Saturday, February 16, 2008

Current Industry Best Practices for Software Assurance: SAFECode


From Leigh Honeywell Presentation on Writing Secure Software
Source http://www.globalnerdy.com/tag/leigh-honeywell/

The Software Assurance Forum For Excellence in Code (SAFECode) has recently published a white paper on software industry best practices for software assurance. The forum is led by Paul Kurtz. Before SAFECode, Mr. Kurtz successfully led the Cyber Security Industry Alliance (CSIA) to raise awareness of information security assurance by coordinating the effort with network security vendors such as ISS, Symantec, RSA and others. Now Mr. Kurtz leads the software security assurance forum of software security vendors such as EMC, Juniper, Microsoft, SAP and Symantec. Michael Howard of Microsoft is also chair of the Development Processes working group within SAFECode. Quoting Michael on his blog: "SAFECode is a great example of 'industry helping industry,' because it is led by people who have 'been there, done that' and have the battle scars to prove it."
The white paper on software security gives software vendors guidance on the software security disciplines that should be followed to build, deploy and support secure software products.
I summarize the disciplines here, with emphasis on the best practices:
  1. Train application developers on software security issues
  2. Define the security requirements, including those for secure design, coding and testing of a product, early in the Software Development Lifecycle (SDLC)
  3. Enforce security by design by identifying design flaws and addressing potential threats to the application with countermeasures so that risks can be mitigated before coding
  4. Follow secure coding best practices and secure coding standards during product development
  5. Protect the integrity and the confidentiality of source code under development from unauthorized changes and disclosure of intellectual property
  6. Security test products/applications to verify that they meet security requirements, as early as during design as well as during implementation
  7. Document the software and vulnerability management processes, such as how software vulnerabilities found by others can be disclosed and how the application/product needs to be configured and deployed securely
  8. Validate and document security risks, such as with a security control gap analysis, prior to product release
  9. Document the security incident response processes for handling any potential vulnerabilities, notify the appropriate team of incidents, and mitigate the vulnerabilities
  10. Enforce trustworthy use of software. Offer customers a way to verify that the product being acquired indeed comes from a trusted vendor
  11. Research new software threats and countermeasures
  12. Evangelize software security by promoting the use of software assurance best practices and by discussing these in open forums as well as by publishing articles, papers and books.
On the resource page of the SAFECode site you can also download the current "state-of-the-art" document on software security assurance. It collects recommendations and best practices for building software security into the SDLC and, in particular, a more in-depth variety of techniques and technologies in use in government, industry, and academia for specifying, acquiring, producing, assessing, and deploying secure software.
In some sections of this document there are references to my previous work on Software Security Frameworks that I did on behalf of Foundstone, as well as references to this blog. Even if I am not working for a software vendor anymore (the last time was between 1998 and 2001, developing software for ISS), I am practicing most of these software security best practices in my day-to-day working activities, and I also advocate for software security initiatives within the bank (Citigroup) where I currently work as Technology Information Security Officer. On point 12 in particular, I am committed to evangelizing software security on this blog and through OWASP, publications, participation in conferences, etc.
