Need to build secure software? Free help is online.
By William Jackson
May 14, 2013
Agencies whose training budgets have been stretched by funding cuts now have access to a free online course on the basics of secure software development.
The training modules, which will be available as on-demand webcasts, are the first educational materials released by SAFECode, an industry group created to improve security and reliability in software development. The group already has published guidelines based on industry best practices, including guidance for secure software development with a focus on validating results.
The training modules fill a need to keep those actually involved in development up to date on best practices, said SAFECode policy director Stacy Simpson.
“We found that all companies with mature software development programs had in-house training programs,” Simpson said. But good training does not come cheap. “It’s impressive how much they had to invest in the programs.”
The core material in the SAFECode offering is based on course material donated by Adobe, a SAFECode member. Its availability was announced at the Security Development Conference, being held this week in San Francisco.
“We had a team of people do a technical review of the material to ensure it was applicable” for industrywide use, and the final modules were produced by SAFECode, Simpson said.
Since the 1990s, the federal government has been moving away from internally developed or government-specific software and toward the use of off-the-shelf software, so agencies benefit from improved security in commercial software. But government still is a major developer of software, said Howard Schmidt, SAFECode executive director and a former White House cybersecurity coordinator. Training dollars for developers are among the first things to be cut when budgets are tight, however, and staying current with best practices in software engineering can become a challenge.
“This gives them a consistent, harmonized training program at no cost,” Schmidt said.
SAFECode was formed in 2007, when the number of vulnerabilities being reported annually in commercial software was at its peak. Although thousands of vulnerabilities still are being discovered each year, the number has dropped and 2013 is on track to be the slowest year for new vulnerabilities since 2004, according to the Web site CVE Details, which tracks listings in the Common Vulnerabilities and Exposures database maintained by Mitre Corp.
Despite this trend, “we still have a long way to go,” Schmidt said, and training is needed to maintain a baseline for secure development.