The Software Assurance Forum for Excellence in Code (SAFECode) has released a paper which analyzes the individual software assurance efforts of SAFECode members.
The paper is entitled "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today." It analyzes each identified security practice across the software development cycle and offers implementation advice based on the experience of SAFECode members.
The paper studies secure development practices that can be applied across diverse development environments to improve software security.
"Software vendors have both a responsibility and a business incentive to ensure product assurance and security," said Michael Howard (News - Alert), principal security program manager for Microsoft's Trustworthy Computing Group and a primary contributor to the paper.
By sharing the practices of its members with the larger software community, SAFECode hopes to encourage the adoption of best practices that can be implemented effectively across different product requirements and development methodologies.
SAFECode is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode members include EMC Corporation, Juniper Networks, Microsoft Corporation, Nokia, SAP AG and Symantec Corporation.
"SAFECode has brought together some of the most experienced software assurance professionals in the industry to move us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered," said Paul Kurtz, executive director of SAFECode.
Kurtz added that by documenting and releasing these secure development practices, SAFECode hoped to encourage other companies to improve their software assurance programs, leading to adoption across the industry of the secure development methods outlined in the paper.
As part of the effort to encourage other companies to develop these best practices, the paper describes each identified security practice across the software development lifecycle -- Requirements, Design, Programming, Testing, Code Handling and Documentation -- and offers implementation advice based on the experiences of SAFECode members.
The paper discusses how each stage of the software development lifecycle has corresponding security practices that can improve software security and integrity. It concludes that, to be effective, software assurance must be addressed throughout the software development lifecycle rather than treated as a one-time event.
Sources said that the secure development practices mentioned in the paper were meant to be as diverse as possible and spanned Web-based, shrink-wrapped and database applications, as well as operating systems and embedded systems.
SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.
Nitya Prashant is a contributing editor for TMCnet.
Edited by Michelle Robart