Member Information

This section of the website is designed to support current SAFECode members. If your company is a member of SAFECode, feel free to contact our Member Helpdesk for more information on anything you see on this page. Not sure if you are a Member? Check your membership status here. Like what you see on this page but not currently a Member? Learn more about joining the collaboration.

This Month’s Highlights

Greetings members! Spring is nearly here and many activities and initiatives are happening within the organization. Take a look and see what interests you. And if you want us to explore a topic you don’t see listed, give us a shout with your idea here.

SAFECode Member-Only Brown Bag Series

Each month, SAFECode members have the opportunity to learn how their member peers are tackling common challenges in software and supply chain security via SAFECode’s virtual members-only webinar series. All sessions are one hour in length and include plenty of time for Q&A and discussion. Members are welcome to join us live or catch up with what they missed on-demand.

Future Brown Bags are currently on hold.
For more information on how you can access our sessions or organize one of your own, please email us here. 

New Working Groups

Worst Practices

Problem statement

  • Over the past few years, enterprise customers have become more sophisticated in inquiring about the security practices of their product vendors or cloud providers. Some customers are leveraging existing questionnaires such as the one developed by FS-ISAC or the Cloud Security Alliance; others have developed their own. Either way, vendors still face questions and requirements from acquirers that are at odds with current best practices. An example is asking a vendor to provide early access to vulnerabilities that have been reported but not remediated; another is asking a vendor to allow an unconstrained penetration test of the live site for an online service. The goal of the WG is to list the most commonly encountered “worst practices” in vendor questionnaires to educate purchasers and propose alternative approaches better aligned with industry best practices.

Approach and Deliverables

  • The proposed approach is to hold two two-hour sessions with a moderator and scribe, where interested representatives from SAFECode member companies will be invited to contribute to:
    • Creating a list of the most common worst practices
    • Educating readers on why each worst practice is in fact a worst practice
    • Suggesting alternative approaches wherever possible

One session would discuss vendor questionnaires for off-the-shelf products and the other session would focus on cloud services. The work would result in short papers or blog posts that could be leveraged by vendors to educate customers, or by other industry initiatives as a reference for the creation of future standardized vendor questionnaires.

Supply Chain

The term “supply chain security” is broadly used by governments, vendors and customers alike. However, it often refers to different classes of problems depending on who is using it:

  • For customers, supply chain security refers to the security practices of the vendor and its upstream suppliers,
  • For vendors, supply chain security refers to the security practices of the suppliers impacting its products:
    • For software vendors, it is often mostly focused on the security of open source software
    • For hardware vendors, it focuses on the authenticity and integrity of the supplier components integrated in its products
  • For governments, supply chain security is often tied to the country of origin of the vendor, the product or its components

The goal of the working group is to offer a taxonomy of supply chain security that lists the actual threats against the supply chain and can help SAFECode communicate clearly with vendors, customers and governments.

Open Source

The strategic goal of the Open Source Software Working Group (OSS WG) is to produce SAFECode deliverables that:

  1. Help the producers of Open Source Software produce more trustworthy code – with fewer vulnerabilities and greater confidence in the absence of backdoors, and,
  2. Assist development organizations integrating open source software components in gaining more confidence in the security assurance of the OSS code they consume.

The first deliverable of the OSS WG will be a list of the possible risk scenarios impacting open source software that result in vulnerabilities or backdoors in the code integrating open source components. A useful reference for this first deliverable can be found here: Getting Serious About Open Source Security

Self Serve Speaker Center

Interested in representing SAFECode as a speaker at an industry event? We welcome this and have created this self-service speaker center to assist in your efforts. We only ask that you represent yourself as a SAFECode member when using these materials and promote and cite SAFECode’s work appropriately. Please visit the Member Portal to find a list of upcoming events and sample speaking abstracts. For questions, please contact us here.

New Fuzzing Series

At SAFECode, our members often compare notes on secure development practices that are proving effective in their individual software security efforts. One of the most commonly cited of these practices is fuzzing. Fuzzing, sometimes referred to as fuzz testing, is an automated software testing technique that involves providing invalid, unexpected, random, or semi-random data as input to a computer program. The program is then monitored for exceptions such as hangs, crashes, failing built-in code assertions, or potential memory leaks.

