
SAFECode: How to ensure you're buying safe software
Greene, Tim . Networks Asia ; Newton (Nov 26, 2015): n/a.


ABSTRACT
 
To come up with those questions, SAFECode polled its members - which include Adobe Systems, CA Technologies,
EMC, Intel, Microsoft, SAP, Siemens and Symantec - for the types of documentation they offer customers. The
main standard, ISO 27034, is available for vendors to comply with, but so far there is no third-party review process
to verify that they actually meet the standard, says Howard Schmidt, executive director of SAFECode and former
cybersecurity advisor to the White House under President Obama.

FULL TEXT
 
It's hard to figure out how secure software is but the Software Assurance Forum for Excellence in Code
(SAFECode) has issued guidelines to make it easier, especially for businesses trying to decide which products to
buy.
The industry group published a white paper, "Principles for Software Assurance Assessment", that recommends
questions corporate software buyers should ask their suppliers beforehand so they wind up with products less
likely to be riddled with security flaws.
One of the big problems these buyers may face is that they don't know the relevant questions to ask, says Eric
Baize, SAFECode chairman and Senior Director, Product Security and Trusted Engineering for EMC.
To come up with those questions, SAFECode polled its members - which include Adobe Systems, CA Technologies,
EMC, Intel, Microsoft, SAP, Siemens and Symantec - for the types of documentation they offer customers. It also
asked prominent businesses that buy software what they find useful to ask and information they find useful to
receive from the vendors, the paper says.
The concerns raised by customers and suppliers reveal that they often aren't on the same page even though they
both want the same thing - assurance that software is secure and reliable.
For example, customers say they need to understand whether a software vendor has a secure development
process and whether it was applied to the product they are considering buying.
At the same time, software vendors say there is no agreement on what specifically customers should ask for, and
that some of what they do ask for doesn't actually line up with real-world secure development practices, the paper
says.
On the side of customers, SAFECode recommends first figuring out what kind of vendor they are dealing with.
Some don't have well established software assurance programs or won't say what their assurance process is.
Others have well-developed programs that are based on standards. Still others have sound processes but that
aren't based on international standards.
For the first group, SAFECode recommends using assessment tools such as binary-code analysis. For the second,
the buyer should obtain documentation that the vendor actually meets the standards it claims to follow.
For the third group, the paper recommends getting the answers to how vendors test and improve the security of
their products and how they measure those factors. They should ask whether developers are required to train in
software security practices and whether the security of their work is reviewed and approved by managers.

PDF GENERATED BY SEARCH.PROQUEST.COM Page 1 of 3

Vendors should demonstrate they employ a formal process for fixing vulnerabilities they find and that they
collaborate with customers to fix flaws found after sale of products.
One problem is that the relevant standards are still developing and may not be approved for years yet, Baize says.
The main standard, ISO 27034, is available for vendors to comply with, but so far there is no third-party review
process to verify that they actually meet the standard, says Howard Schmidt, executive director of SAFECode and
former cybersecurity advisor to the White House under President Obama.
"Today it's a Wild West," he says. "There's a huge burden on suppliers. Buyers aren't always looking at the right
thing."
Credit: By Tim Greene

DETAILS

Subject: Software industry; Licensing; Standards

Title: SAFECode: How to ensure you're buying safe software

Author: Greene, Tim

Publication title: Networks Asia; Newton

Pages: n/a

Publication year: 2015

Publication date: Nov 26, 2015

Publisher: Questex, LLC

Place of publication: Newton

Country of publication: United States, Newton

Publication subject: Computers--Computer Networks

Source type: Trade Journals

Language of publication: English

Document type: News

ProQuest document ID: 1736481755

Document URL: http://www.espaciotv.es:2048/referer/secretcode/docview/1736481755?accountid=142712

Copyright: Copyright Questex Media Group LLC Nov 26, 2015

Last updated: 2016-02-04



Database: ProQuest Central

Database copyright 2020 ProQuest LLC. All rights reserved.
