Posts Tagged ‘Microsoft’

Assessing the Security of Acquired Software: One size does not fit all!

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

The following post was co-authored with Steve Lipner from Microsoft and originally posted on the SAFECode blog.

Customers frequently ask all software developers – including SAFECode members – how they can be confident in the security of the software they acquire. We are well aware that acquired software can introduce new vulnerabilities into IT environments and that risk managers need a method for assessing the security of the IT products they procure and the impact those products may have on the organization’s risk posture. (more…)

Secure Software is Getting High Level Attention

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

On May 15th and 16th in Washington, D.C. hundreds of secure software practitioners gathered for the first Security Development Conference organized by Microsoft. What made this conference unique was not so much the focus on secure software practices as it was the quality of the speakers and of the attendees.

(more…)

Happy Anniversary to Microsoft Trustworthy Computing Initiative

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

Ten years ago this month, Bill Gates issued a memo to all Microsoft employees announcing the Trustworthy Computing Initiative. Development was halted for several weeks to review code and to train Microsoft software engineers on security. This memo was later followed by the publication of Microsoft’s Security Development Lifecycle, as well as the release of multiple security tools. Michael Howard from Microsoft recently provided in a blog post an insider view of this anniversary. Let me share with you my views on the impact of Microsoft’s security push on EMC and on the industry as a whole.

(more…)

Secure Software Development Practices: Make Room on your Bookshelf

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

When I started EMC’s product security initiative more than eight years ago, useful information on the topic was scarce and my technical bookshelf was limited to “Writing Secure Code” by Microsoft’s Michael Howard and David LeBlanc, some work form Cigital’s Gary McGraw and an interview of Oracle’s MaryAnn Davidson.

A lot of work has been published since and anyone with the mission to start a software security initiative in a technology company today is overwhelmed with the amount of resources available. However, little information has been published on what works and on the most effective secure software development practices used by the more mature organizations.

Since 2007, under the SAFECode umbrella, EMC and other technology leaders have collaborated to accelerate the adoption of secure software development practices in the industry by publishing reports on practices that have proven to work for SAFECode members. Earlier this week, SAFECode released a very useful and actionable guide for improving software security entitled “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today.” It details secure software development practices that have shown to be effective among SAFECode members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Microsoft Corp., Nokia, SAP AG and Symantec Corp.

The 50+ page report is a critical milestone in SAFECode’s mission of encouraging the industry-wide adoption of what SAFECode believes to be the most fundamental secure development methods. It outlines the individual software security efforts of SAFECode members, but, rather than creating an endless inventory, it provides a consensus view of the SAFECode members of effective practices in critical areas of secure software development:

  • Secure design principles
  • Secure coding practices
  • Testing recommendation
  • Technology recommendation

My bookshelf is now much more crowded than it was in 2003, but I will make sure that this report will hold a premium spot on it. I recommend it to anybody involved in developing software or in rolling-out a software security program. Let me know if you find a good spot on your bookshelf for this report.