SAFECode: How to ensure you’re buying safe software

Paper suggests what to ask software vendors about their security practices

It’s hard to figure out how secure software is, but the Software Assurance Forum for Excellence in Code (SAFECode) has issued guidelines to make it easier, especially for businesses trying to decide which products to buy.

The industry group published a white paper, “Principles for Software Assurance Assessment”, that recommends questions corporate software buyers should ask their suppliers beforehand so they wind up with products less likely to be riddled with security flaws.

One of the big problems these buyers may face is that they don’t know the relevant questions to ask, says Eric Baize, SAFECode chairman and Senior Director, Product Security and Trusted Engineering for EMC.

To come up with those questions, SAFECode polled its members – which include Adobe Systems, CA Technologies, EMC, Intel, Microsoft, SAP, Siemens and Symantec – for the types of documentation they offer customers. It also asked prominent businesses that buy software what they find useful to ask and information they find useful to receive from the vendors, the paper says.

The concerns raised by customers and suppliers reveal that they often aren’t on the same page even though they both want the same thing – assurance that software is secure and reliable.

For example, customers say they need to understand whether a software vendor has a secure development process and whether it was applied to the product they are considering buying.

At the same time, software vendors say there is no agreement on what specifically customers should ask for, and that some of what they do ask for doesn’t actually line up with real-world secure development practices, the paper says.

On the customer side, SAFECode recommends first figuring out what kind of vendor they are dealing with. Some don’t have well-established software assurance programs, or won’t say what their assurance process is. Others have well-developed programs that are based on standards. Still others have sound processes that simply aren’t based on international standards.

For the first group, SAFECode recommends using assessment tools such as binary-code analysis. For the second, buyers should ask for documentation showing that the vendor actually meets the standards it claims to follow.
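As an added illustration of what "binary-code analysis" of a delivered product can mean in practice (this is example code written for this article, not SAFECode's tooling or anything from the paper), the script below reads a Linux ELF64 binary and reports whether the toolchain hardening that a secure development process normally mandates is actually present: a non-executable stack (PT_GNU_STACK without PF_X), position independence (e_type == ET_DYN, a precondition for ASLR of the executable), and RELRO, which is only "full" when a PT_GNU_RELRO segment is combined with immediate binding (DT_FLAGS/DF_BIND_NOW or DT_FLAGS_1/DF_1_NOW) so the GOT becomes read-only. The `build_sample_elf` helper fabricates minimal header-only images so the check runs offline; those images are constructed inputs and are not runnable programs. Such a check proves nothing about the absence of vulnerabilities; it is a cheap sanity test of whether the vendor's build actually applied the mitigations it should, and a vendor with no assurance program that ships binaries failing it has answered one of the paper's questions for you.

```python
"""Minimal ELF64 hardening check (example for this article, not SAFECode's tooling).
Reports PIE, NX-stack and RELRO status of a Linux binary. Pass a path to analyse a
real file; with no arguments it analyses two constructed sample images."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3                              # e_type: fixed-address vs position-independent
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_FLAGS, DT_FLAGS_1 = 0, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")           # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")                   # Elf64_Phdr
DYN = struct.Struct("<qQ")                          # Elf64_Dyn (d_tag, d_val)


def analyze_elf(data: bytes) -> dict:
    """Derive PIE / NX / RELRO status from the program headers and the dynamic section."""
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    if e_phentsize < PHDR.size or e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table is malformed or runs past end of file")

    nx = False            # no PT_GNU_STACK at all: the loader falls back to an executable stack
    has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(
            data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            has_relro = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = False
    if dyn_off is not None:
        if dyn_off + dyn_size > len(data):
            raise ValueError("PT_DYNAMIC segment runs past end of file")
        for off in range(dyn_off, dyn_off + dyn_size - DYN.size + 1, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True

    # Without immediate binding the GOT stays writable after startup, so RELRO is only partial.
    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro, "bind_now": bind_now}


def build_sample_elf(pie: bool, nx: bool, relro: str) -> bytes:
    """Constructed sample (assumption for offline use): header-only ELF64 image, not runnable."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X))]
    if relro in ("partial", "full"):
        phdrs.append((PT_GNU_RELRO, PF_R))
    phdrs.append((PT_DYNAMIC, PF_R | PF_W))
    dyn_entries = ([(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []) + [(DT_NULL, 0)]
    dyn_blob = b"".join(DYN.pack(tag, val) for tag, val in dyn_entries)

    phoff = EHDR.size
    dyn_off = phoff + PHDR.size * len(phdrs)
    ph_blob = b"".join(
        PHDR.pack(p_type, p_flags,
                  dyn_off if p_type == PT_DYNAMIC else 0, 0, 0,
                  len(dyn_blob) if p_type == PT_DYNAMIC else 0,
                  len(dyn_blob) if p_type == PT_DYNAMIC else 0, 8)
        for p_type, p_flags in phdrs)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8     # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, phoff, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    return ehdr + ph_blob + dyn_blob


def report(name: str, result: dict) -> str:
    return name + ": " + ", ".join(f"{k}={v}" for k, v in result.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(report(sys.argv[1], analyze_elf(f.read())))
    else:
        print(report("hardened-sample", analyze_elf(build_sample_elf(True, True, "full"))))
        print(report("legacy-sample", analyze_elf(build_sample_elf(False, False, "none"))))
```

Run it as `python3 elfcheck.py /path/to/vendor/binary`; a result with `pie=False` or `relro=none` on a freshly shipped product is a concrete, documentable finding to raise with the vendor alongside the process questions the paper recommends. The parser only trusts offsets after bounds-checking them against the file size, since a buyer running this on untrusted input should not have the analysis tool itself fall over on a malformed header.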

For the third group, the paper recommends asking vendors how they test and improve the security of their products and how they measure those efforts. Buyers should also ask whether developers are required to train in software security practices and whether the security of their work is reviewed and approved by managers.

Vendors should demonstrate they employ a formal process for fixing vulnerabilities they find and that they collaborate with customers to fix flaws found after sale of products.

One problem is that the relevant standards are still developing and may not be approved for years yet, Baize says.

The main standard, ISO 27034, is available for vendors to comply with, but so far there is no third-party review process to verify that they actually meet the standard, says Howard Schmidt, executive director of SAFECode and former cybersecurity advisor to the White House under President Obama.

“Today it’s a Wild West,” he says. “There’s a huge burden on suppliers. Buyers aren’t always looking at the right thing.”
