Microsoft, Juniper, others in coding consortium issue guidelines for safer applications

An industry consortium dedicated to assuring the security of software has issued guidelines to lower the risk that vulnerabilities that could be exploited by attackers will wind up in finished code.

In particular, the Software Assurance Forum for Excellence in Code (SAFECode) is addressing how to prevent vulnerabilities that may worm their way in during the Agile software development process.

MORE: SAP designs facility for 'agile' cloud application development 

RELATED: 'Rugged Manifesto' promotes secure coding 

Agile is a framework for incremental software development by teams that work together in stages called sprints to develop the first iteration of code then revisit it regularly to refine the product based on new requirements and input from users.

SAFECode's new paper, "Practical Security Stories and Security Tasks for Agile Development Environments," presents Agile teams with a list of specific goals they may be trying to achieve at the outset and tasks necessary to achieve each one.

These tasks are refined at the end of each sprint in preparation for the next one, but they set Agile teams on a path that will lead to a safer end product, says Edward Bonvar, a principal senior software engineer at Symantec who participates in SAFECode. The organization is made up of some major vendors: Adobe, EMC, Juniper, Microsoft, Nokia, SAP, Siemens and Symantec.

The paper lays down 36 goals Agile teams may wish to pursue while working on software products and is meant to supplement an earlier best practices paper written by the group. These goals are gleaned from the experiences of coding teams within SAFECode's members as effective ways to approach Agile coding.

Called stories, these specific goals are written in plain language and from a particular perspective. For example, one story reads: "As a(n) architect/developer, I want to ensure AND as [quality assurance], I want to verify that cross-site scripting attacks are prevented."

The story is accompanied by a set of tasks to accomplish this goal, each one marked with the category of team members who should work on each task. One task associated with the story in the example above is directed toward developers and testers and reads: "[D/T] When generating dynamic web pages, filter the input for any browser-executable content that is not intended (for example, from user-originated fields in a database). Consider all forms of input of content that might eventually be presented to and consumed by a browser, like events generated outside the system, log messages, arguments in a URL, form field values, etc. Perform this filtering at server-side, close to use."

Depending on how much is accomplished toward that goal after the first sprint, it may remain as a task for the next one or be refined to address new issues that crop up. The task list is meant to guide Agile teams toward accomplishing goals that will lower risk of vulnerabilities, but not by setting down a rigid set of steps that may not be applicable to all projects.

"Incorporating security in Agile was a challenge," for SAFECode member companies, Bonvar says. "They decided to share their experiences, what they had success doing."

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place