SAFECode guide advises developers on secure practices

By Jeff Feinman

October 8, 2008 — The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit industry-led organization, is preaching what it practices with a new security best-practices guide.

SAFECode’s “Fundamental Practices for Secure Software Development,” released today, is based on security measures taken by its member companies, which include EMC, Juniper, Microsoft, SAP and Symantec. It outlines secure development practices that can be applied across divergent development environments.

“[The guide] moves us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered,” said Paul Kurtz, executive director of SAFECode.

“Fundamental Practices for Secure Software Development” offers security practices for each phase of the development life cycle, defined by SAFECode as requirements, design, programming, testing, code handling and documentation. SAFECode said that during requirements definition, product managers should account for time to engage in secure development practices, and the development and QA staff should be trained in secure development prior to product release. The key to a secure software design process is threat analysis, which can find potential issues that might not be found with techniques like code reviews or static analysis.

“Threat analysis helps find issues before code is committed so they can be mitigated as early as possible in the software development life cycle,” SAFECode’s guide states. “For example, rather than wait for an analysis tool to potentially find injection vulnerabilities, it’s better for a development team to realize that their product may be vulnerable to these issues and put in place defenses and coding standards to reduce the risk from the start.”

To ensure security in the programming phase, SAFECode members said they minimize unsafe function use, work with static and dynamic analysis tools, do manual code review, and validate input and output.

Testing methods used by SAFECode members include fuzz testing, penetration testing and automated testing tools. Fuzz testing relies on building intentionally malformed data and seeing how the software responds when given that data. The code integrity phase should consist of least privilege access, separation of duties and chain of custody. Finally, the guide states that before deploying software, administrators should know the “security posture” of the software, such as which ports to allow through a firewall or which operating system changes are needed.

“By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry advice for improving software security,” said Michael Howard, principal security program manager with Microsoft’s Trustworthy Computing Group.

