Steve Lipner on Software Security Best Practices for Developers

During a wide-ranging interview on a recent episode of “Security Weekly” – a security podcast hosted by Paul Asadoorian – SAFECode’s Steve Lipner discussed how organizations and developers can take advantage of SAFECode’s new threat modeling and third party component best practices white papers. Here are some of Steve’s insights from the discussion. To hear the full podcast, visit here.

 

Advice for companies responsible for securing the software they deliver

For organizations that aim to deliver secure code, the papers provide an understanding of some fundamental aspects of building software securely and ensuring supply chain security. Managing Security Risks Inherent in the Use of Third-party Components and SAFECode Tactical Threat Modeling provide guidance and real-world examples that help any size organization implement a strong software and supply chain security strategy. The papers are an addition to SAFECode’s free resources on the fundamental practices involved in a secure development program.

 

Helping staff get up to speed on security

SAFECode training provides an organization’s developers, not just its security people, with guidance on how to build secure software. In terms of how you instill in developers the skills they need, it’s important to give them concrete guidance. SAFECode offers a number of resources on the SAFECode homepage, including free online training material that developers can download and use to boost their skills.

 

The new threat modeling and third party component papers

The papers that we just released are a great introduction to implementing an approach to threat modeling that works in your organization and to using third-party components without taking unacceptable security risks. These are both areas where the development team and the security team can work together to apply best practices and identify and address architecture and design issues that either team alone might not be able to find.

 

By giving developers, and not just your security specialists, a leg up in terms of being able to look at a design, review its data flow diagram and then understand its implications as part of a threat model, organizations can help ensure their development team will find threats and concerns that a security team might not otherwise have noticed. Pairing these two teams up creates an integrated unit that will help strengthen an organization’s software security assurance practices.