Large software companies have been among the most vocal proponents of improving software security during the development lifecycle, and two recent announcements have highlighted the issue for other developers. On May 14, Microsoft announced its support for and compliance with the international secure development standard ISO 27034, while industry association SAFECode highlighted the launch of its Web-based training program on secure coding practices. Taken together, experts noted, the focus on security from larger software firms sends a strong message to developers, according to eWEEK.
“We believe that companies can’t continue to afford to conduct business online without prioritizing security,” Tim Rains, director of Trustworthy Computing at Microsoft, told eWEEK. “Developers should download the materials, leverage all the tools they can get for free, and look at this ISO standard.”
Microsoft, which made its announcement at its own Security Development Conference, has been a proponent of secure development practices for years, beginning with the 2002 launch of its Trustworthy Computing Initiative, eWEEK noted. That initiative encouraged workers to place security ahead of features. The secure programming standard from ISO (International Organization for Standardization) gives companies an overview of the secure development process and provides guidelines for implementing a secure development lifecycle.
Such practices remain relatively uncommon, with only 37 percent of respondents in a Microsoft survey of IT pros last year saying their organizations built products with security in mind. One of the principal barriers to such practices was reportedly a lack of buy-in from management.
Moving toward safer code
Online coding security class offerings help reverse that trend by educating more developers and their employers on best practices for secure programming. By increasing access to such resources, security advocates are helping to foster a security-first mindset. SAFECode’s new curriculum joins resources such as free courses from Klocwork and others around the Web.
“Having some manager folks – who may not be developers but help manage the groups – understand that this is not something that you build on later, but a necessity that you build in from the outset, is important,” SAFECode executive director Howard Schmidt told eWEEK.
In its 2011 guide, “Fundamental Practices for Secure Software Development,” SAFECode outlined many of the key practices its members use to ensure secure coding and design, including the use of threat modeling, sandboxing, input and output validation and more. One of the essential practices recommended is the use of static analysis tools.
“Static code analysis tools can help to ensure coding mistakes are caught and corrected as soon as possible,” the report noted. “Tools that integrate with development environments are usually considered easier to use and often lead to faster bug resolution; they also help get developers used to identifying security defects as they develop code and before they check in.”
In an advisory post to the National Institute of Standards and Technology (NIST), SAFECode recommended that organizations consider these practices as a baseline, and it also endorsed the use of industry coding standards such as ISO 27034. As support for and guidance on secure development practices continue to emerge from industry experts, developers may want to take note.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.