SAFECode: Writing Secure Code – learning from each other

During RSA Europe an industry forum called SAFECode (Software Assurance Forum for Excellence in Code) was announced "to identify and share software assurance best practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks". I was really excited that I had the opportunity to represent Microsoft during the press conference at RSA as this is – from my point of view – a significant move for the industry. SAFECode was founded by some heavyweights in the software development industry: EMC2, Juniper, Symantec, SAP, and Microsoft.

Over the last few years we have invested significantly in our Security Development Lifecycle (SDL). We make the experience we gained available in different forms:

But this is different. Key people from Microsoft and other companies are coming together to share the best practices and learn from what worked and what did not. From our side, there are people involved like Steve Lipner (one of the "fathers" of SDL) and Michael Howard (Writing Secure Code). The outcome should be better processes as well as a way to integrate this kind of process into education and training. This is really great and I am excited to see this moving forward.

The press coverage was already pretty significant and positive:

SAFECode is neither a standards body nor a lobbying association. Instead it has been formed as a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods.

As a collaborative effort of leading technology companies committed to software assurance excellence, SAFECode provides a forum for subject matter experts to come together to work on some of the most challenging issues faced by the industry. There is no single solution or "right way" to address software assurance. Indeed, there are many different ways to succeed. SAFECode provides an opportunity to bring the best methods together in a manner that helps vendors, governments and critical infrastructures better manage risk.

Every technology vendor has a stake in the global effort to improve the security and reliability of the greater cyber ecosystem. If you are a vendor committed to driving security, privacy and integrity in software, hardware and services, then you belong in SAFECode. We are looking for hands-on members who want to benefit from the experiences of others and actively contribute to advancing the art of software assurance.

Roger