SAFECode members are passionate about software security, and it is because of their efforts that SAFECode is well respected in the greater technology ecosystem. On March 1, 2022, more than 60 software professionals from our member organizations came together to celebrate our achievements and look ahead to what we hope to accomplish this year.
We noted the accomplishments of our working groups, who collaborate on developing solutions to common challenges that our industry faces. In 2021, we shared our knowledge through brown bag webinars; blog posts on cryptography, software security, code integrity and the Executive Order; our highly viewed secure development training courses; and our comments on the draft NIST guidelines relating to the Executive Order.
We also recognized the partnerships we’ve developed with organizations such as the Cloud Security Alliance, Open-Source Security Foundation, BSA-The Software Alliance, NIST, Center for Internet Security, and the recently launched Nonprofit Cyber coalition.
Our ranks continue to grow and in 2021, we welcomed our newest associate members Cloudyiron, Secure Code Warrior, and Siemens Energy. We count some of the industry’s most knowledgeable and dedicated software security experts among our members. They don’t just talk about doing things, they get things done.
One of the highlights of SAFECode Day was a presentation by our guest speaker Murugiah Souppaya, a computer scientist in the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology. Murugiah is a well-respected advocate for modern security technology and leads many cybersecurity projects for NIST. His talk was about NIST’s Secure Software Development Framework (SSDF) – including SAFECode’s contributions to its development – and how it is being used to support the Executive Order (EO). He focused on the NIST guidance around the security of the software supply chain and provided updates about the EO and current SSDF projects in flight, including the development of an SSDF baseline for open-source software.
We also celebrated the achievements and future focus of our Projects in Flight – projects that are recommended by our members.
- Post Quantum Cryptography: This group published three blog posts on crypto agility, with plans for more. They continue to partner with NIST to review the draft NCCoE Migration to PQC and are also investigating prototyping.
- Executive Order WG: This group was specifically formed to discuss and provide feedback to the preliminary guidelines published by NIST in response to the May 2021 Cybersecurity Executive Order. Within weeks of the release of the EO, SAFECode had submitted position papers, participated in workshops, and commented on drafts. They continue to monitor government activities in response to the EO and share plans and approaches for compliance.
- DevSecOps (liaison with Cloud Security Alliance): This group published a pillar document on Bridge Compliance and Development, with plans to publish additional pillar documents and technical papers.
- Open-Source Software: SAFECode is working in partnership with the Open-Source Security Foundation to improve security within the open-source ecosystem by sharing resources and best practices.
- Security Training: This group will be evaluating SAFECode’s existing training courses and developing a sustainable security training strategy to ensure materials stay current with industry demands. They are also investigating ways to provide more customized training for SAFECode members.
- Code Integrity: This group, which started in September 2021, is creating content (blogs and webinars) that provides operational guidance on what is essential for code integrity.
- Operational Learning & Sharing: This is another new project for SAFECode that will center its activities around the pros and cons of learning tools and best practices.
- Common Requirements for Suppliers of Code: This new project will focus on defining requirements for code suppliers and an associated verification framework.
- Threat Modeling at Scale: This new collaboration between SAFECode and Boston University brings together leaders from academia and industry to address the challenges around threat modeling.
- Software Bill of Materials: This new project will focus on how SBOMs can be practically applied and maintained – a topic that has been getting a lot of attention.
All these projects are addressing challenges that our members face, and the working groups are always happy to have more voices join the discussion. If you would like to get involved and your organization is a SAFECode member, contact us at [email protected] and we will connect you!
The event ended with a virtual toast to all the hard work and efforts of our staff, leadership, and members. It was a great opportunity to come together to see what others have been doing.
If you like what you read and your organization is not a SAFECode member, please reach out to learn more.