RSA Conference

    Developing with Security: Blog


    Feb 01, 2008

    RSA Conference Europe Podcast: Hugh Thompson!

    Hugh Thompson is Chief Security Strategist at People Security, and a talented security expert, author, and speaker. His session was "The Buzz About Fuzz: A Powerful Way to Find Software Vulnerabilities."

    listen / download now (10:45)

    Oct 29, 2007

    SAFECode

    Tim M. Mather, Chief Security Strategist, RSA Conference

    This week at RSA Conference Europe a new software assurance effort was launched. For IT companies and customers, software assurance has lately risen considerably in visibility. The U.S. Department of Defense’s (DoD) Defense Science Board Task Force on Software Assurance has been meeting for months on the subject. Additionally, the Information Assurance Technology Analysis Center completed a report this summer on software security assurance (“Software Security Assurance: A State of the Art Report,” released on July 31st, 2007) for DoD. And, the House of Lords in the United Kingdom released a high profile report entitled “Personal Internet Security” on August 10th, 2007. On software assurance, that House of Lords report states:

    8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

    Liability for software! Now that’s a notion that very quickly gets software companies’ attention. These reports are a reflection of growing industry and government concerns about the state of software assurance. Further subjective evidence about these worries is found in the nascent but growing software assurance testing segment of the industry (for example, companies such as Coverity, Fortify Software, and Veracode – amongst others).

    There is consensus that software assurance is a major issue, growing in importance as software increasingly controls important functions in our daily lives – and as that software grows increasingly complex. However, as of now, there is no consensus on how to effectively meet these challenges. The Department of Defense, for example, is reportedly considering restrictions on where software is produced – as determined by whether the company is American or foreign-owned. According to industry, however, software is a global effort, and restrictions on where software is produced would lead to significant problems, as well as some rather absurd situations. For example, it would apparently be acceptable for an American company to develop software for the DoD in India, but it would be unacceptable for a French company to develop software for the DoD in the United States.

    In response to the growing awareness of this problem, five major companies in the IT sector announced a new initiative this week, named SAFECode, at RSA Conference Europe in London. The Software Assurance Forum for Excellence in Code (SAFECode) has EMC, Juniper Networks, Microsoft, SAP, and Symantec as its founding members. SAFECode has named Paul Kurtz, an information security veteran, to the position of executive director.

    At Wednesday’s press conference, there was some legitimate skepticism about the need for this particular group, who its members are (or more accurately, are currently not), what its activities would be and how effective they will be.

    There are already several established efforts to bolster software assurance, such as the Build Security In initiative from the U.S. Department of Homeland Security; the non-profit Open Web Application Security Project (OWASP); and the SANS Institute’s Security Software Institute. Additionally, existing trade and lobbying groups (e.g., the ITAA – Information Technology Association of America; and the CSIA – Cyber Security Industry Alliance) already promote software assurance. So what is it SAFECode will do that these other efforts are not already doing? Do we really need yet another industry organization? And, why are some industry heavyweights conspicuously absent (most notably, Cisco, IBM, and Oracle)?

    According to Paul Kurtz, SAFECode is not a lobbying organization, and is not a standards body. SAFECode is a group of significant industry members looking to promote “best practices” (a phrase that always scares me – whose “best practices”?) amongst themselves, while encouraging other industry companies to become members, and then working with academia to promote better education of developers, as well as working with customers (government and private sector) to better understand their needs and concerns. In Wednesday’s press conference, Paul acknowledged the concerns about the organization as it initially exists, but stated that this opening announcement should not be construed as a finished effort. Quite the opposite: Paul emphasized that the announcement of SAFECode’s formation is only the initial step in what he and its founding members plan to grow into a much more significant effort.

    I certainly see no harm in the formation of SAFECode, and expect that at an absolute minimum it will further raise awareness about this important issue. The challenge that SAFECode now faces is its own assurance that it is not merely a public relations event, but will substantively contribute to effectively assuring software development.

    Aug 07, 2007

    RSA® Conference 2007 Audio Session

    Demand for these sessions was so high at this year's US conference that we're providing the audio recordings for all to enjoy for free. Download the session audio files below, and enjoy!


    DEV-105 The Application Security Debate: Tools and Techniques

    listen/download now > (1:09:10)


    DEV-302 Fundamental Security Changes in Windows Vista

    listen/download now > (1:08:21)


    Comment: Thank you.

    Name: Sheran

    URL: www.sheelf.com

    Aug 07, 2007

    Our List of Top Blogs for Developing with Security

    Here is a list of bloggers that comment frequently on Developing with Security.

    Matasano Chargen: Thomas Ptacek 
    Internal Security, the security industry, full disclosure, OS X security, security testing tools, and reverse engineering

    DevCentral by Lori MacVittie
    Random ruminations from a Web 2.0 expert

    Zero in a Bit (Veracode)
    Group blog from application security experts from Veracode

    Web Information Security - Stay Secure

    Please send us your recommendations for other blogs that cover Developing with Security.


    Comment: This is a nice posting. I really like this post.

    Name: Modulesoft

    URL: http://www.modulesoft.com/

    © 2008 RSA Conference