Code Security: SAFECode report highlights best practices

A new report from the Software Assurance Forum for Excellence in Code (SAFECode) sheds new light on how vendors are trying to work more secure coding into the product development process.

The vendors contributing to the report are SAFECode members who have enjoyed some success in reducing the frequency of attacks against its technology, including EMC Corp., Juniper Networks, SAP and Microsoft. But the organization also includes companies that continue to have an uphill climb, most notably Adobe Systems.

Also see “Code security: A survival guide”

Despite its efforts to write more ironclad software, Adobe has taken heavy criticism for the number of vulnerabilities attackers have been able to exploit. In a recent interview with CSO, Adobe security chief Brad Arkin admitted the company has a lot of work to do, but that part of the problem is the wide attack surface that comes with a technology almost everyone uses.

In an interview with CSO last week, SAFECode Executive Director Paul Kurtz acknowledged that 100 percent secure code may be impossible to achieve, and that companies will always deal with some level of vulnerability. But, he said, the new report at least offers a roadmap of examples other companies can use to make their own development procedures better than they are now.

“Software assurance is most commonly discussed in terms of security engineering, or in other words, building security into the software as it is being developed,” he said. “But another important aspect of assurance is securing the supply chain processes for software sourcing, development and distribution to protect the integrity of delivered software.”

SAFECode’s latest paper deals specifically with this area and represents the first industry-led effort to identify and analyze the software integrity controls used by software vendors to protect software from the insertion of vulnerabilities as it moves along the global supply chain, he added.

Among the actions worth pursuing to improve security in the supply chain, SAFECode members recommend:

• Vendor contracts that include stronger language on the responsibilities and expectations of vendors and suppliers. “The written agreement must explicitly state the expectations as well as the consequences of any non-compliance with the terms of the agreement,” the report said.
• Vendor technical integrity controls for suppliers that address everything from secure transfer of code, sharing of system and network resources, malware scanning and secure storage.
• More rigorous security testing with static code analysis tools, network and web application vulnerability scanners, binary code analysis tools, malware detection tools that can discover such problems as backdoor holes; and security compliance validation tools.

The report reflects a growing trend in the infosec community that relies less on bolt-on defenses and more on well-written software code. The code security trend is reflected in

• the Rugged software movement;
• BSIMM, the Building Security In Maturity Model;
• Microsoft’s Security Development Lifecycle (SDL);
• the growth of OWASP, the Open Web Application Security Project;
• and the emergence of new secure application development certifications such as the CSSLP from ISC2.