15 February 2011

Fundamental Practices for Secure Software Development

SAFECode, a non-profit organisation whose members include some of the major software vendors, has published the second edition of their Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.

Partial view of the SAFECode report cover for 'Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today'.

The updated and extended 2nd edition is a significant improvement on the previous version, but focuses only on the secure design, secure coding and testing stages of development, together with some separate recommendations concerning technologies. The previous information on training and secure code handling no longer forms part of this paper, as those topics are addressed in other SAFECode publications. Thus the paper concentrates on what SAMM (the Software Assurance Maturity Model) would consider to be construction and verification functions, and not the governance or deployment functions. But the SAFECode document provides more prescriptive, detailed advice than SAMM. Perhaps only the three secure design principles (threat modelling, use of least privilege and implementing sandboxing) are similar in concept to SAMM's level of granularity; the remaining items would fit well within secure coding guidelines for developers.

Helpfully, the principles and practices have been cross-referenced with the Common Weakness Enumeration (CWE) list of software weaknesses, and links to verification resources such as references, tools and tutorials have been provided. It is also probably worth reading the SAFECode paper in conjunction with other guidance on application security programmes, e.g. those mentioned in earlier posts on this site.

SAFECode has asked for comments and contributions.

Posted on: 15 February 2011 at 09:00 hrs


http://www.clerkendweller.com/2011/2/15/Fundamental-Practices-for-Secure-Software-Development



© 2011-2012 clerkendweller.com