Greetings members! Spring is nearly here and many activities and initiatives are happening within the organization. Take a look and see what interests you. And if you want us to explore a topic you don’t see listed, give us a shout with your idea here.
Each month, SAFECode members have the opportunity to learn how their member peers are tackling common challenges in software and supply chain security via SAFECode’s virtual members-only webinar series. All sessions are one hour in length and include plenty of time for Q&A and discussion. Members are welcome to join us live or catch up with what they missed on-demand.
Approach and Deliverables
One session would discuss vendor questionnaires for off-the-shelf products and the other would focus on cloud services. The work would result in short papers or blog posts that vendors could use to educate customers, or that other industry initiatives could use as a reference when creating future standardized vendor questionnaires.
The term “supply chain security” is broadly used by governments, vendor and customer alike. However, it often refers to different classes of problems depending on who is using it:
The goal of the working group is to offer a taxonomy of supply chain security that lists the actual threats against the supply chain and helps SAFECode communicate clearly with vendors, customers and governments.
The strategic goal of the Open Source Software Working Group (OSS WG) is to produce SAFECode deliverables that:
The first deliverable of the OSS WG will be a list of the possible risk scenarios impacting open source software that result in vulnerabilities or backdoors in code integrating open source components. A useful reference for this first deliverable can be found here: Getting Serious About Open Source Security
Interested in representing SAFECode as a speaker at an industry event? We welcome this and have created this self-service speaker center to assist in your efforts. We only ask that you represent yourself as a SAFECode member when using these materials and promote and cite SAFECode’s work appropriately. Please visit the Member Portal to find a list of upcoming events and sample speaking abstracts. For questions, please contact us here.
At SAFECode, members often compare notes on secure development practices that are proving effective in their individual software security efforts. One of the most commonly cited of these practices is fuzzing. Fuzzing, sometimes referred to as fuzz testing, is an automated software testing technique that involves providing invalid, unexpected, random, or semi-random data as input to a computer program. The program is then monitored for exceptions such as hangs, crashes, failing built-in code assertions, or potential memory leaks.
This Fuzzing series will discuss things such as: what types of fuzzing exist and which one to choose in a specific case; what tools are available for various languages and ecosystems; how and why to fuzz continuously; and, how fuzzing fits into the larger software development lifecycle.
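The definition above, as an added example that is not SAFECode's or any member's code: a minimal mutation-based fuzzer whose harness classifies each run as a crash (unexpected exception), a failed built-in assertion, or a hang (wall-clock limit via POSIX SIGALRM). The target is a constructed toy length-prefixed parser with one planted defect of each kind, so the findings are illustrative, not a real product bug; the seed input and field layout are likewise constructed.

```python
import random
import signal
# Constructed toy parser with a planted defect of each kind: 1-byte field count, then fields,
# where byte 0x00 is one padding byte and anything else starts a (type, length, value) triple.
def parse_tlv(data: bytes) -> dict:
    count = data[0]                                   # crash: IndexError on empty input
    fields, cursor = {}, 1
    while cursor < len(data):
        if data[cursor] == 0:                         # hang: padding skipped without advancing
            continue
        ftype, flen = data[cursor], data[cursor + 1]  # crash: IndexError if input ends here
        fields[ftype] = data[cursor + 2:cursor + 2 + flen]
        cursor += 2 + flen
    assert len(fields) == count, "declared field count mismatch"  # input check done via assert
    return fields
def _on_alarm(*_): raise TimeoutError
# Run one input under a wall-clock limit (POSIX SIGALRM) and classify what happened.
def run_target(target, data: bytes, timeout: float = 0.05) -> str:
    signal.signal(signal.SIGALRM, _on_alarm)
    signal.setitimer(signal.ITIMER_REAL, timeout)
    try:
        target(data)
        return "ok"
    except (TimeoutError, AssertionError) as exc:
        return "hang" if isinstance(exc, TimeoutError) else "assertion"
    except Exception:
        return "crash"
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)       # cancel the alarm
# Apply 1-3 random byte-level mutations in place.
def mutate(data: bytearray, rng: random.Random) -> None:
    for _ in range(rng.randint(1, 3)):
        op, n = rng.randrange(4), len(data)
        if op == 0:
            data.insert(rng.randint(0, n), rng.randrange(256))  # insert a random byte
        elif n:
            i = rng.randrange(n)
            if op == 1: data[i] ^= 1 << rng.randrange(8)        # flip one bit
            elif op == 2: del data[i]                           # delete a byte
            else: del data[i:]                                  # truncate
SEEDS = [b"\x02\x01\x03abc\x02\x01x"]  # constructed valid input: two fields, no padding
# Mutate seeds, run every case, keep the first input that reproduces each finding class.
def fuzz(target, seeds=SEEDS, iterations: int = 2000, rng_seed: int = 1) -> dict:
    rng, findings = random.Random(rng_seed), {}
    for _ in range(iterations):
        case = bytearray(rng.choice(seeds))
        mutate(case, rng)
        if (verdict := run_target(target, bytes(case))) != "ok":
            findings.setdefault(verdict, bytes(case))
    return findings
```

Each saved input in the returned dictionary is a reproducer: re-running it through `run_target` yields the same verdict, which is what a triage step needs.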
SAFECode offers a number of ways for employees of member companies to collaborate with each other. The best way to stay apprised of these opportunities is by joining our Member Portal. Our working groups are always open to new members. Take a look below and reach out at [email protected] if you’d like to get involved.
SAFECode recently teamed up with the Cloud Security Alliance to launch a new working group that will tackle issues related to DevSecOps in pure cloud environments. The working group will work to create a transparent and comprehensive software development and security management lifecycle that leverages all the components of DevSecOps and Security Champions to ensure timely and fully functioning application deployment, with secure development practices integrated at every stage.
With the Fuzzing Working Group within SAFECode, we’re providing a high-level description of what fuzzing is, the various types of fuzzers, and the pros and cons of each. We are also diving deep into what types of data can and should be fuzzed, and how. Furthermore, the Fuzzing Working Group will shed some light on the value of fuzzing, as well as the issues that can be found and mitigated by applying the proper fuzzing technique.
Personal and Data Privacy
The Personal Data Privacy Group writes about topics concerning the awareness and protection of individual data and data-generating products. Individual user data is essentially digital ore: it can be collected, analyzed, refined, packaged into distinct products, and monetized. The PDP blog is primarily focused on defining the elements of consumer digital footprints and effective strategies to protect and secure that data. Personal data privacy is also an ethical and legal responsibility that enterprises owe to consumers. Monthly, PDP explores the landscape of data topics from consumer IoT to data aggregation and corporate data stewardship.
Post Quantum Crypto
As you know, the eventual move toward quantum computing will make some cryptographic algorithms obsolete. While we don’t know exactly when this shift will happen, it does raise a need to start thinking about “crypto-agility,” the ability to move seamlessly from conventional cryptographic algorithms to quantum-safe ones. Though this may seem like a topic for the distant future, SAFECode has been discussing NIST’s current efforts in this area, and a number of post-quantum algorithm candidates are already available for experimentation.
SAFECode’s RSA discussion on crypto-agility will focus primarily on the implications of post-quantum algorithms for developers. Some SAFECode members, including Microsoft, have already begun experimenting in this area and should have important insights to share. The goal of the discussion is to support SAFECode members in their efforts to build in crypto-agility, as well as to define concrete steps developers can take today to ensure their applications are ready for post-quantum cryptography.
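One concrete developer-side step toward the crypto-agility described above, as an added example that is not SAFECode's or Microsoft's code: every integrity tag carries an algorithm identifier, implementations live in a registry, and a policy separates the algorithm used for new tags from the older ones still accepted, so retiring an algorithm or adding a replacement is a registry and policy change rather than a rewrite. HMAC-SHA-256 and HMAC-SHA3-256 stand in for the conventional and replacement algorithms; the identifiers "hs256" and "hs3-256" are constructed labels, and a post-quantum primitive would be registered the same way once a vetted library provides it.

```python
import hmac
import hashlib

# Registry of MAC algorithms keyed by the short identifier that travels with every tag.
# A new entry (e.g. a post-quantum candidate, once a vetted library ships it) is added
# here without touching the code that creates, checks or migrates tags.
ALGORITHMS = {
    "hs256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hs3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

class Policy:
    """Which algorithm new tags use, and which older ones are still accepted."""
    def __init__(self, current: str, accepted: set[str]):
        assert current in ALGORITHMS and accepted <= set(ALGORITHMS)
        self.current, self.accepted = current, accepted | {current}

def tag(policy: Policy, key: bytes, msg: bytes) -> bytes:
    """Produce b'alg_id:' + mac, so the verifier never has to guess the algorithm."""
    return policy.current.encode() + b":" + ALGORITHMS[policy.current](key, msg)

def verify(policy: Policy, key: bytes, msg: bytes, tagged: bytes) -> bool:
    """Accept only algorithms the policy still allows; reject unknown or retired ids."""
    alg_id, _, mac = tagged.partition(b":")
    alg = alg_id.decode(errors="replace")
    if alg not in policy.accepted:
        return False
    return hmac.compare_digest(mac, ALGORITHMS[alg](key, msg))

def needs_migration(policy: Policy, tagged: bytes) -> bool:
    """True when a stored tag was made with something other than the current algorithm."""
    return tagged.split(b":", 1)[0].decode(errors="replace") != policy.current

def migrate(policy: Policy, key: bytes, msg: bytes, tagged: bytes) -> bytes:
    """Re-tag under the current algorithm, but only after the old tag verifies."""
    if not verify(policy, key, msg, tagged):
        raise ValueError("refusing to migrate an invalid tag")
    return tag(policy, key, msg) if needs_migration(policy, tagged) else tagged
```

A transition then runs in three policy states: old algorithm current; new algorithm current with the old one still accepted while stored tags are migrated; and finally the old identifier removed from the accepted set, at which point any remaining old tags are rejected.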
Are you interested in expanding your training curriculum? SAFECode identifies and promotes best practices for developing and delivering more secure and reliable software, hardware and services. One of SAFECode’s missions is to create a solid base of foundational security knowledge across a product team, using the free software security training provided by SAFECode. Join this discussion group to share best practices and delve into how SAFECode can provide a skills path framework that would further the knowledge and training across member product teams.
Is your company a Member with an idea for collaboration you don’t see here? Contact us today and we’ll give you the details on how to submit new project, event, and working group ideas.
SAFECode Members can contact our Member Helpdesk for information on event sign-ups, working group opportunities, and any other questions they may have. For more specific inquiries, see below.
SAFECode Technical Leadership Council
The Technical Leadership Council (TLC) meets monthly and is comprised of representatives from each SAFECode member. Its main objective is to drive SAFECode’s technical work – helping to launch and support small member groups focused on identifying and analyzing common best practices around various software security topics, and providing ongoing opportunities for members to learn from one another on software security issues and challenges. To reach the TLC, contact: [email protected]
SAFECode Marketing and Events
Looking to collaborate with SAFECode on an upcoming event or marketing initiative? Have a question about a recent promotion? SAFECode’s marketing and events team is always interested in hearing from our members. You can reach us at [email protected]
SAFECode Board of Directors
Need to reach our leadership team? The SAFECode Board of Directors is comprised of members from each of our Charter member companies and meets each month. You can reach them by contacting: [email protected]
SAFECode Technical Support
Having trouble with the SAFECode collaboration portal? See an issue on the website? Our Member Helpdesk can help: [email protected]