Software security assurance: Everybody’s invited
As more and more things in this world of ours run on software, software security assurance – i.e. confidence that software is free from vulnerabilities (either intentional or not) and functions as intended – is becoming more important than ever.
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization that aims to increase that confidence and the trust users have in information and communications technology products and services.
SAFECode’s work to date
“We believe that there are three audiences involved in software security assurance: development organizations, individual developers, and customers who use software. For organizations, our biggest success is creating actionable guidance for making their software more secure. For developers, our biggest success is providing free online training that enables them to know what they should and shouldn’t do to improve software security assurance. And for customers, we provide guidance that helps them tell whether their suppliers are taking action to deliver secure software,” Steve Lipner, the organization’s executive director, told Help Net Security.
He says that SAFECode’s most significant achievement to date is establishing itself as the industry’s trusted source of information about software security assurance.
Lipner, who has more than four decades of experience in software security assurance, has recently succeeded Howard Schmidt, another information security luminary, in the position of director of SAFECode.
But even without this new role, his contribution to software assurance has been substantial. Among other things, he is the creator, and was a long-time leader, of Microsoft’s Security Development Lifecycle (SDL) team.
“The SDL made a big difference in the way that Microsoft designed and built software, but our decision to share the specifics of the SDL process, as well as some of the tools we used, helped to jumpstart software security assurance across the industry. Both the specifics of the SDL and the broader fact that an organization like Microsoft could adopt a secure development process provided good examples for the industry,” he noted.
“A number of the SAFECode members have acknowledged that they started their software security assurance processes by emulating the SDL, and I’ve always thought that was a real success of the process.”
The benefits of being a SAFECode member
SAFECode counts among its members some of the world’s largest technology companies, including Microsoft, Intel, CA, and Adobe.
Lipner believes that the biggest benefit of being a SAFECode member is the opportunity to collaborate with other organizations that are also committed to software security assurance – under nondisclosure when that’s appropriate.
“We’ve found that different organizations discover different problems and come up with different approaches and solutions. So collaboration across organizations is a great way to benefit from peers’ ‘lessons learned’ and improve your own practices without reinventing the wheel,” he pointed out.
“Equally beneficial is the opportunity for SAFECode members to give back to the industry and share their knowledge by contributing to the free guidance documents and online training that SAFECode provides to the community.”
The organization’s plan is to continue serving all three audiences – development organizations, developers, and users – with more guidance and training. As Lipner rightly pointed out, security is a journey, not a destination, and they are committed to continuing to raise the bar.
Tips for developers and development leaders
Lipner believes that the biggest obstacles to implementing secure coding practices are that developers aren’t aware that they need to be writing secure code (even if they are not writing security software), and that many development leaders can be overwhelmed by the challenge of deciding what they should be doing about security.
“If your education didn’t tell you what writing secure software means, look at the SAFECode online training materials,” he advised individual developers.
“Read about some of the ways that software security goes wrong (e.g. CERT advisories, vendor security bulletins) and take those as ‘lessons learned’ that will help you understand what to do and not to do as you’re developing code. Contact SAFECode and read our guidance documents, as they reflect the collected experiences and wisdom of some of the industry’s leading software security experts.”
Development leaders can use the SAFECode guidance documents to help plan their next steps.
For example, two recent white papers created by SAFECode members, on threat modeling and on third-party components, were inspired by real-world industry needs: organizations design and build complex software, and seek to rely on code they didn’t develop to achieve efficiency without sacrificing security.