FOR IMMEDIATE RELEASE
SAFECode Shares Experiences with Security Engineering Training
New Paper Offers a Framework for Corporate Training Programs on Secure Software Development
Arlington, Va. and San Francisco (RSA Conference) – April 20, 2009 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released a paper outlining a framework for corporate training programs on the principles of secure software development. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.
“Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development” outlines the fundamentals of a security engineering training program based on an analysis of the shared experiences of SAFECode members. It is not meant to provide a curriculum, but rather a framework that can be put into place to facilitate successful training initiatives across diverse corporate cultures, development environments and product requirements. Companies can use the framework to focus on the knowledge and skills that are most important to the needs of their programs, and thus meet their corporate objectives.
“Ensuring that every person involved in defining and building software applications has the security knowledge required to do it in a secure manner is fundamental to the success of software assurance programs,” said Reeny Sondhi, Senior Manager, Product Security Assurance, EMC Corporation and a key contributor to the paper. “By sharing their security training practices, the SAFECode members are making available to the software development community a proven approach to train software developers on secure development practices.”
An analysis of the software assurance programs of SAFECode members revealed that each successful effort has been supported by internally developed security engineering training directed at those responsible for the development of the software they produce, including product managers, project managers, architects/designers, developers and testers. While the review of the training efforts of SAFECode members demonstrated that internal training programs are most effective when customized to unique corporate needs, the programs share common elements that can greatly contribute to overall success. The most important of these was the need to create a solid base of foundational knowledge across the entire product team. Every SAFECode member has found that this level of awareness training is critical to establishing a security-aware culture and changing the specific behaviors of developers and assurance professionals.
“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to information and communications technology corporations working to implement effective software assurance programs,” said Paul Kurtz, Executive Director of SAFECode. “While not a replacement for formal security engineering education at the college and university level, the experiences shared by SAFECode members in this paper reveal the important role corporate training programs play in the effort to advance software assurance.”
A full copy of “Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development” is available for free download at http://safecode.wpengine.com/publications.php. SAFECode will update the paper periodically to reflect changes in the software assurance landscape and its work on advancing security engineering education and training.
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecodedev.wpengine.com.
Product and service names mentioned herein are the trademarks of their respective owners.