LOGIN | REGISTER NOW | SUBSCRIBE
 
 
News on Monday
more>>
SharePoint Tech Report
more>>


   

 
 
Download Current Issue
ISSUE 7/1/2009 PDF

Need Back Issues?
DOWNLOAD HERE

Receive the print Edition?


 
Is the mystery Borland suitor Serena?
Borland software is considering an offer from another company after a preliminary deal with MicroFocus. Is Serena the new company?
06/30/2009 01:55 PM EST

Windows 7 - An eBayer's dream product?
Windows 7 pre-orders can make people money on eBay.
06/29/2009 03:48 PM EST

Know thine cloud provider
Cloud computing require companies to understand compliance and regulation. Third parties will play a big role in regulated industries.
06/29/2009 02:58 PM EST

 

Microsoft Worldwide Partner Conf.
7/13/2009 to 7/16/2009
New Orleans
Microsoft

OSCON (Open Source Convention)
7/20/2009 to 7/24/2009
San Jose
O'Reilly Media

XBRL Technology Workshop & Summit
7/28/2009 to 7/30/2009
Santa Clara
XBRL US

ACM SIGGRAPH
8/3/2009 to 8/7/2009
New Orleans
ACM SIGGRAPH

OpenSource World (formerly LinuxWorld)
8/12/2009 to 8/13/2009
San Francisco
IDG World Expo


 
print Printable version 
Most Read Latest News Blog Resources
Kapow automates website data retrieval
Kapow Technology's Web Data Server 7.0 can be used to create modules that navigate through...

Oracle's Fusion 11g lays groundwork for ERP platform
Fusion's components are standards-based and integrated, but some abilities are lost if non...

COBOL’s future lies in the clouds
After 50 years of use in businesses, COBOL is still lingering around mainframes. But the s...

Digg!  Digg
Reddit  Reddit
Slashdot  Slashdot
Share on facebook  Facebook
Share on Twitter  Twitter

SAFECode guide advises developers on secure practices


By Jeff Feinman
October 8, 2008 — 
The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit industry-led organization, is preaching what it practices with a new security best-practices guide.

SAFECode’s “Fundamental Practices for Secure Software Development,” released today, is based on security measures taken by its member companies, which include EMC, Juniper, Microsoft, SAP and Symantec. It outlines secure development practices that can be applied across divergent development environments.

“[The guide] moves us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered,” said Paul Kurtz, executive director of SAFECode.

“Fundamental Practices for Secure Software Development” offers security practices for each phase of the development life cycle, defined by SAFECode as requirements, design, programming, testing, code handling and documentation. SAFECode said that during requirements definition, product managers should account for time to engage in secure development practices, and the development and QA staff should be trained in secure development prior to product release. The key to a secure software design process is threat analysis, which can find potential issues that might not be found with techniques like code reviews or static analysis.

“Threat analysis helps find issues before code is committed so they can be mitigated as early as possible in the software development life cycle,” SAFECode’s guide states. “For example, rather than wait for an analysis tool to potentially find injection vulnerabilities, it’s better for a development team to realize that their product may be vulnerable to these issues and put in place defenses and coding standards to reduce the risk from the start.”

To ensure security in the programming phase, SAFECode members said they minimize unsafe function use, work with static and dynamic analysis tools, do manual code review, and validate input and output.

Testing methods used by SAFECode members include fuzz testing, penetration testing and automated testing tools. Fuzz testing relies on building intentionally malformed data and seeing how the software responds when given that data. The code integrity phase should consist of least privilege access, separation of duties and chain of custody. Finally, the guide states that before deploying software, administrators should know the “security posture” of the software, including which ports to allow through a firewall or operating system changes.

“By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry advice for improving software security,” said Michael Howard, principal security program manager with Microsoft’s Trustworthy Computing Group.


Related Search Term(s): securitySAFECode


Share this link: http://www.sdtimes.com/link/32955
 

Add comment


Name*
Email*  
Country     


  • Comment
  • Preview
Loading