SAFECode’s Member-Only Brown Bag Series Continues
Join SAFECode for our virtual webinar series! Each month, SAFECode experts will share information about software and supply chain security topics that are currently top of mind. All sessions are one hour in length and include plenty of time for Q&A and discussion. Last month, we had more than 65 members join us live and many more who watched the recording!
Contact the Member Helpdesk for more information and to register
New Blog Series Debuts this Month
A key principle guiding SAFECode’s work has always been our belief that secure software development can only be achieved with an organizational commitment and a holistic assurance process. But what does that mean in practice? Simply put, it means that a mature secure development lifecycle (SDL) includes more than just a checklist of secure development practices. It also encompasses all aspects of a healthy business process, such as program management, stakeholder engagement, deployment planning, program measurement, and continuous improvement. This month we launched a new blog series on the Fundamentals of Managing Software Security that expands on the SDL planning and implementation guidance described in SAFECode’s Fundamental Practices for Secure Software Development. Our first post focuses on Culture Development.
Welcome New (and Returning) Members
SAFECode would like to extend a warm welcome to our newest members – Accenture, Splunk and UTC – and our returning member, Veracode. Please reach out and introduce yourself to the new names in our working groups!
SAFECode offers a number of ways for employees of member companies to collaborate with each other. The best way to stay apprised of these opportunities is by joining our Member portal. You can also join a standing working group initiative by contacting the Member Helpdesk. Current opportunities are listed below:
By The Numbers
Join this group to help develop and conduct member company surveys regarding secure development practices, the findings of which will be published in an annual report for members and will feed future projects. The team is currently focused on using data to characterize and understand the secure development training/learning programs across member companies.
DevSecOps in the Cloud
SAFECode recently teamed up with the Cloud Security Alliance to launch a new working group that will tackle issues related to DevSecOps in pure cloud environments. The working group will create a transparent and comprehensive software development and security management lifecycle that leverages all the components of DevSecOps, together with Security Champions, to ensure timely, fully functioning application deployment with secure development practices integrated at every stage.
Open Source Evaluation
Attempts to backdoor popular open source packages distributed through ecosystems such as npm and PyPI, along with attacks on Docker and Debian APT repositories, are on the rise. Research has shown that some patterns in code can serve as indicators of backdoor behavior. However, these patterns alone proved insufficient to distinguish malicious backdoor intent from merely insecure coding. This group will discuss how to identify backdoor intent, along with other ideas for identifying indicators of backdoor behavior in open source software.
Fuzzing
Fuzzing is an effective technique for finding security issues and for testing the robustness and resiliency of software. Joining this group will provide an opportunity to share experiences and perspectives on fuzzing with others at SAFECode. We will cover the various types of fuzzers and the pros and cons of each type. Additionally, we will touch on how to customize your fuzzers to improve their efficacy.
Personal and Data Privacy
Join this group: 1) to help developers understand the broad set of privacy issues and concerns to which the software they design and build may be susceptible; 2) to promote everyday people’s awareness of what to do (or not do) to protect themselves; and 3) to determine what a “noise and light discipline” strategy looks like for consumers who want to retain ownership of their own data protection and privacy.
Science of Security Conference
Despite a lot of available information, we have yet to produce a scientific basis for application security. Advice tends to fall within the realm of isolated observations, collective experience, or confirmation bias. This conference would be an invitation-only event with a pre-determined agenda around the science of security for academics and industry practitioners. The proposal is to consider the limits of our practice and extend the body of knowledge through a more scientific approach.
Skills Assessment Framework
There are many skills-management challenges in software security, including the need to quickly assess a person’s current skillset against a baseline skillset in order to hire better employees, up-skill existing and transferring employees, and create knowledge “journeys” for people who are already skilled. This group will explore the development of a series of documents or worksheets that allow a company to create its own Skills Assessments and Knowledge Journeys based on the standards provided by SAFECode. It will also consider a deliverable describing how SAFECode member companies manage skills assessment in their own organizations.
Actions: The actions needed to create a skills assessment are:
An optimal outcome is a series of documents or worksheets that allow a company to create its own Skills Assessments and Knowledge Journeys based on the standards provided by SAFECode. A less optimal (but valid) outcome is a document describing how SAFECode member companies address the needs described above in their own organizations.
Is your company a member with an idea for collaboration you don’t see here? Contact us today and we’ll give you the details on how to submit new project, event, and working group ideas.
SAFECode Members can contact our Member Helpdesk for information on event sign-ups, working group opportunities, and any other questions they may have. For more specific inquiries, see below.
SAFECode Technical Leadership Council
The Technical Leadership Council (TLC) meets monthly and is composed of representatives from each SAFECode member. Its main objective is to drive SAFECode’s technical work: helping to launch and support small member groups focused on identifying and analyzing common best practices around various software security topics, and providing ongoing opportunities for members to learn from one another on software security issues and challenges. To reach the TLC, contact us through the Member Helpdesk.
SAFECode Marketing and Events
Looking to collaborate with SAFECode on an upcoming event or marketing initiative? Have a question about a recent promotion? SAFECode’s marketing and events team is always interested in hearing from our members. You can reach the team through the Member Helpdesk.
SAFECode Board of Directors
Need to reach our leadership team? The SAFECode Board of Directors is composed of representatives from each of our Charter member companies and meets each month. You can reach them through the Member Helpdesk.
SAFECode Technical Support
Having trouble with the SAFECode collaboration portal? See an issue on the website? Our Member Helpdesk can help.