The Software Assurance Forum for Excellence in Code (SAFECode) has released Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today. Based on an analysis of the individual software assurance efforts of SAFECode members, the freely available paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security.
The guide describes each identified security practice across the software development lifecycle -- Requirements, Design, Programming, Testing, Code Handling and Documentation -- and offers implementation advice based on the experiences of SAFECode members. (SAFECode members include EMC, Juniper Networks, Microsoft, Nokia, SAP AG, and Symantec.) The secure development practices defined in the paper are as diverse as the SAFECode membership, spanning web-based, shrink-wrapped and database applications, as well as operating systems and embedded systems.
"SAFECode has brought together some of the most experienced software assurance professionals in the industry to move us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered, " said Paul Kurtz, executive director of SAFECode. "We have documented and released these secure development practices in an effort to help others in the industry initiate or improve their own software assurance programs and encourage the industry-wide adoption of the secure development methods outlined in this paper. "
A review of the software assurance methods used by SAFECode's membership revealed that there are corresponding security practices that can improve software security and integrity for each stage of the software development lifecycle. The examination of these vendor practices reinforces the assertion that software assurance must be addressed throughout the software development lifecycle in order to be effective and not treated as a one-time event.
"Software vendors have both a responsibility and a business incentive to ensure product assurance and security," said Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft's Trustworthy Computing Group and a primary contributor to the paper. "By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry highly actionable advice for improving software security to the benefit of both our colleagues and customers."
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.