SAFECode, we members often compare notes on secure development practices that are proving effective in our individual software security efforts. One of the most commonly cited of these practices is fuzzing. Fuzzing, sometimes referred to as […]

By Anthony Dulay, Boeing with Souheil Moghnie, NortonLifeLock and Loren Brent Cobb, Boeing In the digital age, data is everywhere. More people than ever before are using internet-connected, application-centric devices that collect and use some type of data about their users. In fact, according to statista.com there are approximately 75.44 billion devices connected to the […]

By Kostya Serebryany, Software Engineer, Google
C/C++ memory (un)safety remains a significant threat to security and stability of user-space applications and OS kernels. More than half of all high/critical security vulnerabilities across all major ecosystems are memory safety bugs [1], [2]

Tania Ward is a Consultant Program Manager for Dell Technologies and a member of the SAFECode Technical Leadership Council. Tania Ward has lived the role of a Security Champion throughout her career and is now passing on her wisdom and expertise to others. In her current role at Dell Technologies, Tania oversees the security training […]

By Steve Lipner, Executive Director     This week, the National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST) within the U.S. Department of Commerce is hosting National Cybersecurity Career Awareness Week (NCCAW). The goal is to focus on local, regional, and national interest to inspire, educate, and […]

*First published September 20, 2019

By Steve Lipner, Executive Director, SAFECode

Do a quick search on secure development and you’ll find pages and pages of advice and best practices. You could relatively quickly create a long checklist of best practices and how-tos covering everything from how to create a threat model to the dos and don’ts of avoiding cross site-scripting mistakes. Newer articles and papers might focus in on applying secure development to mobile applications or making it work in a DevOps…