Secure Software Development Practices: Make Room on your Bookshelf

When I started EMC’s product security initiative more than eight years ago, useful information on the topic was scarce and my technical bookshelf was limited to “Writing Secure Code” by Microsoft’s Michael Howard and David LeBlanc, some work from Cigital’s Gary McGraw and an interview of Oracle’s MaryAnn Davidson.

A lot of work has been published since and anyone with the mission to start a software security initiative in a technology company today is overwhelmed with the amount of resources available. However, little information has been published on what works and on the most effective secure software development practices used by the more mature organizations.

Since 2007, under the SAFECode umbrella, EMC and other technology leaders have collaborated to accelerate the adoption of secure software development practices in the industry by publishing reports on practices that have proven to work for SAFECode members. Earlier this week, SAFECode released a very useful and actionable guide for improving software security entitled “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today.” It details secure software development practices that have been shown to be effective among SAFECode members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp.

The 50+ page report is a critical milestone in SAFECode’s mission of encouraging the industry-wide adoption of what SAFECode believes to be the most fundamental secure development methods. It outlines the individual software security efforts of SAFECode members, but, rather than creating an endless inventory, it provides a consensus view of the SAFECode members of effective practices in critical areas of secure software development:

  • Secure design principles
  • Secure coding practices
  • Testing recommendation
  • Technology recommendation

My bookshelf is now much more crowded than it was in 2003, but I will make sure that this report will hold a premium spot on it. I recommend it to anybody involved in developing software or in rolling out a software security program. Let me know if you find a good spot on your bookshelf for this report.

About the Author: Eric Baize

Throughout his career, Eric Baize has been passionate about building security and privacy into systems and technology from design to deployment. He currently leads Dell EMC’s Product Security Office and serves as Chairman of SAFECode, an industry-led non-profit organization dedicated to advancing software and supply chain security best practices. At Dell EMC, Eric leads the team that sets the standards and practices for all aspects of product security for the product portfolio: Vulnerability response, secure development, consistent security architecture, and code integrity. Eric joined Dell through its combination with EMC where he built EMC’s highly successful product security program from the ground up and was a founding member of the leadership team that drove EMC’s acquisition of RSA Security in 2006. He later led RSA’s strategy for cloud and virtualization. Prior to joining EMC in 2002, Eric held various positions for Groupe Bull in Europe and in the US. Eric has been a member of the SAFECode Board of Directors since the organization was founded in 2007 and also serves on the BSIMM Board of Advisors. He holds multiple U.S. patents, has authored international security standards, is a regular speaker at industry conferences and has been quoted in leading print and online news media. Eric holds a Masters of Engineering degree in Computer Science from Ecole Nationale Supérieure des Télécommunications de Bretagne, France and is a Certified Information Security Manager. Follow Eric Baize on Twitter: @ericbaize