SAFECode guide advises developers on secure practices
Stories Columns Opinions Resources
Microsoft makes 'M' interoperable with OMG software
Although Microsoft did not adopt OMG's MetaObject Facility specification, the M modeling l...
|
TeamCity 4.0 breaks down build procedures for testing
JetBrains' latest continuous integration server and distributed build manager can evaluate...
|
IBM releases Jazz-based requirements definition tool set
Rational Requirements Composer brings requirements definition to the beginning of the life...
|
Web services debate: SOAP up or REST easy?
With Web 3.0 approaching, developers are weighing the costs and benefits of SOAP (and its ...
|
Industry Watch: Opening the door ... carefully
Security is not just for keeping the bad guys out, but for also letting the good guys in. ...
|
SOA Watch: New economic realities
In the current economic downturn, agile programming and SOA are attractive options that bu...
|
Integration Watch: A new twist on threads
The key to raising the efficiency of multiprocessors is to shrink the overall workload by ...
|
Integration Watch: The Return of NetRexx?
Java scripting languages are seeing a surge in popularity, with NetRexx looking particular...
|
Guest View: HATs off to content management
Document help writers face two choices: using HATs or CMSes. While CMSes are newer, they a...
|
From the Editors: Keep watching the clouds
Just because Amazon's EC2 is the first cloud platform to hit the market doesn't mean it is...
|
Zeichick's Take: PC Magazine and the changing media world
PC Magazine, one of the most venerable and respected computer magazines in the United Stat...
|
From the Editors: Election should shake up JCP
Rod Johnson has the right ideas for opening up the Java Community Process, and he may be a...
|
Advanced Corda CenterView™ Data Visualization for the BusinessObjects™ Intelligence Platform
Corda Technologies presents a white paper on pervasive BI. The BusinessObjects business in...
|
From Mobile to SOA: A Guide for Optimized Application Deployment
Customer need has driven the emergence of multiple computing tiers. Today’s application d...
|
e-Kit: Web Application Security
Is your network secure? What about your web applications.
If IT security is your top p...
|
Practical tips for saving money on code maintenance
If software design is expensive, well, code maintenance is even more so. When you look...
|
By Jeff Feinman
October 8, 2008 —
The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit industry-led organization, is preaching what it practices with a new security best-practices guide.
SAFECode’s “Fundamental Practices for Secure Software Development,” released today, is based on security measures taken by its member companies, which include EMC, Juniper, Microsoft, SAP and Symantec. It outlines secure development practices that can be applied across divergent development environments.
“[The guide] moves us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered,” said Paul Kurtz, executive director of SAFECode.
“Fundamental Practices for Secure Software Development” offers security practices for each phase of the development life cycle, defined by SAFECode as requirements, design, programming, testing, code handling and documentation. SAFECode said that during requirements definition, product managers should account for time to engage in secure development practices, and the development and QA staff should be trained in secure development prior to product release. The key to a secure software design process is threat analysis, which can find potential issues that might not be found with techniques like code reviews or static analysis.
“Threat analysis helps find issues before code is committed so they can be mitigated as early as possible in the software development life cycle,” SAFECode’s guide states. “For example, rather than wait for an analysis tool to potentially find injection vulnerabilities, it’s better for a development team to realize that their product may be vulnerable to these issues and put in place defenses and coding standards to reduce the risk from the start.”
To ensure security in the programming phase, SAFECode members said they minimize unsafe function use, work with static and dynamic analysis tools, do manual code review, and validate input and output.
Testing methods used by SAFECode members include fuzz testing, penetration testing and automated testing tools. Fuzz testing relies on building intentionally malformed data and seeing how the software responds when given that data. The code integrity phase should consist of least privilege access, separation of duties and chain of custody. Finally, the guide states that before deploying software, administrators should know the “security posture” of the software, including which ports to allow through a firewall or operating system changes.
“By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry advice for improving software security,” said Michael Howard, principal security program manager with Microsoft’s Trustworthy Computing Group.
Related Search Term(s): security, SAFECode
Share this link: http://www.sdtimes.com/link/32955