Channels ▼


SafeCode Releases Guidelines for Secure Code

The Software Assurance Forum for Excellence in Code (SAFECode) has released Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today. Based on an analysis of the individual software assurance efforts of SAFECode members, the freely available paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security.

The guide describes each identified security practice across the software development lifecycle -- Requirements, Design, Programming, Testing, Code Handling and Documentation -- and offers implementation advice based on the experiences of SAFECode members. (SAFECode members include EMC, Juniper Networks, Microsoft, Nokia, SAP AG, and Symantec.) The secure development practices defined in the paper are as diverse as the SAFECode membership, spanning web-based, shrink-wrapped and database applications, as well as operating systems and embedded systems.

"SAFECode has brought together some of the most experienced software assurance professionals in the industry to move us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered, " said Paul Kurtz, executive director of SAFECode. "We have documented and released these secure development practices in an effort to help others in the industry initiate or improve their own software assurance programs and encourage the industry-wide adoption of the secure development methods outlined in this paper. "

A review of the software assurance methods used by SAFECode's membership revealed that there are corresponding security practices that can improve software security and integrity for each stage of the software development lifecycle. The examination of these vendor practices reinforces the assertion that software assurance must be addressed throughout the software development lifecycle in order to be effective and not treated as a one-time event.

"Software vendors have both a responsibility and a business incentive to ensure product assurance and security," said Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft's Trustworthy Computing Group and a primary contributor to the paper. "By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry highly actionable advice for improving software security to the benefit of both our colleagues and customers."

The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.