SAFECode Frequently Asked Questions

What is SAFECode’s Mission?

As a center of excellence for vendor software assurance practices, SAFECode unites subject matter experts with unparalleled experience in managing complex global processes for software sourcing, development and delivery to:

  • Encourage broad industry adoption of proven software security, integrity and authenticity practices
  • Drive clarity into vendor software assurance practices to empower customers and other key stakeholders to better manage risk
  • Foster a trusted exchange of insights that advance software assurance practices

What are SAFECode’s Principles?

Members have a shared commitment to a number of Principles that ensure consistency in their approach to software assurance practices. Please view the SAFECode Principles here.

What is Software Assurance?

Software Assurance encompasses a developing set of methods and processes for ensuring that software functions as intended without introducing vulnerabilities, malicious code, or defects that can bring harm to the end user.

What is the Software Assurance Forum for Excellence in Code (SAFECode)?

The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

What Does SAFECode Do to Promote Software Assurance?

SAFECode unites subject matter experts to identify, analyse and promote best practices based on their real-world experience in implementing, managing and/or supporting product security programs. Some examples of our work include:

  • Development and publication of numerous pieces of practical guidance on key issues in software security, including our flagship publication, “Fundamental Practices for Secure Software Development,” and some of the first industry-developed guidance on software integrity in the supply chain.
  • Management of a community resource for software security training that includes free online security engineering training courses called Security Engineering Training by SAFECode. These courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills.
  • Hosting of numerous information sharing sessions among members that offer a unique opportunity to share information, discuss challenges and learn from industry peers in a trusted environment.

SAFECode publications and programs are designed to be helpful not only to other technology organizations looking to improve their own secure development efforts, but also to customer organizations seeking to understand how industry approaches software security. All SAFECode published guidance is free and available via this website.

Is SAFECode a Lobbying Organization?

SAFECode is neither a standards body nor a lobbying association. Rather it is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. As a collaborative effort of leading technology companies committed to software assurance excellence, SAFECode provides a forum for subject matter experts to come together to work on some of the most challenging issues faced by the IT industry. There is no single solution or “right way” to address software assurance. Indeed, there are many different ways to succeed. SAFECode provides an opportunity to bring the best methods together in a manner that helps vendors and their customers better manage risk.

Why is SAFECode Necessary Now?

While individual companies have implemented effective methods for developing and delivering more secure and reliable software, hardware and services, there has been no coordinated, industry-led effort to build upon this positive work and promote best practices to advance software assurance more broadly. SAFECode fills this critical gap by bringing together subject matter experts to: 1) Encourage broad industry adoption of proven software security, integrity and authenticity practices; 2) Drive clarity into vendor software assurance practices to empower customers and other key stakeholders to better manage risk; and 3) Foster a trusted exchange of insights that advance software assurance practices.

Who are SAFECode’s Members?

SAFECode membership is open to any organization with a demonstrated commitment to software assurance. We are proud to count some of the world’s largest information and communications technology companies among our members. See members.

How Can My Organization Become a Member of SAFECode?

SAFECode is looking for hands-on members who want to benefit from the experiences of others and actively contribute to advancing the art of software assurance. We welcome any organization with a demonstrated commitment to software assurance. If this describes you, then get involved with SAFECode. For more information, please visit our Membership page or contact us at info@safecode.org.

What is Security Engineering Training by SAFECode?

Security Engineering Training by SAFECode is an online community resource offering free software security training courses delivered via on-demand webcasts.

Covering issues from preventing SQL injection to avoiding cross-site request forgery, the courses are designed to be used as building blocks for those looking to create an in-house training program for their product development teams, as well as individuals interested in enhancing their skills. All courses are free and published under a Creative Commons license, and open, non-commercial usage of the content is encouraged.

Why did SAFECode create this program?

