Fresh advice on building safer software
SAFECode updates best practices for secure development
- By William Jackson
- Feb 08, 2011
An industry group promoting reliability in commercial software has updated a set of guidelines for secure software development, with a focus on validating the results of recommended practices.
The second edition of “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today,” written by the Software Assurance Forum for Excellence in Code, is based on real-world tools and reflects advances in secure software development since the original report was published in 2008.
“The process of building secure software has continued to evolve and improve,” said SAFECode Executive Director Paul Kurtz. “The second edition of the paper aims to disseminate the new knowledge SAFECode has gathered and provide new tools and improved guidance for those implementing the paper’s recommended practices.”
SAFECode framework addresses software supply chain integrity
The new edition contains additional information on each best practice, using Common Weakness Enumeration (CWE) references to identify specific software weaknesses addressed by each practice and offer verification guidance.
“It wasn’t always obvious how to tell if you are doing it right,” SAFECode board member Brad Arkin said of the original guidelines. The new notes on verification allow users to ensure that recommended practices have been followed during development of software.
CWE is an identification scheme created by Mitre Corp. to provide a common way of identifying and talking about software weaknesses. “By mapping our recommended practices to CWE, we wish to provide a more detailed illustration of the security issues these practices aim to resolve and a more precise starting point for interested parties to learn more,” the document states.
Two sections from the original publication on training and supply chain security, which have since been addressed in separate reports, have been eliminated in the second edition.
The guidelines are not meant to be a comprehensive blueprint for secure software development but to provide a foundation of practices, already in use by member companies, that have been shown to be effective.
Basic secure coding practices identified in the report include:
- Minimizing the use of unsafe string and buffer functions.
- Validating input and output to mitigate common vulnerabilities.
- Using robust integer operations for dynamic memory allocation and array offsets.
- Using anti-cross scripting libraries.
- Using canonical data formats.
- Avoiding string concatenation for dynamic SQL statements.
- Eliminating weak cryptography.
- Using logging and tracing.
Arkin, who also is senior director of product security and privacy for Adobe, said the quality of commercial software is becoming more of an issue for developers and vendors.
“People who are developing software are paying a lot of attention to this,” he said, adding that he now has difficulty recruiting developers because of the increased competition for people who have the necessary skills. “I feel like the investment in security has been increasing. As an industry there is awareness that security really is a priority.”
But despite progress, security remains a challenge, he said.
“I think we’re gaining,” he said. “But the bad guys aren’t standing still. Unfortunately, the other side of the coin is that offensive techniques are advancing as well.”
William Jackson is freelance writer and the author of the CyberEye blog.