Seeking Comments on Development Practices Recommendations; Released New Paper on Training

Today is an exciting day for SAFECode – two new announcements, a new blog to talk about them in, and a board of directors meeting.

We have brought our members together for a board meeting at the RSA Conference to hammer out some details on our current projects, plan our future efforts and meet with some members of our International Board of Advisers.  It should be a good day of brainstorming, idea-sharing and networking.

We are also issuing a call for public comments on our paper “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.” Based on an analysis of the individual software assurance efforts of SAFECode members, this paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security.

We’ll be updating the paper in late 2009 and would like to give software security experts outside of our membership a chance to provide comments.  This will not only expand our frame of reference, but will also give those who have put some of the paper’s recommendations into action a chance to provide feedback.  Based on the feedback we have received, we really think this paper has the potential to help others in the industry with their own secure development efforts, as well as shed some light for customers on the practical steps leading software companies are taking to help ensure software security.  We believe opening up the paper to experts outside the membership will only make it stronger and we look forward to the seeing the feedback.

So we encourage you to submit your comments – we’ll be accepting them until July 31.  And, if you are at the RSA Conference and would like to learn more about this paper, we’ll be giving an overview in a panel discussion on Wednesday.

We also just released a paper outlining a framework for building a corporate training program on secure software development.  We have found that all of our members have internally developed training programs to support their software assurance programs, so we wanted to see what these programs had in common.  While it is clear that training programs are most effective when they are customized to corporate needs, we were able to uncover a number of fundamental principles that all of our members’ programs share and we hope that providing this insight is useful to anyone who might be thinking about starting their own training initiatives.

I will be at the RSA Conference all week, along with many of our SAFECode members.  Any of us would be happy to answer any questions on SAFECode, so let me know if you want to meet up.