Member Information

This section of the website is designed to support current SAFECode members. If your company is a member of SAFECode, feel free to contact our Member Helpdesk for more information on anything you see on this page. Not sure if you are a Member? Check your membership status here. Like what you see on this page but not currently a Member? Learn more about joining the collaboration.

This Month’s Highlights

Taking a Brown Bag Break!
Our Member Brown Bag series may be taking a break for summer, but it is the perfect time to catch up on any sessions you missed. Find these past webinars on-demand.

  • Addressing the Gap Between Security Policies and Execution: Many organizations have established a set of common security best practices for their project teams. However, making these security practices relevant to the business needs of the organization continues to challenge even the most experienced security leaders. Typically, business stakeholders want to discuss security in terms of resiliency and risk management policies, but project teams want to talk in the more concrete language of operating procedures. Addressing this commonly found gap requires a “policy to procedure” pipeline that encompasses and connects both business policy and project operational needs. This Brown Bag session will describe practical steps an organization can take to build this “policy to procedure” pipeline and better address the needs of both sides.
  • Dynamic Languages and the Peril of Dependency Nightmares: Today’s fast-paced development environment using Python, Node.js (and others) is a path fraught with danger. From uncurated repositories to small packages pulling in hundreds if not thousands of dependencies, there is a need to be more aware of the potential dangers. Years ago, left-pad on npm was removed by a developer which ultimately brought down high profile projects around the world. Three years later, malware was injected into a library that affected thousands of additional projects. This webinar will show you how you can take steps to lower the risk of attacks on your projects.
  • Choosing Better Open Source Packages: Every day, developers look on the web to find open source software to perform tasks. We always know that someone has written it already, so we should just reuse it. But many of the developers of these packages tell us right from the beginning not to use the software they have written. This presentation will show how taking a few minutes up front and doing a tiny bit of due diligence will save you engineering hours on the back end…
  • Backdoor Detection in Open Source Software: Attempts to backdoor popular open source components like NPM and PyPi, along with attacks on Docker and Debian Aptitude repositories are on the rise. We started looking for ways to identify and protect Microsoft from these types of attacks. Through our research, we demonstrated a low-cost solution to identify patterns that could be indicators of backdoor behavior but discovered that this was not sufficient to determine backdoor intent vs insecure coding. In this presentation, we’ll define our working definition of a backdoor, summarize our work to date, the focus of our next phase of research and solicit feedback and input for future research.

Contact the Member Helpdesk for more information and to register

Be Sure to Follow us on Twitter!
Are you following us on Twitter? If not, make sure to tune in this summer – @SAFECode. We’ll be highlighting some of the basics covered in our training courses each Tuesday with our Tip Tuesday series. And you might start seeing some familiar faces on Thursdays as we ask members of our TLC to share insights on a wide range of topics in software security for TLC Thursdays. We’d love to have you follow us and join the conversation. And if you’d like to share a tip or participate in our TLC series, reach out to us at [email protected]

Fundamentals of Managing Software Security
A key principle guiding SAFECode’s work is our belief that secure software development can only be achieved with an organizational commitment and a holistic assurance process. But what does that mean in practice? Simply put, it means that a mature secure development lifecycle (SDL) includes more than just a checklist of secure development practices. It also encompasses all aspects of a healthy business process, such as program management, stakeholder engagement, deployment planning, program measurement, and continuous improvement. This month, we continue our blog series on the Fundamentals of Managing Software Security. Check out recent posts on Culture Development and Training and look for more coming soon.

In Case You Missed It: Industry News
The Business Software Alliance recently released The BSA Framework for Software Security. The document aims to provide a consolidated framework that brings together best practices in a manner that can be effectively described and communicated, regardless of the development environment or the purpose of the software. Read more about the BSA Framework and SAFECode’s role in supporting its development on our blog.


Collaborate with Your Peers at Other Member Companies

SAFECode offers a number of ways for employees of member companies to collaborate with each other. The best way to stay apprised of these opportunities is by joining our Member portal. You can also join a standing working group initiative by contacting the Member Helpdesk. Current opportunities are listed below:

By The Numbers
Join this group to help develop and conduct member company surveys regarding secure development practices, the findings of which will be published in an annual report for members and will feed future projects. The team is currently focused on using data to characterize and understand the secure development training/learning programs across member companies, and has been developing a member survey for that purpose. We meet every other week, and will be sending the survey out this summer.

