The Software Assurance Forum for Excellence in Code (SAFECode) has announced the release of the Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program (Third Edition). The publication is a set of best practices designed to help organizations improve their software assurance programs and encourage adoption of secure development practices.
Some of the topics included in this edition are requirement identification, management of third-party components, security issue management, and vulnerability response and disclosure. It also goes over what organizations need to consider when planning and implementing a successful Secure Development Lifecycle (SDL) program.
Significant revisions in this edition include specific guidance on secure development techniques, guidance on critical security features, the relationship of the security response process to secure development and considerations for planning and implementation of a successful Secure Development Lifecycle (SDL) program.
According to SAFECode, companies should establish a workflow that can help them identify their security requirements. Those security requirements need to be tracked throughout implementation and verification as well, the guide notes. It recommends managing controls as structured data in an Application Development Lifecycle Management system instead of in an unstructured document.
In terms of third-party components, organizations should choose established frameworks and libraries that provide sufficient security for their use cases and are capable of defending against known threats, according to the guide. It cautions organizations not to waste resources and introduce new risks by re-implementing security features native to the framework.
The guide states that discovered vulnerabilities need to be tracked and action should be taken to remediate, mitigate, and accept the risk. “Performing the secure development practices outlined in this document will aid in identifying these weaknesses. However, simply performing these activities is not sufficient. Action should be taken to correct the identified weaknesses to improve the overall security posture of the product,” the guide says.
Organizations also need a strategy to disclose vulnerabilities, particularly those that are publicly disclosed or being actively exploited. Customers should be provided with timely information, guidance, and mitigations or updates to address those vulnerabilities.
The guide also urges organizations to consider the following when planning implementation of an SDL: the culture of the organization; expertise and skill level of the organization; product development model and lifecycle; scope of the initial deployment; stakeholder management and communication; efficiency measurement; SDL process health; and value proposition for the secure development practices.
“As the threat landscape and attack methods continue to evolve, so too have the processes, techniques and tools to develop secure software. Fundamental Practices for Secure Software Development is an essential guide to help address these threats. It is considered by many in the industry as a go-to resource for secure software development best practices,” said Steve Lipner, executive director for SAFECode. “Much has changed and been learned over the last few years and the third edition includes many new updates and additional content.”
While it can be a challenging task to sit down and create a set of best practices for the entire industry, SAFECode says the guide was created from the experiences of organizations that build software that reaches millions of users, and that the principles offered in the guide will be applicable to organizations of varying sizes.
The best practices offered in SAFECode’s guide are currently being practiced by companies such as Dell EMC, Microsoft, Intel, Adobe, Symantec, Siemens AG, and CA Technologies.