Strengthening Software at the Source
A movement to strengthen software development quality-control standards has been growing. To help with the development of such standards, the nonprofit Software Assurance Forum for Excellence in Code (SAFECode) recently released its first best practices paper. It describes methods used by the group’s members during each stage of software development.
The best practices described in the report have proven effective for participants, says Paul Kurtz, SAFECode executive director, who adds that he hopes other developers will follow suit. “If you’re not paying attention to source code, it’s an obvious attack vector,” he says.
Some recent studies show the problem’s scope. Late last year, application-testing specialist Cenzic found that as many as seven in 10 Web-based applications possessed vulnerabilities. Many of these vulnerabilities stem from architectural and design flaws, according to the Santa Clara, California-based firm.
The best practices paper divides development risks into three main categories: accidental design errors; the continued increase in hacking and exploitation tools; and malicious insiders aiming to harm vendors or users.
In looking at solutions, SAFECode takes a holistic approach, says Kurtz, examining “the whole ecosphere,” including not just the applications, but the operating databases, training, and security-related software.
One best practice category is the training of engineers, which Kurtz calls “one of the most germane [sections] for the audience.” Some vendors use outside trainers while others rely on in-house staff. Others use online training programs. Subjects studied range from effective threat modeling to avoiding cross-site-scripting vulnerabilities to handling unsafe phone calls from inside and outside of the company.
Another section focuses on secure source-code handling, or protecting its integrity and confidentiality. This requires strong change-management practices and strict authorization policies to ensure that code can only be accessed and changed by qualified staff.
The paper also discusses development-related testing. Such testing can involve vulnerability analysis, penetration testing, and the use of techniques such as “fuzzing,” or varying external inputs to identify weaknesses such as buffer overflows. Many of the participants rely on independent testers.
Testing companies have been generating better tools in recent years, says Kurtz. “The market’s responding and working,” he says, citing companies that specialize in code testing such as Burlington, Massachusetts-based Veracode and San Mateo, California-based Fortify.
SAFECode was founded by a handful of firms including Microsoft Corp., EMC Corp., Symantec Corp., SAP Corp., and Juniper Networks.