This Fuzzing series will discuss things such as: what types of fuzzing exist and which one to choose in a specific case; what tools are available for various languages and ecosystems; how and why to fuzz continuously; and, how fuzzing fits into the larger software development lifecycle.

View the series here.

Collaborate with Your Peers at Other Member Companies

SAFECode offers a number of ways for employees of member companies to collaborate with each other. The best way to stay apprised of these opportunities is by joining our Member portal. Our working groups are always open to new members. Take a look below and reach out at [email protected] if you’d like to get involved.

DevSecOps
SAFECode recently teamed up with the Cloud Security Alliance to launch a new working group that will tackle issues related to DevSecOps in pure Cloud environments. The working group will work to create a transparent and comprehensive software development and security management lifecycle that leverages all the components of DevSecOps and Security Champions to ensure timely and fully functioning application deployment, with secure development practices integrated at every stage.

Fuzzing Techniques
With the Fuzzing Working Group within SAFECode, we’re providing a high-level description of what fuzzing is, the various types of fuzzers, and the pros and cons of each. We are also diving deep into what types of data can and should be fuzzed, and how. Furthermore, the Fuzzing Working Group will be shedding some light on the value of fuzzing as well as the issues that can be found and mitigated by applying the proper fuzzing technique.

Personal and Data Privacy
The Personal Data Privacy Group writes about topics concerning the awareness and protection of individual data and data-generating products. Individual user data is essentially digital ore: it can be collected, analyzed, refined, packaged into distinct products, and monetized. The PDP blog is primarily focused on defining the elements of consumer digital footprints, and effective strategies to protect and secure that data. Personal data privacy is also an ethical and legal responsibility that the enterprise owes to consumers. Monthly, PDP explores the landscape of data topics from consumer IoT to data aggregation and corporate data stewardship.

Post Quantum Crypto
As you know, the eventual move toward quantum computing will make some cryptographic algorithms obsolete. While we don’t know exactly when this shift will happen, it does raise a need to start thinking about the notion of “crypto-agility,” or the ability to move seamlessly from conventional cryptographic algorithms to quantum-safe ones. Though this discussion may seem focused on a topic for the distant future, SAFECode has been discussing NIST’s current efforts in this area, and there are a number of post-quantum algorithm candidates already available for experimentation.

SAFECode’s RSA discussion on crypto-agility will focus primarily on the implications of post-quantum algorithms for developers. Some SAFECode members, including Microsoft, have already begun experimenting in this area and should have some important insights to share. The goal of the discussion is to support SAFECode members in their efforts to build in crypto-agility, as well as to define some concrete steps developers can take today to ensure their applications are ready for post-quantum cryptography.

Security Trainings
Are you interested in expanding your training curriculum? SAFECode identifies and promotes best practices for developing and delivering more secure and reliable software, hardware and services. One of SAFECode’s missions is to create a solid base of foundational security knowledge across a product team, utilizing the free software security training provided by SAFECode. Join this discussion group to share best practices and delve into how SAFECode can provide a skills path framework that would further the knowledge and training across member product teams.

Is your company a Member and you have an idea for collaboration you don’t see here? Contact us today and we’ll give you the details on how to submit new project, event, and working group ideas.

Member Helpdesk

SAFECode Members can contact our Member Helpdesk for information on event sign-ups, working group opportunities, and any other questions they may have. For more specific inquiries, see below.

SAFECode Technical Leadership Council
The Technical Leadership Council (TLC) meets monthly and is comprised of representatives from each SAFECode member. Its main objective is to drive SAFECode’s technical work – helping to launch and support small member groups focused on identifying and analyzing common best practices around various software security topics, and providing ongoing opportunities for members to learn from one another on software security issues and challenges. To reach the TLC, contact: [email protected]

SAFECode Marketing and Events
Looking to collaborate with SAFECode on an upcoming event or marketing initiative? Have a question about a recent promotion? SAFECode’s marketing and events team is always interested in hearing from our members. You can reach us here: [email protected]

SAFECode Board of Directors
Need to reach our leadership team? The SAFECode Board of Directors is comprised of members from each of our Charter member companies and meets each month. You can reach them by contacting: [email protected]

SAFECode Technical Support
Having trouble with the SAFECode collaboration portal? See an issue on the website? Our Member Helpdesk can help: [email protected]

Copyright © 2007- Software Assurance Forum for Excellence in Code (SAFECode) – All Rights Reserved