[ISN] SAFECode on software assurance

From: InfoSec News (alerts@private)
Date: Thu Feb 14 2008 - 09:34:25 PST


http://www.gcn.com/online/vol1_no1/45811-1.html

By William Jackson
GCN.com
02/13/08

An information technology industry group formed to develop and share 
best practices for secure software development has released its first 
paper, outlining the core practices being used by member companies.

The Software Association Forum for Excellence in Code (SAFECode) was 
announced in October as a way to enhance communications between software 
companies. Many companies have internal programs to improve the quality 
of the code they are producing, but a lack of communications has limited 
their effectiveness, said former White House cybersecurity adviser Paul 
Kurtz, executive director of SAFECode.

The paper [1], titled Software Assurance: An Overview of Current 
Industry Best Practices, is the groups first product.

As the initial step in our efforts, SAFECode has identified the 
assurance best practices that have proven to be effective across its 
member companies, Kurtz said.

Founding members of SAFECode are EMC, Juniper Networks, Microsoft, SAP 
and Symantec.

The group acknowledged the difficulty of prescribing security processes 
across the technology industry. Not surprisingly, there is no single 
method for driving security and integrity into and across the globally 
distributed processes that yield technology products and services, the 
report said. Yet, regardless of the method used, there is a core set of 
best practices for software assurance and security that apply to diverse 
development environments.

?By sharing this information, we hope to encourage the adoption of these 
types of practices by other software developers and respond to the 
growing customer desire for greater visibility into the steps technology 
vendors are taking to continually improve the security of their 
products, Kurtz said.

The paper identifies and explains security best practices and controls 
currently used by SAFECode members:

    * Security training: A prerequisite to coding secure software is for 
      engineers to be knowledgeable about information security issues 
      affecting users.

    * Defining security requirements: Requirements must be defined in 
      the early stages of product development.

    * Secure design: The early design phase must identify and address 
      potential threats to the application and ways to reduce those 
      risks.

    * Secure coding: The product development team must implement secure 
      programming practices.

    * Secure source code handling: The integrity and confidentiality of 
      source code must be protected.

    * Security testing: Specialized validation should be implemented to 
      ensure that security requirements, secure design and coding 
      guidelines are followed.

    * Security documentation: Documentation for users should help 
      customers understand how to optimally configure security controls, 
      and how configuration options could produce potential security 
      vulnerabilities.

    * Security readiness: Prior to releasing a product, the application 
      developer must evaluate, document and assess risks posed by 
      potential security gaps in the product.

    * Security response: An incident response mechanism must be in place 
      to relay reports of security vulnerabilities (exploited or not) 
      after the product is released to the product development or 
      sustaining teams for mitigation.

    * Integrity verification: Products must offer customers methods to 
      verify that the software they have acquired is from their trusted 
      vendor.

    * Security research: Ongoing research should be conducted into new 
      threat vectors and ways to mitigate them.

    * Security evangelism: Leaders in the area of software assurance 
      should promote the use of best practices by discussing their 
      practices and findings in open forums, articles, papers and books.

Vendors who have implemented these best practices have seen dramatic 
improvements in software product assurance and security, Kurtz said.

Beyond development by the vendor, the paper also outlines the 
responsibilities of integrators, who must work with vendors to mitigate 
vulnerabilities that could be introduced when an application is 
integrated into a heterogeneous environment; operators, who must ensure 
that systems remain properly configured and patched and protect them 
from intrusion; and end users, who should report bugs and not introduce 
untrusted software into systems.

[1] http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf


___________________________________________________      
Subscribe to InfoSec News
http://www.infosecnews.org/mailman/listinfo/isn 



This archive was generated by hypermail 2.1.3 : Thu Feb 14 2008 - 09:49:50 PST