Software assurance encompasses the development and implementation of methods and processes for ensuring that software functions as intended and is free of design defects and implementation flaws. The Software Assurance Forum for Excellence in Code (SAFECode) publishes the “SAFECode Fundamental Practices for Secure Software Development” to help others in the industry initiate or improve their own software assurance programs and encourage the industry-wide adoption of fundamental secure development practices. In 2018, a third edition was published, which updated and expanded the secure design, development and testing practices. The best practices in the guide apply to cloud-based and online services, shrink-wrapped software and database applications, as well as operating systems, mobile devices, embedded systems and devices connected to the Internet.
The inclusion of an EU-wide Information and Communications Technology certification framework as part of the new EU cybersecurity legislation has caused interest in the topic of security certification and evaluation. This paper is based on SAFECode members’ experience with security certifications, including lessons learned as well as recommendations for any new schemes.
Threat modeling, a key technique for architecting and designing systems securely, is a method that many SAFECode members employ. This paper leverages SAFECode members’ insights to offer effective ways to better integrate threat modeling and provides a great resource for organizations that are looking to integrate threat modeling into their own development processes and teams.
The use of third-party components (TPCs), including open source software (OSS) or commercial off-the-shelf (COTS) components, has become the de facto standard in software development. This paper breaks down the process and procedures developers need in order to test, improve, and quantify the security of third-party components.
This paper provides a framework for examining the secure development process of commercial technology providers. It is designed to help readers select the most appropriate assessment method for their needs, and provides guidance to help them develop a process-based assessment for use in cases when an appropriate international standard does not apply.
SAFECode and the Cloud Security Alliance (CSA) Release Guidance for the Secure Development of Cloud Applications
SAFECode and CSA partnered to determine whether additional software security guidance was needed to address unique threats to cloud computing, and if so, to identify specific security practices in the context of identified threats. This report represents the product of that collaboration and is intended to help readers better understand and implement best practices for secure cloud software development.
SAFECode Releases Software Security Guidance for Agile Practitioners
This paper provides practical software security guidance to Agile practitioners in the form of security-focused stories and security tasks they can easily integrate into their Agile-based development environments. SAFECode has also made available quick reference guides from the paper for download.
A SAFECode Perspective on Leveraging Descriptive Software Security Initiatives
This brief paper provides SAFECode’s perspectives on the BSIMM and addresses the questions that we often get about how our guidance relates to the data released through the BSIMM effort.
Report Provides Foundational Set of Secure Development Practices Based on an Analysis of the Real-World Actions of SAFECode Members.
The report is intended to help others in the industry initiate or improve their own software security programs and encourage the industry-wide adoption of fundamental secure development methods.
An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain.
The new report provides actionable recommendations for minimizing the risk of vulnerabilities being inserted into a software product during its sourcing, development and distribution.
First industry-driven framework for analyzing and describing the efforts of software suppliers to mitigate the potential that software could be intentionally compromised during its sourcing, development or distribution.
A Framework for Corporate Training Programs on the Principles of Secure Software Development
Based on an analysis of the individual software assurance efforts of SAFECode members, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security.
The report outlines the secure development methods and integrity controls currently used by SAFECode members to deliver high-assurance systems to government and commercial customers.