The collective experience of SAFECode’s member companies has shown that software security is most successful when it is treated as a process that reflects an individual company’s culture and unique development needs. Supporting this process through software security training is essential. In fact, the lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to organizations working to implement software security programs.

Though our analysis has shown that security training is most effective when aligned to an organization’s unique culture and security development process, we recognize that not every organization has the resources required to develop custom training. We hope that this program can help other organizations overcome this challenge and provide them with the tools they need to create a training program that works for their environment.

Who is the program aimed at helping?

While the courses will be helpful for individuals looking to improve their skills, SAFECode’s primary focus is on assisting product security managers in finding materials useful for developing and supporting an in-house training program. SAFECode has also published a framework for developing a corporate security engineering training program to further assist in the training program development process.

How does SAFECode create content for training courses?

These courses are based on the software security curriculum being successfully used within SAFECode’s member companies; in other words, the content has been road-tested. The courses available now are based on training modules being used within Adobe, and benefit from additional review and supplementing by a team of technical contributors from across the SAFECode membership to ensure their broad applicability. While keeping programs up-to-date is always a challenge, especially with a free public service, we hope that the community will alert us to issues and new updates. This is a key reason why the site was designed to encourage comments on the courses from users.

Are there other resources available?

SAFECode recommends that product security managers use the training materials in the context of a broader software security process. SAFECode frequently publishes guidance to help support the development and maturation of such a process, including its flagship work, Fundamental Practices for Secure Software Development. It has also published a framework for setting up a corporate security engineering training program.

SAFECode intends to add additional courses and resources to the site, including training program implementation advice based on the real-world experiences of our members, with the goal of creating an accessible and practical industry resource to support and promote software security training.

Is this program a replacement for formal security engineering education?

No, this program should be seen as a supplement to, and not a replacement for, formal education. In fact, SAFECode is a strong advocate for security engineering education at the college and university level and hopes that as software assurance programs advance, a more standardized curriculum can be developed for both full-time programs and ongoing continuing education. However, corporations cannot wait for these developments to occur before integrating secure development principles into their development lifecycles and it is our experience that this knowledge gap can be addressed through corporate training initiatives.

Do I have to join SAFECode to use its training courses?

No, the use of all SAFECode training courses is free to the public. All courses are published under a Creative Commons license and open, non-commercial usage of the content is encouraged.

Do I have to register with the site to view the courses?

No, registration is not required to view the courses. However, registered users receive a number of benefits, including the ability to download courses for offline viewing. Registration is also required to comment on the courses. We encourage course participants to leave feedback on the courses. Your feedback will be used to help keep the material up-to-date and ensure it best meets the needs of the community it aims to serve. Finally, registered users will receive email updates when new courses become available.

Can I download the courses for offline viewing?

Registered users can download the videos for offline viewing. To register, visit our Training section.

Are these the only courses available?

SAFECode will be adding new courses to the site on an ongoing basis. Our goal is to create a diverse catalog of security engineering training courses for all expertise levels as a community resource. If you have suggestions on future topics to address, please let us know. We would love to hear from you.

Can we customize SAFECode training courses for our organization?

Yes, any organization may take the content from the SAFECode courses and customize it to their environment. In fact, doing so is encouraged. Please just abide by our Creative Commons license agreement (http://creativecommons.org/licenses/by-nc/3.0/deed.en_GB). You’ll see the only restriction is that the content cannot be used for commercial purposes. SAFECode members do have access to the source materials for these courses, which does provide an opportunity for easier customization.

I am having trouble viewing a course. What is wrong?

First, check your Internet connection. If you continue to have problems, please contact us and let us know.

I manage a publication/association/other organization and I would like to host the content on our site. Is this allowed?

As long as it is not intended for commercial use, SAFECode is happy to have others host the material. Our goal is to make these courses as widely available as possible so they may serve the community. Please contact us for more details.

Copyright © 2007-2018 Software Assurance Forum for Excellence in Code (SAFECode) – All Rights Reserved