
SAFECode guide advises developers on secure practices




October 8, 2008
The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit industry-led organization, is preaching what it practices with a new security best-practices guide.

SAFECode’s “Fundamental Practices for Secure Software Development,” released today, is based on security measures taken by its member companies, which include EMC, Juniper, Microsoft, SAP and Symantec. It outlines secure development practices that can be applied across divergent development environments.

“[The guide] moves us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered,” said Paul Kurtz, executive director of SAFECode.

“Fundamental Practices for Secure Software Development” offers security practices for each phase of the development life cycle, defined by SAFECode as requirements, design, programming, testing, code handling and documentation. SAFECode said that during requirements definition, product managers should account for time to engage in secure development practices, and the development and QA staff should be trained in secure development prior to product release. The key to a secure software design process is threat analysis, which can find potential issues that might not be found with techniques like code reviews or static analysis.

“Threat analysis helps find issues before code is committed so they can be mitigated as early as possible in the software development life cycle,” SAFECode’s guide states. “For example, rather than wait for an analysis tool to potentially find injection vulnerabilities, it’s better for a development team to realize that their product may be vulnerable to these issues and put in place defenses and coding standards to reduce the risk from the start.”

To ensure security in the programming phase, SAFECode members said they minimize unsafe function use, work with static and dynamic analysis tools, do manual code review, and validate input and output.

Testing methods used by SAFECode members include fuzz testing, penetration testing and automated testing tools. Fuzz testing relies on building intentionally malformed data and seeing how the software responds when given that data. The code integrity phase should consist of least privilege access, separation of duties and chain of custody. Finally, the guide states that before deploying software, administrators should know the “security posture” of the software, including which ports to allow through a firewall and which operating system changes to make.

“By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry advice for improving software security,” said Michael Howard, principal security program manager with Microsoft’s Trustworthy Computing Group.

