In October 2007, a group of leading technology providers came together to address the increasing concerns over the security of commercial technology products. While individual companies were actively implementing effective methods for developing and delivering more secure and reliable software, there was no coordinated, industry-led effort to identify, improve and communicate software security practices to promote software security across the technology ecosystem. To fill this critical gap and foster software security collaboration among technology providers, they created SAFECode (formerly known as the Software Assurance Forum for Excellence in Code). As a non-profit organization, SAFECode would bring together subject matter experts to identify and share proven software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and drive clarity into vendor software assurance practices to empower customers and other key stakeholders to better manage risk.
“Software assurance is a critical element of IT ecosystem security. By building on the positive work already done in this area by individual firms and encouraging broader adoption of proven best practices for the development and delivery of more secure technology products and services, SAFECode has a unique opportunity to significantly impact the overall security and reliability of the cyber infrastructure,” said Paul Kurtz, founding executive director of SAFECode. “With the support of its founding members, SAFECode will work to meet the growing demand for information and dialogue on software assurance and increase the trust in IT and communications products and services.”
At its founding, SAFECode members included information and communications technology vendors with significant global business activity in IT technology products such as hardware, software and services that had demonstrated a commitment and dedicated resources to software assurance. Given the natural sensitivities around sharing security information, SAFECode devised a unique NDA-protected collaborative environment that enables more open information sharing among its members. While member collaboration is protected, the results of those efforts are shared with a broader community in an effort to support and promote secure development practices industrywide.
SAFECode has since published a number of influential publications offering software security guidance, led by its flagship paper Fundamentals of Secure Software Development, which has been cited in numerous well-respected policy and technical papers in both the US and Europe. With the support of member Adobe, SAFECode was also able to provide the community with a number of free, professionally produced security engineering training courses to help companies of all sizes create a software security training program for their product development and management teams.
As the organization evolved, it added Associate Members to open SAFECode membership to smaller organizations and extend collaboration to a more diverse sampling of the technology companies, consultants and users that create, secure and use software. Today, these members make up a significant part of SAFECode’s technical working groups and contributors, playing a key role in the development of its technical guidance and industry publications. Its leadership has included some of the most recognized experts in cyber security, including Paul Kurtz, the late Howard Schmidt, and today, Steven Lipner, who is widely recognized in the technology community as the “Father of the SDL.”
While SAFECode is neither a standards body nor a lobbying association, it is proud of the fact that its published guidance has been used to inform a number of prominent industry and government efforts to address software security over the past decade. As it looks toward the future, SAFECode is committed to continuing to bring business leaders and technical experts together to exchange insights and ideas on creating, improving and promoting scalable and effective software security programs. SAFECode remains dedicated to its belief that secure software development can only be achieved with an organizational commitment and the execution of a holistic assurance process, and that sharing information on that process and the practices it encompasses is the most effective way for software providers to help customers and other stakeholders manage application security risk.