When I started EMC’s product security initiative more than eight years ago, useful information on the topic was scarce and my technical bookshelf was limited to “Writing Secure Code” by Microsoft’s Michael Howard and David LeBlanc, some work from Cigital’s Gary McGraw and an interview of Oracle’s MaryAnn Davidson.
A lot of work has been published since, and anyone with the mission to start a software security initiative in a technology company today is overwhelmed by the amount of resources available. However, little information has been published on what actually works, or on the most effective secure software development practices used by the more mature organizations.
Since 2007, under the SAFECode umbrella, EMC and other technology leaders have collaborated to accelerate the adoption of secure software development practices in the industry by publishing reports on practices that have proven to work for SAFECode members. Earlier this week, SAFECode released a very useful and actionable guide for improving software security entitled “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today.” It details secure software development practices that have been shown to be effective among SAFECode members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp.
The 50+ page report is a critical milestone in SAFECode’s mission of encouraging the industry-wide adoption of what SAFECode believes to be the most fundamental secure development methods. It draws on the individual software security efforts of SAFECode members, but, rather than creating an endless inventory, it provides a consensus view among SAFECode members of effective practices in critical areas of secure software development:
- Secure design principles
- Secure coding practices
- Testing recommendations
- Technology recommendations
My bookshelf is now much more crowded than it was in 2003, but I will make sure that this report holds a premium spot on it. I recommend it to anybody involved in developing software or in rolling out a software security program. Let me know if you find a good spot on your bookshelf for this report.