I attended the announcement today at the RSA Conference Europe where Microsoft, Symantec, Juniper, SAP and EMC Corporation launched the SAFECode initiative. SAFECode is an industry initiative founded by the above companies to develop and promote better software assurance practices amongst the world’s developers. Each of the above companies will make available their expertise and experience to introduce methodologies for developers to employ in “ensuring that software functions as intended without introducing vulnerabilities, malicious code, or defects that can bring harm to the end user.”
Anything that promotes better security in the applications and the systems that we use is a welcome move. Microsoft has done a lot of work in this area with the Trusted Computing initiative (see previous blog post), which is demonstrated in Vista being their most secure operating system to date. So others building on this experience and expertise will hopefully bring dividends to us all.
However, this is not the first initiative that has been launched in recent years to promote more secure software development. There is of course the excellent Open Web Application Security Project (OWASP) which is an open community initiative, the SANS Institute has its Security Software Institute and the US Department of Homeland Security and CERT launched their Build Security In initiative.
SAFECode claims it will work with these other organisations to help better develop best practice guidelines, and also says that being an industry-led initiative will help promote better software assurance.
The cynics amongst you may say this is just another initiative by software companies to pay lip service to software security, and that the recent House of Lords report on Personal Internet Security, calling for software vendors to be liable for the bugs in their code, may also have been a driver for this.
I think any initiative which enables companies to share best practice and expertise is a welcome move. The criminals are moving away from attacking the operating system layer towards attacking the applications we use, and are actively sharing information on how to exploit vulnerabilities and attack our systems. So it is about time we shared information on how to protect our systems. Let's see what SAFECode delivers within the next few months, and hopefully they can prove the cynics wrong.