Today, we were very excited to release the 2nd edition of our Fundamental Practices for Secure Software Development paper. The report is intended to help others in the industry initiate or improve their own software security programs and encourage the industry-wide adoption of foundational secure development methods.

I would like to take a minute to thank the primary authors of the paper for their tireless efforts over the last nine months in getting this paper ready to publish. SAFECode is fortunate to have a membership made up of folks who aren’t afraid to roll up their sleeves and get to work.

  • Mark Belk, Juniper Networks
  • Matt Coles, EMC Corporation
  • Cassio Goldschmidt, Symantec Corp.
  • Michael Howard, Microsoft Corp.
  • Kyle Randolph, Adobe Systems Inc.
  • Mikko Saario, Nokia
  • Reeny Sondhi, EMC Corporation
  • Izar Tarandach, EMC Corporation
  • Antti Vähä-Sipilä, Nokia
  • Yonko Yonchev, SAP AG

It’s been more than two years since we released the original edition of this paper and it continues to be SAFECode’s most in-demand publication.  In fact, it has been downloaded more than 50,000 times since its release.  But in that time, the process of building secure software has continued to evolve and improve.  The second edition of the paper disseminates the new knowledge SAFECode has gathered since the original’s release and provides new tools and improved guidance for those implementing the paper’s recommended practices.

Here is what’s new:

  • We refined the paper to focus on the core areas of design, development and testing as some of the other related areas from the first paper, such as training and secure code handling, were given detailed treatment in other SAFECode papers.
  • We expanded and updated the guidance and references for each of the listed practices.
  • We added a new design practice to the list – sandboxing – which has seen a small number of high profile implementations since our original paper was released.
  • We included Common Weakness Enumeration (CWE) references for each of the listed practices to provide a more detailed illustration of the security issues these practices aim to resolve. We also hope this provides a more precise starting point for those looking to learn more.
  • We added Verification guidance for each listed practice to help address an important challenge for those managing software security programs – the need to verify that the development teams correctly followed prescribed security practices. This was a significant new addition, and an emerging area of work, so we are looking forward to gathering more feedback from readers on this section. However, our hope is that this will be another tool to aid in the successful implementation of these practices.

One of the more striking aspects of our work in putting this paper together was an opportunity to review the evolution of software security practices and resources in the two years since the first edition was published.  Though much of the advancement is a result of innovation happening internally within individual software companies, an increase in industry collaboration has amplified these efforts and contributed positively to advancing secure development practices across the industry. To keep this positive trend going, we encourage other software providers to continue to contribute to a broad industry dialogue on advancing secure software development.

For our part, we will continue to review and update the practices in this paper based on the experiences of our members and the feedback from the industry and other experts.  To this end, SAFECode encourages your comments and contributions, especially to the newly added work on verification methods.  (So congratulations authors on today’s release, but your work is not yet done!)
