SAFECode Releases Updated Guidance on Secure Development Practices

FOR IMMEDIATE RELEASE

SAFECode Releases Updated Guidance on Secure Development Practices

Report Provides Foundational Set of Secure Development Practices Based on
an Analysis of the Real-World Actions of SAFECode Members

New Edition Outlines Methods to Help Managers Verify that Development Teams Followed Prescribed Security Practices

Arlington, Va. – February 8, 2011 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released the second edition of “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.” The report is intended to help others in the industry initiate or improve their own software security programs and encourage the industry-wide adoption of fundamental secure development methods. The paper was jointly developed by SAFECode’s members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp.

As with the original, this latest report from SAFECode is not meant to be a comprehensive guide to all possible secure development best practices. Rather it is meant to provide a foundational set of “practiced practices” that have been shown to be effective in improving software security in real-world implementations by SAFECode members even across diverse development environments.

“It has been more than two years since we released our first paper on secure development practices,” said Paul Kurtz, executive director of SAFECode. “In that time, the process of building secure software has continued to evolve and improve alongside innovations and advancements in the information and communications technology industry. The second edition of the paper aims to disseminate the new knowledge SAFECode has gathered, and provide new tools and improved guidance for those implementing the paper’s recommended practices.”

In addition to providing updated security practices that should be applied during the design, development and testing activities in the software development lifecycle, the new edition of the report aims to address an important challenge for those managing software security programs – the need to verify that the development teams followed prescribed security practices. For each listed practice, SAFECode has included verification methods and tools that can be used to help confirm whether a practice was applied. Further, SAFECode has included Common Weakness Enumeration (CWE) references for each practice to provide a more detailed illustration of the security issues these practices aim to resolve.

“Software vendors have both a responsibility and a business incentive to ensure software security,” said Kurtz. “SAFECode encourages software developers to not only consider, tailor and adopt the practices outlined in this paper, but to also continue to contribute to a broad industry dialogue on advancing secure software development.”

SAFECode will continue to review and update the practices in this paper based on the experiences of its members and the feedback from the industry and other stakeholders. To this end, SAFECode encourages comments and contributions, especially to the newly added work on verification methods. To contribute, please visit www.safecodedev.wpengine.com

The second edition of the “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today” is available for free download at http://safecode.wpengine.com/publications/SAFECode_Dev_Practices0211.pdf

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecodedev.wpengine.com.

Product and service names mentioned herein are the trademarks of their respective owners.

###