A set of actionable recommendations released by the Software Assurance Forum for Excellence in Code (SAFECode) provides a framework for organizations to extend risk management strategies to include the security of purchased software.
“We've been working on the ability to have a set of understandings that organizations need to make code secure,” Prof. Howard A. Schmidt, executive director of SAFECode, told SCMagazine.com. Schmidt stressed that the recommendations, released by the forum Tuesday, are “not a silver bullet” but rather represent “a lot of parts coming together that everyone can use,” from small companies to large, to gauge the quality and security of software. “Now we have something that works with big suppliers and smaller suppliers.”
To date, there has not been a way for organizations, whether software vendors or their customers, to assess software security. SAFECode Chairman Eric Baize, senior director of product security and trusted engineering at EMC Corporation, told SCMagazine.com that the recommendations in the group's “Principles for Software Assurance Assessment” are timely because standards are lacking and vendors follow different software assurance processes.
Not all suppliers have adopted a secure software development process, Baize said, noting that larger SAFECode members like Microsoft have more mature processes in place while many smaller companies don't. “What we realized a while ago is that we also need to find a way for customers to understand how much has been put in process by the vendor.”
The SAFECode framework, created by software suppliers and their customers, provides guidance for IT buyers, recommending that they take “a tool-driven approach, such as binary code analysis tools,” according to a release.
For more mature suppliers with software assurance processes in place but no international standard to follow, SAFECode offers recommendations in three categories: secure software development and integration practices, product security governance, and the vulnerability response process.
To assess secure development and integration practices, the non-profit forum recommends evaluating the techniques vendors use, such as threat modeling, sandboxing and static code analysis. To assess governance, the recommendations include determining whether a vendor requires security training, reviews and signs off on security measures, and offers a documented vulnerability remediation process.
When it comes to vulnerability response, vendors should be open with customers who identify flaws and collaborate with them. The group also advises looking for “a transparent and expedient mechanism” for discovering and reporting vulnerabilities and submitting CVEs.
Throughout the years, when discovering and dealing with vulnerabilities, “we wound up seeing the same thing over and over again,” said Schmidt. “This is going to collapse that.”
The recommendations will also create a framework that makes dealing with new vulnerabilities easier and quicker.
“If something does happen then you have the best companies in the world” working on it, said Schmidt. “It gives you the ability to [work] with your peers and rectify things bigger and faster than one company doing it.”