Ages ago, a few companies founded SAFECode – an organization to help improve security in software development. In many cases, they publish genuinely interesting work which can be leveraged by organizations.
Steve Lipner (one of the developers of the Security Development Lifecycle at Microsoft) and Eric Baize, EMC, just published an interesting post on Assessing the Security of Acquired Software: One size does not fit all! – it is worth reading.
However, in my world they cover only half of the story. One half is how we can manage the risk of introducing faulty software into our environment – a risk definitely worth looking at and managing. However, if I look at my management and my stakeholders (and my risk exposure), we are all at least as interested in how I can manage the risk of an organization deliberately compromising my supply chain. It is not only about the NSA compromising routers or software – it goes broader than that. Most software and hardware is developed and manufactured either in the US or in Asia, and I guess there are a lot of interested parties in these geographical areas (as there are in the rest of the world). On the contractual side you can do a lot – and we do, with a lot of success – but against a deliberate compromise a contract does not really help.
We are currently applying different methods to try to find such deliberately introduced vulnerabilities, but what can we really do? I mean “really” in the sense of efficiency and with a reasonable cost/benefit?