I recently came across an article in SD Times published a few weeks ago called Major Software Makers Fail Security Transparency Test. Apparently the editors had asked a group of software vendors for information on the principles that they use for writing secure software. Unfortunately, they did not receive many responses to their requests, which led to the conclusion that the vendors surveyed lack the proper transparency on their secure development efforts.
I commend them for asking this question because I believe that sharing this information is critical to the advancement of secure development practices. But since I spent most of my career in public relations, I understand that a lack of response to a request like this is often an issue of timing or simply a mix-up, so I am hesitant to agree outright with the conclusion that a company’s inability to respond to one survey is directly attributable to an unwillingness to share information, or, as is also proposed in the article, a sign that maybe they do not have something good to talk about.
However, the article does raise an important issue. There is a desire for more clarity on the methods that software vendors use to help ensure the security of the software they produce – and until recently this information was hard to find. In fact, this was a big part of the reason SAFECode was formed. Our members recognized that while individual companies have implemented effective methods for developing and delivering more secure and reliable software, there was no coordinated, industry-led effort to share this positive work and build upon it to advance software assurance more broadly.
And while there is still more work to be done, I think we have made strong progress in this area as SAFECode continues in its second year. All of our members – EMC, Juniper Networks, Microsoft, Nokia, SAP and Symantec – have actively participated in an open exchange of information about their software assurance programs. We have released much of the information they have provided in three freely available papers – each of which is based on a detailed analysis of the methods used by our individual member companies to help ensure the security of the software they produce:
• Software Assurance: An Overview of Current Industry Best Practices: This paper identifies and explains the high-level security best practices and controls that are currently in use by SAFECode members.
• Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today: This paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. Its recommendations are based on an analysis of the individual software assurance practices used by SAFECode members.
• Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development: This paper outlines the fundamentals of a security engineering training program based on an analysis of the shared experiences of SAFECode members.
As the SD Times article states, perhaps not every software company is as ready to share, but I did want to take this opportunity to point out that SAFECode is a place you can go to find this open exchange of information. And as our industry continues to mature, we hope that others will join us in our effort to foster productive information sharing and collaboration on secure development practices.