SAFECode guide advises developers on secure practices
October 8, 2008 —
The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit industry-led organization, is preaching what it practices with a new security best-practices guide.
SAFECode’s “Fundamental Practices for Secure Software Development,” released today, is based on security measures taken by its member companies, which include EMC, Juniper, Microsoft, SAP and Symantec. It outlines secure development practices that can be applied across divergent development environments.
“[The guide] moves us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered,” said Paul Kurtz, executive director of SAFECode.
“Fundamental Practices for Secure Software Development” offers security practices for each phase of the development life cycle, defined by SAFECode as requirements, design, programming, testing, code handling and documentation. SAFECode said that during requirements definition, product managers should account for time to engage in secure development practices, and the development and QA staff should be trained in secure development prior to product release. The key to a secure software design process is threat analysis, which can find potential issues that might not be found with techniques like code reviews or static analysis.
“Threat analysis helps find issues before code is committed so they can be mitigated as early as possible in the software development life cycle,” SAFECode’s guide states. “For example, rather than wait for an analysis tool to potentially find injection vulnerabilities, it’s better for a development team to realize that their product may be vulnerable to these issues and put in place defenses and coding standards to reduce the risk from the start.”
To ensure security in the programming phase, SAFECode members said they minimize unsafe function use, work with static and dynamic analysis tools, do manual code review, and validate input and output.
Testing methods used by SAFECode members include fuzz testing, penetration testing and automated testing tools. Fuzz testing relies on building intentionally malformed data and seeing how the software responds when given that data. The code integrity phase should consist of least privilege access, separation of duties and chain of custody. Finally, the guide states that before deploying software, administrators should know the “security posture” of the software, including which ports to allow through a firewall or operating system changes.
“By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry advice for improving software security,” said Michael Howard, principal security program manager with Microsoft’s Trustworthy Computing Group.
Related Search Term(s): security, SAFECode
Share this link: http://sdt.bz/32955
Most Read Latest News Blog Resources
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Zeichick’s Take: Radio moves from analog waveforms to digital packets
Streaming radio highlights the need for streaming applications to be designed to take up as little bandwidth as possible
|
|
Appcelerator Acquires Cocoafish to Add Instant Mobile Cloud Capabilities to its Industry Leading Titanium Platform
Appcelerator Offers Messaging, Social, Location and Storage Mobile Cloud Services to All Mobile App Publishers
|
|
ComponentOne Releases a Collection of 40+ UI Widgets Powered by HTML5 and jQuery
ComponentOne has announced the 2012 release of Wijmo: a kit of UI widgets for HTML5 and jQuery development
|
Taking enterprise architecture to the business side
Startup Corso is bringing out a cloud-based planning platform that ties into business plans
|
|
Top five apps to manage your workload
Web applications offer new ways to track your “to-do” lists
|
|
Not so fast when it comes to testing in the cloud
Developers face outsourcing, virtual lab management and mobile devices as obstacles
|
|
Xceed releases UX-focused suite for Microsoft’s WPF
"Blendables" helps match user experiences to developer visions
|
Are you at risk for burnout?
Burnout is a severe problem and it can strike at any time. Here's how to tell if you are nearing the edge.
|
|
Agility, mom, and apple pie
If we're to evaluate the state-of-the-art in software development, we should start with the values espoused in the Agile Manifesto.
|
|
RIM woos developers with free tablet
How do you get more apps ported to the BlackBerry PlayBook? By giving every developer a free tablet, of course!
|
|
GitHire: Use Headhunters to Find Your Perfect Programmer
Are you a hiring manager tired of scouring the job boards? Check out this new service that will find 5 people interested in your jobs.
|
The Hidden Costs of Software Licensing
Moving beyond paper-based software licensing to more flexible, software-based licensing is a business decision. There is a growing trend tow...
|
|
Case Study: You May Need a Development Mechanic
As a contractor for a major financial player in Germany, SOBEGE, a German-based consultancy specializing in embedded IT and web services, wa...
|
|
Ensuring Software Quality at a Major International Bank
One of the world’s leading international banks has adopted AgitarOne technology for delivering generated unit tests for their Java software...
|
|
Load Testing Adobe Flex Applications
Adobe Flex applications may be different from applications you’ve worked with before. For classic HTML web applications, the server does all...
|