Yesterday, Veracode released the 3rd Volume of its State of Software Security report (registration required). This version of the report was especially interesting to us at SAFECode given its focus on the software industry. Unfortunately, the report’s conclusions highlighted what most of us already knew – the software industry has more work to do in the area of software security. The software security community will take time to digest the data and its significance, but at SAFECode we’re already focused squarely on how we as an industry can continue to get better.
SAFECode has brought together subject matter experts in an effort to identify vendor best practices for secure software development. To do this, our members roll up their sleeves and compare notes on their software security programs – the challenges they face, the lessons they’ve learned, the successes they’ve had and what they think others can learn from their experiences. We’ve taken the best of this information, analyzed it and shared it in an effort to help others in the software industry initiate or improve their own programs. We think commercial software providers will find our papers and reports practical, actionable and relevant to their environments.
Whether motivated by the Veracode report or just the nagging sense that your organization can do better, we encourage anyone interested in improving the security of the software they produce to take a look at this work and see how they can apply it to their own environment.
- Fundamental Practices for Secure Software Development, 2nd Edition
  - This report provides a foundational set of secure development practices based on an analysis of the real-world actions of SAFECode members. It also highlights tools and techniques to help verify that development teams are following prescribed security practices.
- Overview of Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain
  - The report provides actionable recommendations for minimizing the risk of vulnerabilities being inserted into a software product during its sourcing, development and distribution.
- Framework for Software Supply Chain Integrity
  - This report takes a step back to define an industry-driven framework for analyzing and describing the efforts of software suppliers to mitigate the potential that software could be intentionally compromised during its sourcing, development or distribution.
- Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development
  - This paper outlines the fundamentals of a security engineering training program based on an analysis of the shared experiences of SAFECode members.
Finally, I’d like to emphasize that at SAFECode, we’ve learned a lot from the innovations and successful efforts at individual companies, and this would not be possible without our members’ commitment to collaboration and their willingness to share information. Reports like Veracode’s also represent an effort to share information and new data points to consider as we, and others, continue our efforts to improve software security. So I’d like to thank Veracode for sharing this information with the community. And – shameless plug alert – I’d also like to encourage other commercial software vendors interested in working together to make our industry better to take a closer look at SAFECode and consider joining our efforts.