Here in the U.S., the pumpkin spice flavor is everywhere and the weather is (hopefully) cooling off, but many of SAFECode’s initiatives are heating up! Take a look and see what interests you. And if you want us to explore a topic you don’t see listed, give us a shout with your idea here.
Here’s What’s Hot:
Reach out to us at [email protected] for more information or to get involved.
Take our Survey Today
In order to make us better, we need your feedback! Take a few minutes today and respond to our annual member survey so we can make sure SAFECode is doing everything it can to serve your needs. Find the link in our Member Portal or email us at [email protected] and we’ll send it along. Please respond by EOD 4 October. Thank you in advance for your time and thoughtfulness.
Call for Researchers
For the first phase of its efforts, the Security Summit Working Group is looking for researchers to help shape the agenda for a working session at a 2020 conference (HotSOS or IEEE SecDev at this point). Please see https://cps-vo.org/group/SoS/ and https://secdev.ieee.org/2019/Home/ for details on the two candidate venues.
We will use the agenda to create a working session in partnership with one of the conferences mentioned above. After that, the time commitment will vary depending on the sub-working groups and any related research initiatives. Contact [email protected] today if you’d like to help!
The SAFECode Board is Headed to Washington, D.C.!
The Board of Directors is planning a number of face-to-face meetings in Washington, D.C. this October to work together on current SAFECode initiatives, plan for the future and make sure we are doing everything possible to execute on our collective vision. Have an issue, idea or concern you’d like to see raised? Now would be a great time to reach out to your company’s Board member and let them know what you are thinking.
Brown Bags are Back in Session
Join SAFECode for our Members-only virtual webinar series! Each month, SAFECode experts will share information about software and supply chain security topics that are currently top of mind. All sessions are one hour in length and include plenty of time for Q&A and discussion.
SAFECode Members-only Webinar: De-identification as Information Security
Thursday, Oct 17, 2019
11am – 12pm (EDT)
Personal data represents an opportunity for data processors and risk to the individuals described. In this webinar, I will outline the problem, discuss information theory as a lens through which to view the problem, and finally analyze some of the solutions proposed as a way to leverage our enormous capacity to process data while protecting the interests of the individual.
Speaker: Erik Service is a security consultant with Security Compass. His professional interests include data privacy, application security, and organizational culture change. His 20-year career has mixed and matched contracts with technology firms, financial institutions, academia and healthcare. Erik is based in Toronto and holds degrees from McGill, Sheridan, and the University of Ottawa.
Interested in proposing a topic or hosting a session? Submit your proposal to [email protected] and we’ll be in touch.
Be Sure to Stay in Touch
Follow us on Twitter and LinkedIn, and be sure you are signed up to receive our Member newsletter.
SAFECode offers a number of ways for employees of member companies to collaborate with each other. The best way to stay apprised of these opportunities is by joining our Member portal. Our working groups are always open to new members. Take a look below and reach out at [email protected] if you’d like to get involved.
By The Numbers
Join this group to help develop and conduct member company surveys regarding secure development practices, the findings of which will be published in an annual report for members and will feed future projects. The team is currently developing a member survey to characterize and understand the secure development training/learning programs across member companies. We meet every other week and will be sending the survey out this fall. We are still looking for a Lead; please reach out to [email protected] if you are interested.
SAFECode recently teamed up with the Cloud Security Alliance to launch a new working group that will tackle issues related to DevSecOps in pure cloud environments. The working group will define a transparent and comprehensive software development and security management lifecycle that leverages all the components of DevSecOps and Security Champions, so that applications are deployed on time and fully functioning, with secure development practices integrated at every stage.
Open Source Evaluation
Attempts to backdoor popular open source packages distributed through repositories such as npm and PyPI, along with attacks on Docker and Debian APT repositories, are on the rise. Research has been presented demonstrating that it is possible to identify some patterns in code that could be indicators of backdoor behavior. However, such patterns alone proved insufficient to distinguish a deliberately planted backdoor from merely insecure coding. This group will discuss how to identify backdoor intent, along with other ideas for finding indicators of backdoor behavior in open source software.
The Fuzzing Working Group within SAFECode is producing a high-level description of what fuzzing is, the various types of fuzzers, and the pros and cons of each. We are also diving deep into what types of data can and should be fuzzed, and how. The group will further highlight the value of fuzzing and the classes of issues that can be found and mitigated by applying the appropriate fuzzing technique.
Personal and Data Privacy
The Personal Data Privacy Group writes about topics concerning the awareness and protection of individual data and data-generating products. Individual user data is essentially digital ore: it can be collected, analyzed, refined, packaged into distinct products, and monetized. The PDP blog is primarily focused on defining the elements of consumer digital footprints and effective strategies to protect and secure that data. Personal data privacy is also an ethical and legal responsibility that the enterprise owes to consumers. Each month, PDP explores the landscape of data topics, from consumer IoT to data aggregation and corporate data stewardship.
In 2019, we have yet to produce a scientific basis for application security. It is still largely an art, and vulnerabilities keep happening. The Security Summit WG is working on an industry roundtable with a pre-determined agenda for academics and practitioners to share and present work on security science. The goal is to extend the Software Security Body of Knowledge through academic/industry collaboration and the production of practically useful material grounded in scientific rigor. In addition to SAFECode members, the group has reached out to academic institutions, industry groups, and the IEEE to gauge interest in a joint effort. So far the response has been positive.
Skills Assessment Framework
There are many skills and skills-management issues in software security, including the need to quickly measure a person’s current skillset against a baseline in order to hire better employees, up-skill existing and transferring employees, and create knowledge ‘journeys’ for people who are already skilled. This group will work together to explore the development of a series of documents or worksheets that allow a company to create its own Skills Assessments and Knowledge Journeys based on the standards provided by SAFECode. It will also consider a deliverable describing how SAFECode member companies manage skills assessment in their own organizations.
Actions: The actions needed to create a skills assessment are:
An optimal outcome is a series of documents or worksheets that allow a company to create its own Skills Assessments and Knowledge Journeys based on the standards provided by SAFECode. A less optimal (but valid) outcome is a document describing how SAFECode member companies address the needs above in their own organizations.
Is your company a Member, and do you have an idea for collaboration you don’t see here? Contact us today and we’ll give you the details on how to submit new project, event, and working group ideas.
SAFECode Members can contact our Member Helpdesk for information on event sign-ups, working group opportunities, and any other questions they may have. For more specific inquiries, see below.
SAFECode Technical Leadership Council
The Technical Leadership Council (TLC) meets monthly and is comprised of representatives from each SAFECode member. Its main objective is to drive SAFECode’s technical work: helping to launch and support small member groups focused on identifying and analyzing common best practices around various software security topics, and providing ongoing opportunities for members to learn from one another on software security issues and challenges. To reach the TLC, contact: [email protected]
SAFECode Marketing and Events
Looking to collaborate with SAFECode on an upcoming event or marketing initiative? Have a question about a recent promotion? SAFECode’s marketing and events team is always interested in hearing from our members. You can reach us at [email protected]
SAFECode Board of Directors
Need to reach our leadership team? The SAFECode Board of Directors is comprised of members from each of our Charter member companies and meets each month. You can reach them by contacting: [email protected]
SAFECode Technical Support
Having trouble with the SAFECode collaboration portal? See an issue on the website? Our Member Helpdesk can help: [email protected]