DevSecOps
SAFECode recently teamed up with the Cloud Security Alliance to launch a new working group that will tackle issues related to DevSecOps in pure Cloud environments. The working group will work to create a transparent and comprehensive software development and security management lifecycle that leverages all the components of DevSecOps and Security Champions to ensure timely and fully functioning application deployment, with security development practices integrated at every stage.

Open Source Evaluation
Attempts to backdoor popular open source components like NPM and PyPi, along with attacks on Docker and Debian Aptitude repositories are on the rise. Research has been presented that demonstrated that it’s possible to identify some patterns in code that could be indicators of backdoor behavior. However, this alone proved insufficient to determine malicious backdoor intent vs insecure coding. How to identify backdoor intent, along with other ideas to identify indicators of backdoor behavior in Open Source Software will be discussed in this group.

Fuzzing Techniques
With the Fuzzing Working Group within SAFECode, we’re providing a high-level description of what Fuzzing is, the various types of Fuzzers, and the Pros and Cons of each. We are also diving deep into what types of data can/should be Fuzzed and how. Furthermore, the Fuzzing Working Group will be shedding some light on the value of Fuzzing as well as the issues that can be found and mitigated by applying the proper Fuzzing technique.

Personal and Data Privacy
The Personal Data Privacy Group writes about topics concerning the awareness and protection of individual data and data-generating products. Individual user data is essentially digital ore: it can be collected, analyzed, refined, packaged into distinct products, and monetized. The PDP blog is primarily focused on defining the elements of consumer digital footprints and effective strategies to protect and secure that data. Personal Data Privacy is also an ethical and legal responsibility on behalf of consumers in the enterprise. Monthly, PDP explores the landscape of data topics, from consumer IoT to data aggregation and corporate data stewardship.

Security Summit
In 2019, we have yet to produce a scientific basis for application security. It is still largely an art and vulnerabilities keep happening. The Security Summit WG is working on an industry roundtable with a pre-determined agenda for academics and practitioners to share and present around Security Science. The goal is to extend the Software Security Body of Knowledge through academic/industry collaboration and production of practically useful material based on scientific rigor. In addition to SAFECode members, the group has reached out to academic institutions, industry groups, and the IEEE to gauge interest in a joint effort. So far the response has been positive.

Skills Assessment Framework
There are many skills and skills management issues in software security, including the need to quickly identify a person’s current skillset against a baseline skillset in order to hire better employees, up-skill existing and transferring employees, and create knowledge ‘journeys’ for current skilled people. This group will work together to explore the development of a series of documents or worksheets that allow a company to create their own Skills Assessments and Knowledge Journeys based on the standards provided by SAFECode. It will also consider a deliverable describing how SAFECode member companies manage skills assessment in their own organizations.

Actions: The actions needed to create a skills assessment are:

  • Create a list of fundamental (baseline) skills (note that this could, and perhaps should, be broken down by specific job role)
  • Create lists of optimal skill sets by job role subcategories
  • Create one or more skills assessment questionnaires
  • Create ‘knowledge journeys’ for the job roles

An optimal outcome is a series of documents or worksheets that allow a company to create their own Skills Assessments and Knowledge Journeys based on the standards provided by SAFECode. A less optimal (but valid) outcome is a document describing how SAFECode member companies address the needs listed above in their own organizations.

Is your company a Member and you have an idea for collaboration you don’t see here? Contact us today and we’ll give you the details on how to submit a new project, event, and working group ideas.


Member Helpdesk

SAFECode Members can contact our Member Helpdesk for information on event sign-ups, working group opportunities, and any other questions they may have. For more specific inquiries, see below.

SAFECode Technical Leadership Council
The Technical Leadership Council (TLC) meets monthly and is comprised of representatives from each SAFECode member. Its main objective is to drive SAFECode’s technical work – helping to launch and support small member groups focused on identifying and analyzing common best practices around various software security topics, and providing ongoing opportunities for members to learn from one another on software security issues and challenges. To reach the TLC, contact: [email protected]

SAFECode Marketing and Events
Looking to collaborate with SAFECode on an upcoming event or marketing initiative? Have a question about a recent promotion? SAFECode’s marketing and events team is always interested in hearing from our members. You can reach us here: [email protected]

SAFECode Board of Directors
Need to reach our leadership team? The SAFECode Board of Directors is comprised of members from each of our Charter member companies and meets each month. You can reach them by contacting: [email protected]

SAFECode Technical Support
Having trouble with the SAFECode collaboration portal? See an issue on the website? Our Member Helpdesk can help: [email protected]

Copyright © 2007- Software Assurance Forum for Excellence in Code (SAFECode) – All Rights Reserved