Secure Coding
Greene, Tim. Networks Asia; Newton (Nov 26, 2015): n/a.
ABSTRACT
To come up with those questions, SAFECode polled its members - which include Adobe Systems, CA Technologies,
EMC, Intel, Microsoft, SAP, Siemens and Symantec - for the types of documentation they offer customers. The
main standard, ISO 27034, is available for vendors to comply with, but so far there is no third-party review process
to verify that they actually meet the standard, says Howard Schmidt, executive director of SAFECode and former
cybersecurity advisor to the White House under President Obama.
FULL TEXT
It's hard to figure out how secure software is, but the Software Assurance Forum for Excellence in Code
(SAFECode) has issued guidelines to make it easier, especially for businesses trying to decide which products to
buy.
The industry group published a white paper, "Principles for Software Assurance Assessment", that recommends
questions corporate software buyers should ask their suppliers beforehand so they wind up with products less
likely to be riddled with security flaws.
One of the big problems these buyers may face is that they don't know the relevant questions to ask, says Eric
Baize, SAFECode chairman and Senior Director, Product Security and Trusted Engineering for EMC.
To come up with those questions, SAFECode polled its members - which include Adobe Systems, CA Technologies,
EMC, Intel, Microsoft, SAP, Siemens and Symantec - for the types of documentation they offer customers. It also
asked prominent businesses that buy software what they find useful to ask and what information they find useful to
receive from vendors, the paper says.
The concerns raised by customers and suppliers reveal that they often aren't on the same page even though they
both want the same thing - assurance that software is secure and reliable.
For example, customers say they need to understand whether a software vendor has a secure development
process and whether it was applied to the product they are considering buying.
At the same time, software vendors say there is no agreement on what specifically customers should ask for, and
that some of what they do ask for doesn't actually line up with real-world secure development practices, the paper
says.
On the customer side, SAFECode recommends first figuring out what kind of vendor they are dealing with.
Some don't have well-established software assurance programs or won't say what their assurance process is.
Others have well-developed programs that are based on standards. Still others have sound processes that
aren't based on international standards.
For the first group, SAFECode recommends using assessment tools such as binary-code analysis. For the second,
it recommends asking the vendor to document that it meets the standards it says it follows.
For the third group, the paper recommends getting the answers to how vendors test and improve the security of
their products and how they measure those factors. They should ask whether developers are required to train in
DETAILS
Pages: n/a
Database copyright 2020 ProQuest LLC. All rights reserved.