SAFECode Blog

Archive for the ‘Development Practices’ Category

Security, Integrity and Authenticity: The Tripod of Software Assurance

Friday, July 24th, 2009

As a follow-up to the release of SAFECode’s paper, “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain,” I thought I would elaborate on a core concept of the report: the definition of software integrity and how it relates to software assurance.

Software assurance is most frequently discussed in the context of ensuring that code itself is more secure through the repeatable application of secure software development practices.  These practices, however, only represent one aspect of software assurance.

SAFECode defines software assurance as “confidence that software, hardware and services are free from intentional and unintentional vulnerabilities and that the software functions as intended.”  To achieve software assurance, suppliers take action in three key areas:

•    Security: Security threats are anticipated and addressed in the software’s design, development and testing.
•    Authenticity: The software is not counterfeit and customers are able to confirm that they have the real thing.
•    Integrity: The processes for sourcing, creating and delivering software contain controls to enhance confidence that the software functions as the supplier intended.
untitled1

SAFECode’s recent paper on software supply chain integrity provides a framework for analyzing and describing the efforts of vendors to ensure software integrity. I think of the difference between secure development practices and software integrity practices this way: Secure development practices address the security characteristics of the code itself, while software integrity practices address the security of the process used to source, build, test and deliver the code.

Software integrity practices complement secure development practices by minimizing the risk of malicious code being intentionally inserted in the global software supply chain.  They represent one leg of the software assurance tripod.  Software integrity, authenticity and security together form a sound basis for confidence that software is free from intentional and unintentional vulnerabilities and that the software functions as intended.

Next time: We’ll take a closer look how software integrity practices relate to the global software supply chain.

Posted in Development Practices, Software Integrity, Supply Chain | No Comments »

Guest Blogger: Marrying Scrum and Security

Tuesday, May 19th, 2009

Hello, this is Antti Vähä-Sipilä from Nokia.  I thought I’d use my first entry here as a guest blogger to talk about marrying software security and Scrum, an area which has recently kept me busy.

I’ve seen many people claim that agile methods and security are mutually exclusive, as ‘agile’ is interpreted as ‘laissez-faire’.  I don’t buy this as Scrum is actually quite strict.  There’s a better argument, though: As every Scrum sprint is different, mandating a specific security engineering activity in every sprint is counterproductive to agility.  This is probably true.

The key observation was therefore to distinguish between actual engineering activities, such as those listed in the SAFECode Fundamental Practices for Secure Software Development paper, and security risk management, which is all about meeting an acceptable level of business risk.  Scrum is a management model, and therefore, we really ought to be concerned about how risk management fits Scrum.

And after all, in Scrum, an enormous amount of trust is placed on the team. They should know best how to do the actual engineering, and to make sure they do, providing all sorts of software security training and support is necessary.

So, a scheme is required where the traditional security business risk management practices can be built into the management practices in Scrum. First, you need to identify the threats; second, you need to decide on the controls (which may be engineering practices as well, not just design decisions or features). What you’ll have left is residual risk - the part of the risks that haven’t been fully mitigated or terminated - and that has to be acceptable to the business owner.

As it happens, Scrum readily gives a lot of structure where these risk management practices can be implemented. The most complex one of these was the threat analysis part, which, when done properly, is a bit too large of an effort to squeeze into the sprint planning session.  At the moment, the best proposal I’ve seen is that sprint planning only identifies the largest risks - typically those having most impact in terms of engineering - and the detailed threat analysis would be done by the team as they see fit, most likely early in the sprint.

Deciding on the controls would be done by the end of the sprint, depending on how the team organises their work. The team has three options for each identified threat: either they add new sprint backlog items and address them during the current sprint, or they postpone the work by adding product backlog items, or they make a first-level risk acceptance decision by choosing to do nothing.

The third phase, approving the residual risk, fits the sprint review. The team makes the lowest level business decision by determining whether they feel they’re ‘done’ with the sprint backlog given all the threats they’ve found, and the controls they’ve implemented. If they agree, the residual risk can then be approved by the product owner, who is also the business owner. If a product is comprised of the outputs of several Scrum teams, residual risk acceptance for particularly hard decisions can still percolate higher up if necessary.

