FOR IMMEDIATE RELEASE
SAFECode Releases Guide to Secure Development Practices
New Paper Identifies Secure Development Methods that have Proven Applicable and Effective across Diverse Environments
Arlington, Va. – Oct. 08, 2008 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.” Based on an analysis of the individual software assurance efforts of SAFECode members, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.
“SAFECode has brought together some of the most experienced software assurance professionals in the industry to move us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered,” said Paul Kurtz, executive director of SAFECode. “We have documented and released these secure development practices in an effort to help others in the industry initiate or improve their own software assurance programs and encourage the industry-wide adoption of the secure development methods outlined in this paper.”
A review of the software assurance methods used by SAFECode’s highly diverse membership revealed that there are corresponding security practices that can improve software security and integrity for each stage of the software development lifecycle. The examination of these vendor practices reinforces the assertion that software assurance must be addressed throughout the software development lifecycle in order to be effective and not treated as a one-time event.
To aid others within the software industry in adopting and using these secure development best practices effectively, Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today describes each identified security practice across the software development lifecycle – Requirements, Design, Programming, Testing, Code Handling and Documentation – and offers implementation advice based on the experiences of SAFECode members. The secure development practices defined in the paper are as diverse as the SAFECode membership, spanning web-based, shrink-wrapped and database applications, as well as operating systems and embedded systems.
“Software vendors have both a responsibility and a business incentive to ensure product assurance and security,” said Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft’s Trustworthy Computing Group and a primary contributor to the paper. “By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry highly actionable advice for improving software security to the benefit of both our colleagues and customers.”
A full copy of Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today is available for download at http://safecode.wpengine.com/publications/SAFECode_Dev_Practices1108.pdf
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecodedev.wpengine.com.
Product and service names mentioned herein are the trademarks of their respective owners.