This model has some very nice properties: if the team feels that they cannot accept a risk but they still don’t have enough time to mitigate it during the current sprint, producing a product backlog item will automatically escalate this to the product owner, and require the product owner to prioritise it for later sprints. In addition, flagging a sprint backlog item ‘not done’ in the sprint review gives the Scrum team power to voice their concerns over open security risks.

For this to work, the Scrum team does need to be acutely aware of security engineering and software security issues, and especially the threat analysis part needs to be prudently done. Security specialists should be on call. Luckily, an ideal Scrum team is also an ideal mentoring environment for security, but that will probably be a topic of another post later.

Posted in Development Practices | 1 Comment »

RSA Wrap-up; Thanks for the Feedback

Monday, May 4th, 2009

Finally catching up after the RSA Conference.  It was a fantastic week for SAFECode, which we kicked off with a board of directors meeting.  The board discussed some exciting projects we’ve planned for the next few months on issues such as software integrity in the global supply chain, measurability and software assurance R&D, and I am looking forward to sharing more details on these as they progress.

Another highlight of the conference was our panel discussion around our paper on Fundamental Practices for Secure Development.  We had a expert group of speakers representing some of our member companies: Steve Lipner, Microsoft; Reeny Sondhi, EMC; Wesley Higaki, Symantec; Gunter Bitz, SAP; and Paul Kurtz, our executive director who moderated the discussion.  And while the panelists were great, it was really the audience feedback that made the experience so rewarding.


After the discussion, members of the audience thanked us for the paper and presentation and let us know that they had started implementing our recommendations in their own efforts. This feedback from actual practitioners meant a lot because it demonstrates that we are having the impact we hope to achieve with this work.   Our members are sharing the lessons they have learned from their own secure development efforts so that we can help others in the industry start or refine their own internal software assurance programs.  Hearing first hand that others are finding practical value from these efforts further strengthens our commitment to sharing our experiences and continuing to refine and update our development practices paper.

In fact, in an effort to keep the paper as relevant and useful as possible, we are currently accepting feedback on its recommendations via an online comment process.  If you have worked to implement some of our methods or have ideas of your own, we’d love to hear from you.

Posted in Development Practices | 1 Comment »

Seeking Comments on Development Practices Recommendations; Released New Paper on Training

Monday, April 20th, 2009

Today is an exciting day for SAFECode – two new announcements, a new blog to talk about them in, and a board of directors meeting.

We have brought our members together for a board meeting at the RSA Conference to hammer out some details on our current projects, plan our future efforts and meet with some members of our International Board of Advisers.  It should be a good day of brainstorming, idea-sharing and networking.

We are also issuing a call for public comments on our paper “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today.” Based on an analysis of the individual software assurance efforts of SAFECode members, this paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security.

We’ll be updating the paper in late 2009 and would like to give software security experts outside of our membership a chance to provide comments.  This will not only expand our frame of reference, but will also give those who have put some of the paper’s recommendations into action a chance to provide feedback.  Based on the feedback we have received, we really think this paper has the potential to help others in the industry with their own secure development efforts, as well as shed some light for customers on the practical steps leading software companies are taking to help ensure software security.  We believe opening up the paper to experts outside the membership will only make it stronger and we look forward to the seeing the feedback.

So we encourage you to submit your comments – we’ll be accepting them until July 31.  And, if you are at the RSA Conference and would like to learn more about this paper, we’ll be giving an overview in a panel discussion on Wednesday.

We also just released a paper outlining a framework for building a corporate training program on secure software development.  We have found that all of our members have internally developed training programs to support their software assurance programs, so we wanted to see what these programs had in common.  While it is clear that training programs are most effective when they are customized to corporate needs, we were able to uncover a number of fundamental principles that all of our members’ programs share and we hope that providing this insight is useful to anyone who might be thinking about starting their own training initiatives.

I will be at the RSA Conference all week, along with many of our SAFECode members.  Any of us would be happy to answer any questions on SAFECode, so let me know if you want to meet up.

Posted in Development Practices, Training | 2 Comments »

© 2007-2009 Software Assurance Forum for Excellence in Code (SAFECode) - All Rights Reserved