SAFECode Driving Security and Integrity

Media Contact

Stacy Simpson
SAFECode
stacy at safecode.org
+ 1 703-926-1963

SAFECode In The News

SD Times
From the Editors: Opening up about security
By SD Times Editorial Board
Aug 15, 2010
http://www.sdtimes.com/content/article.aspx?ArticleID=34557&page=1

SD Times
Black Hat conference fields suggestions for software security
By David Worthington
July 28, 2010
http://www.sdtimes.com/content/article.aspx?ArticleID=34518&page=1

SC Magazine
Supply subversion
By Angela Moscaritolo
July 1, 2010
http://www.scmagazineus.com/supply-subversion/article/172654/
Note: Registration is required

SD Times
SAFECode outlines path to complete code integrity
By Katie Serignese
June 28, 2010
http://www.sdtimes.com/SAFECODE_OUTLINES_PATH_TO_COMPLETE_CODE_INTEGRITY/By_Katie_Serignese/About_SAFECODE/34445

Dark Reading
Why Can't Johnny Develop Secure Software?
By Tim Wilson
June 16, 2010
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=225700320&cid=RSSfeed_DR_News

ThreatPost
New Study Sees Need for Better Software Integrity Controls
By Dennis Fisher
June 14, 2010
http://threatpost.com/en_us/blogs/new-study-sees-need-better-software-integrity-controls-061410?utm_source=Threatpost&utm_medium=Tabs&utm_campaign=Today%27s+Most+Popular

Government Computer News
Software supply chain security is target of industry group best practices
By Bill Jackson
June 14, 2010
http://gcn.com/articles/2010/06/14/safecode-supply-chain.aspx

Dark Reading
New Paper Outlines Potential Vulnerabilities In Software Supply Chain
By Tim Wilson
June 14, 2010
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=225700096&cid=RSSfeed_DR_News

CSO Magazine
Code Security: SAFECode report highlights best practices
By Bill Brenner
June 14, 2010
http://www.csoonline.com/article/596686/code-security-safecode-report-highlights-best-practices

SC Magazine
SAFECode releases software integrity guidance
By Dan Kaplan
June 14, 2010
http://www.scmagazineus.com/safecode-releases-software-integrity-guidance/article/172477/

ComputerWeekly.com
Software Producers Work Together to Turn the Tide on Cybercrime
June 9, 2010
http://www.computerweekly.com/Articles/2010/06/09/241506/Software-producers-work-together-to-turn-the-tide-on.htm

InformationWeek
Securing the Cyber Supply Chain
November 7, 2009
http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=221600499

NetworkWorld
Cybersecurity Supply Chain Management
October 28, 2009
http://www.networkworld.com/community/node/46844

HELP NET SECURITY
Adobe Joins SAFECode
September 29, 2009
http://www.net-security.org/secworld.php?id=8214

VNU/IT Week (UK)
Industry group tackles software supply chain attacks
July 21, 2009
http://www.v3.co.uk/v3/news/2246464/safecode-moves-reduce-supply

Government Computer News
SAFECode framework addresses software supply chain integrity
July 21, 2009
http://gcn.com/articles/2009/07/21/safecode-framework-software-suppy-chain-integrity.aspx

SC Magazine
Industry group releases software integrity framework
July 21, 2009
http://www.scmagazineus.com/Industry-group-releases-software-integrity-framework/article/140348/

IT Business Edge Blog
Group Addresses Software Supply Chain Attacks
July 22, 2009
http://www.itbusinessedge.com/cm/community/news/sec/blog/group-addresses-software-supply-chain-attacks/?cs=34317

The Security Development Lifecycle Blog
Working with SAFECode to Help Secure the Software Supply Chain
July 22, 2009
http://blogs.msdn.com/sdl/default.aspx

RSA Speaking of Security Blog
Securing the Software Supply Chain – Industry Releases Framework for Addressing Challenges
July 27, 2009
http://www.rsa.com/blog/blog_entry.aspx?id=1497

RSA Conference 365
Podcast: The Software Supply Chain and SAFECode
July 27, 2009
https://365.rsaconference.com/blogs/podcast-series-policy-and-government/2009/07/24/podcast-the-software-supply-chain-and-safecode

Experts Announce Agreement on the 25 Most Dangerous Programming Errors - And How to Fix Them
Agreement Will Change How Organizations Buy Software.
January 12, 2009
http://www.sans.org/top25errors/?utm_source=web&utm_medium=text-ad&utm_content=Announcement_Bar_20090111&utm_campaign=Top25&ref=37029

SearchSoftwareQuality.com
Secure software development practices 'not rocket science'
Dec. 3, 2008
http://searchsoftwarequality.techtarget.com/news/article/0,289142,sid92_gci1340940,00.html

ComputerWeekly.com
Industry experts to advise on software assurance
Oct. 29, 2008
http://www.computerweekly.com/Articles/2008/10/29/232959/industry-experts-to-advise-on-software-assurance.htm

InfoWorld
Martin Heller’s Strategic Developer Blog
Oct. 8, 2008
http://weblog.infoworld.com/stratdev/archives/2008/10/new_report_outl.html

SD Times
SAFECode Guide Advises Developers on Secure Practices
Oct. 8, 2008
http://www.sdtimes.com/SAFECODE_GUIDE_ADVISES_DEVELOPERS_ON_SECURE_PRACTICES/About_SECURITY_and_SAFECODE/32955

Dr. Dobb’s Journal
SafeCode Releases Guidelines for Secure Code
Oct. 8, 2008
http://www.ddj.com/security/210800440

TMCNet
New Paper Studies Development Practices that Improve Software Security
Oct. 8, 2008
http://sip-trunking.tmcnet.com/topics/security/articles/42233-new-paper-studies-development-practices-that-improve-software.htm

SC Magazine UK Edition
May, 2008
http://www.scmagazine.com/uk/news/article/804392/software-safe-design/
Software: Safe by design
A new industry alliance promises to pave the way for more secure software. Is SAFECode what we've been waiting for?

Government Computer News
Oct. 23, 2007
http://www.gcn.com/online/vol1_no1/45286-1.html
IT industry creates secure coding advocacy group

vnunet.com
Oct. 23, 2007
http://www.vnunet.com/itweek/news/2201841/industry-launches-initiative
Tech industry launches initiative to boost software security
A major new industry initiative could ensure the quality and security of software

SearchSecurity.com
Oct. 23, 2007
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1278401,00.html
Tech vendors team up for secure software development

Dark Reading
Oct. 23, 2007
http://www.darkreading.com/document.asp?doc_id=137004&WT.svl=wire_1
Major Vendors Form SAFECode

eWEEK.com
Oct. 24, 2007
http://www.eweek.com/article2/0,1895,2206100,00.asp
Tech Foes Join Forces for Secure Code

Computerworld (UK)
Oct. 24, 2007
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=5813
RSA 2007: Software firms to share security best practice
SAFECode is first industry-led shared security effort

FederalNewsRadio -- Daily Debrief with Amy Morris
Oct. 25, 2007
http://www.federalnewsradio.com/?sid=1278706&nid=364
(Radio Interview)
The "Justice League" of IT Security

Silicon.com (UK)
Oct. 24, 2007
http://software.silicon.com/security/0,39024655,39168921,00.htm
Tech giants team up for secure software

 


 

Press Release -- Brainstorm 2020: A Vision for Software Security

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703-812-9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

Announcing ‘Brainstorm 2020: A Vision for Software Security’ at Black Hat USA 2010

SAFECode Hosting Community Brainstorm to Gather Forward-Thinking Ideas on How to Improve Software Security

Arlington, Va. - July 8, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, will be hosting ‘Brainstorm 2020: A Vision for Software Security’ on Tuesday, July 27, 2010 from 5:00 p.m. to 6:30 p.m. at the Black Hat USA 2010 conference, Caesars Palace, Las Vegas. This open mic, community-style brainstorm is designed to cultivate a dialogue that will help define a shared vision for software security and identify new, forward-looking approaches to achieving that vision.

SAFECode invites those interested in advancing software security to come to the event and share their thoughts on two key questions:

  • What should our vision be for software security in 2020?
  • What are your ideas for leap-ahead approaches to advance software security over the next ten years?

Members of SAFECode, who represent the leadership of product security initiatives in some of the world’s largest IT companies, will be on hand to join in the brainstorm and to gather new ideas for future work. Participating SAFECode members include:

  • Steve Lipner, Senior Director of Security Engineering Strategy, Microsoft Corporation
  • Brad Arkin, Director of Product Security and Privacy, Adobe Systems Incorporated
  • Gary Phillips, Senior Director, Standard Tools and Technologies, Symantec Corporation
  • Janne Uusilehto, Head of Product Security, Nokia

For more information on the event, please visit http://www.safecode.org/register.php. There is no charge to attend, but registration is required and space is limited, so please register today. If you are unable to attend the event, but would like to share an idea, you may submit your idea online at http://www.safecode.org/register.php.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 

Press Release -- Software Integrity Controls

Media Contact:
Stacy Simpson
Policy and Communications Director
SAFECode
703 812 9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases First Industry-Developed Guidance on Software Integrity Controls

New Report Outlines Assurance-Based Approach to Securing the Software Supply Chain

Arlington, Va. - June 14, 2010 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain.” The new report provides actionable recommendations for minimizing the risk of vulnerabilities being inserted into a software product during its sourcing, development and distribution. The paper was jointly developed by SAFECode’s members, which include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp., and is based upon an analysis of the real-world actions these companies take to secure their supply chain processes.

“Software assurance is most commonly discussed in terms of security engineering, or in other words, building security into the software as it is being developed. However, another important aspect of assurance is securing the supply chain processes for software sourcing, development and distribution to protect the integrity of delivered software,” said Paul Kurtz, executive director of SAFECode. “SAFECode’s latest paper addresses this emerging area of assurance and represents the first industry-led effort to identify and analyze the software integrity controls used by software vendors to protect software from the insertion of vulnerabilities as it moves along the global supply chain.”

The software integrity controls identified in the paper are used by major software vendors to address the risk that insecure processes, or a motivated attacker, could undermine the security of a software product as it moves through the links in the global supply chain. The controls aim to preserve the quality of securely developed code by securing the processes used to source, develop, deliver and sustain software. The controls identified in the report cover issues ranging from contractual relationships with suppliers, to securing source code repositories, to helping customers confirm the software they receive is not counterfeit. The work builds upon SAFECode’s previously released “Software Supply Chain Integrity Framework,” which defines a taxonomy for describing supply chain security in the context of software assurance.

“By basing our analysis on the actual practices and controls being used by SAFECode members today, we were able to identify software integrity controls that are not only effective, but also practical, repeatable and verifiable,” said Gunter Bitz, Head of Product Security Governance at SAP and a key contributor to the report. “We believe that broad industry adoption of software integrity controls can greatly improve customer confidence in IT systems. To help achieve this goal, SAFECode encourages other producers and distributors of software to tailor and adopt these controls into their own supply chain processes, as well as continue future study and analysis on additional methods to improve software integrity.” The paper also identifies areas that SAFECode believes deserve future industry-led collaboration and study. The ideas proposed include improved supplier management and communications along the supply chain, additional research on software testing, and the development of effective strategies for software assurance measurement. To continue the discussion, SAFECode encourages public comment on this paper and will consider feedback collected for future projects. To comment, please visit www.safecode.org.

“Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain” is available for free download at www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 

Press Release -- SAFECode Adds Adobe

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Adds Adobe as Newest Member

Global Technology Leader Joins Industry-led Software Security and Assurance Effort

Arlington, Va. - Sept. 29, 2009 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced Adobe Systems Incorporated as its newest member. SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Adobe joins software industry leaders EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. in SAFECode membership.

“As one of the world’s largest and most diversified software companies, Adobe brings invaluable expertise to SAFECode,” said Paul Kurtz, Executive Director of SAFECode. “We are looking forward to working with Adobe to build upon the positive work it is doing on software security. This collaboration will strengthen our ability to promote the adoption of practical software assurance methods across an increasingly diverse cyber ecosystem.”

As a SAFECode member, Adobe will join with subject matter experts to identify and share proven best practices for software assurance, promote broader adoption of software assurance best practices into the cyber ecosystem, and work with businesses, governments and critical infrastructure providers to leverage these practices to manage enterprise risks. Adobe will take an active role in current SAFECode projects that address secure development methods, software integrity in the global supply chain, and the measurability of software security.

“Adobe recognizes the importance of software assurance and applies security best practices when building products to deliver more secure, trusted and engaging user experiences,” said Brad Arkin, Director, Product Security & Privacy, Adobe and newest SAFECode Board Member. “We look forward to collaborating with SAFECode’s members to further advance software security.”

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include Adobe Systems Incorporated, EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 

Press Release -- SAFECode Releases Framework for Software Supply Chain Integrity

Media Contact:
Stacy Simpson
+ 1 703 812 9199
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Framework for Software Supply Chain Integrity

New Paper Defines Risks and Responsibilities for Securing Software in the Global Supply Chain

Arlington, Va. - July 21, 2009 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.” The paper outlines the first industry-driven framework for analyzing and describing the efforts of software suppliers to mitigate the potential that software could be intentionally compromised during its sourcing, development or distribution. The paper was jointly developed by SAFECode’s members, which include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

As the software industry has become increasingly globalized, concern has arisen over the possibility that an IT solution could be compromised by the intentional insertion of malicious code into the solution's software during its development or maintenance, which is often referred to as a supply chain attack. Though experts have concluded that the supply chain is not the most likely attack vector, vendors are taking action to mitigate supply chain risk by applying software integrity practices - the collection of processes and controls that enable a vendor to deliver customers a product that is uncompromised, thereby containing only what the vendor intends.

“While SAFECode’s members have individually implemented software integrity practices, this is the first time industry has come together to establish a common framework for ensuring the integrity of software through the global supply chain,” said Paul Kurtz, executive director of SAFECode. “This framework will serve as the foundation for subsequent work aimed at identifying and analyzing software integrity best practices and represents a critical step forward in the industry’s efforts to advance software assurance.”

Software assurance is most frequently discussed in the context of ensuring that code itself is more secure through the application of secure software development practices. However, while there has been a growing and appropriate focus on eliminating software vulnerabilities through secure development practices, this represents only one element of software assurance. The processes for sourcing, creating and delivering software must also contain integrity controls to enhance confidence that the software functions as the supplier intended.

Within SAFECode’s software supply chain integrity framework, software supply chain integrity controls address the access, storage and handling of development assets throughout the key links in the software supply chain – supplier sourcing, product development and testing, and product delivery. The controls are designed to be independent of geography, accommodate diverse sources of software components, and extend from a vendor’s suppliers to its customers. Software supply chain integrity practices and controls derive from established security and integrity principles, including:

  • Chain of Custody: The confidence that each change and handoff made during the source code’s lifetime is authorized, transparent and verifiable.
  • Least Privilege Access: Personnel can access critical data with only the privileges needed to do their jobs.
  • Separation of Duties: Personnel cannot unilaterally change data, nor unilaterally control the development process.
  • Tamper Resistance and Evidence: Attempts to tamper are obstructed, and when they occur they are evident and reversible.
  • Persistent Protection: Critical data is protected in ways that remain effective even if removed from the development location.
  • Compliance Management: The success of the protections can be continually and independently confirmed.
  • Code Testing and Verification: Methods for code inspection are applied and suspicious code is detected.
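The principles above are stated at the policy level; the following is an added example (not SAFECode's code, nor taken from the framework paper) of what three of them look like as a mechanism: a tamper-evident chain-of-custody log for a software artifact. Each handoff record links to the previous one by hash (chain of custody), must be authorized by an approver distinct from the actor (separation of duties), and is authenticated by both parties so that any edit to an earlier record invalidates every later link (tamper evidence). The actors, keys and artifact bytes are constructed for the demo; real deployments would use per-person asymmetric signing keys rather than shared HMAC secrets.

```python
"""Minimal tamper-evident chain of custody for a delivered artifact.

Added illustration of the chain-of-custody, separation-of-duties and
tamper-evidence principles; all names, keys and artifact bytes below are
constructed demo data, not anything from a real pipeline.
"""
import hashlib
import hmac
import json

# Constructed demo keys. In practice each party holds its own signing key
# (ideally hardware-backed); shared secrets in source are for the demo only.
KEYS = {
    "dev-alice": b"alice-demo-key",
    "build-bot": b"build-demo-key",
    "release-bob": b"bob-demo-key",
}

GENESIS = "0" * 64  # prev_hash of the first record in a chain
MAC_FIELDS = ("actor_mac", "approver_mac")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(record: dict) -> bytes:
    """Stable serialization so MACs and hashes cover exactly the stored fields."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_record(prev_hash: str, artifact: bytes, actor: str, approver: str, step: str) -> dict:
    """Append one handoff: actor performs the step, approver authorizes it."""
    if actor == approver:
        raise ValueError("separation of duties: approver must differ from actor")
    body = {
        "step": step,
        "artifact_sha256": sha256_hex(artifact),
        "actor": actor,
        "approver": approver,
        "prev_hash": prev_hash,
    }
    msg = canonical(body)
    body["actor_mac"] = hmac.new(KEYS[actor], msg, "sha256").hexdigest()
    body["approver_mac"] = hmac.new(KEYS[approver], msg, "sha256").hexdigest()
    # The record hash covers the MACs too, so later links pin both the
    # content and the authorizations of this handoff.
    body["record_hash"] = sha256_hex(canonical(body))
    return body


def verify_chain(chain: list, delivered: bytes) -> tuple:
    """Walk the chain from genesis; return (ok, reason)."""
    prev = GENESIS
    for rec in chain:
        if rec["prev_hash"] != prev:
            return False, f"{rec['step']}: broken link to previous record"
        if rec["actor"] == rec["approver"]:
            return False, f"{rec['step']}: actor approved own change"
        signed = {k: v for k, v in rec.items() if k not in MAC_FIELDS + ("record_hash",)}
        msg = canonical(signed)
        for role, field in (("actor", "actor_mac"), ("approver", "approver_mac")):
            expected = hmac.new(KEYS[rec[role]], msg, "sha256").hexdigest()
            if not hmac.compare_digest(expected, rec[field]):
                return False, f"{rec['step']}: {role} authorization invalid"
        hashed = {k: v for k, v in rec.items() if k != "record_hash"}
        if sha256_hex(canonical(hashed)) != rec["record_hash"]:
            return False, f"{rec['step']}: record hash mismatch"
        prev = rec["record_hash"]
    if not chain or chain[-1]["artifact_sha256"] != sha256_hex(delivered):
        return False, "delivered artifact does not match final custody record"
    return True, "ok"


def build_demo_chain() -> tuple:
    """Constructed commit -> build -> release history for one artifact."""
    source = b"int main(void) { return 0; }"   # constructed source snapshot
    binary = b"\x7fELF-demo-binary-bytes"     # constructed build output
    c1 = make_record(GENESIS, source, "dev-alice", "release-bob", "commit")
    c2 = make_record(c1["record_hash"], binary, "build-bot", "release-bob", "build")
    c3 = make_record(c2["record_hash"], binary, "release-bob", "dev-alice", "release")
    return [c1, c2, c3], binary


def tamper_demo() -> tuple:
    """Show that rewriting an earlier record is detected at that record."""
    chain, binary = build_demo_chain()
    ok_before, _ = verify_chain(chain, binary)
    chain[1]["artifact_sha256"] = sha256_hex(b"trojaned build")  # attacker edit
    ok_after, reason = verify_chain(chain, binary)
    return ok_before, ok_after, reason


if __name__ == "__main__":
    chain, binary = build_demo_chain()
    print(verify_chain(chain, binary))
    print(verify_chain(chain, b"counterfeit download"))
    print(tamper_demo())
```

The point of the design is that a customer (or auditor) needs only the final artifact, the log and the public verification material to check every principle at once; none of the checks depends on trusting the host where the log is stored, which is the "persistent protection" property the framework also lists.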

SAFECode will build upon this framework for software supply chain integrity with a focused effort to identify and analyze the most effective software integrity controls and practices that its member companies use to help ensure the integrity of their software. It will publish its findings later this year to help extend these practices across the industry and provide customers with additional insight into how to view and evaluate the processes by which software integrity is achieved.

“The complexities and interdependencies of the IT ecosystem require software suppliers to not only be able to demonstrate the security of products they produce, but also evaluate the integrity of products they acquire and use. For this reason, every software supplier has a significant stake in the identification, communication and evaluation of best practices for ensuring software integrity,” said Kurtz. “By promoting the adoption of well-defined software integrity practices across the industry, these efforts should ultimately lead to increased customer confidence in the security of IT solutions.”

A full copy of “The Software Supply Chain Integrity Framework: Defining Risks and Responsibilities for Securing Software in the Global Supply Chain” is available for free download at http://www.safecode.org/publications/SAFECode_Supply_Chain0709.pdf

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###

 

Press Release -- SAFECode Seeks Public Comment on Guide to Secure Development Practices

Media Contact:
Stacy Simpson
+ 1 202 262 7057
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Seeks Public Comment on Guide to Secure Development Practices

Arlington, Va. and San Francisco (RSA Conference) – April 20, 2009 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today issued a call for comments on its “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today."

Originally released in October 2008, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. Due to the positive response to the paper’s publication, as well as the rapidly evolving information security environment, SAFECode will be releasing an updated version in late 2009. SAFECode is offering experts outside of its membership an opportunity to provide input into the paper’s next version in its continued effort to make the recommendations as useful and relevant as possible.

“SAFECode’s paper on development practices was based on a detailed analysis of the real world experience of its members. Opening the paper to contributions by experts outside of our membership will not only expand our frame of reference, but also enable us to include feedback from those who have worked to put the original paper’s practices into action,” said Paul Kurtz, Executive Director of SAFECode.

The brief and highly actionable paper describes each identified security practice across the software development lifecycle – Requirements, Design, Programming, Testing, Code Handling and Documentation – and offers implementation advice based on the experiences of SAFECode members.

To submit your comments, please visit www.safecode.org. SAFECode will be accepting comments until July 31, 2009.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


 

Press Release -- SAFECode Shares Experiences with Security Engineering Training

Media Contact:
Stacy Simpson
+ 1 202 262 7057
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Shares Experiences with Security Engineering Training
 
New Paper Offers a Framework for Corporate Training Programs on Secure Software Development

Arlington, Va. and San Francisco (RSA Conference) – April 20, 2009 – The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released a paper outlining a framework for corporate training programs on the principles of secure software development. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

“Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development” outlines the fundamentals of a security engineering training program based on an analysis of the shared experiences of SAFECode members. It is not meant to provide a curriculum, but rather a framework that can be put into place to facilitate successful training initiatives across diverse corporate cultures, development environments and product requirements. Companies can use the framework to focus on the knowledge and skills that are most important to the needs of their programs, and thus meet their corporate objectives.

“Ensuring that every person involved in defining and building software applications has the security knowledge required to do it in a secure manner is fundamental to the success of software assurance programs,” said Reeny Sondhi, Senior Manager, Product Security Assurance, EMC Corporation and a key contributor to the paper. “By sharing their security training practices, the SAFECode members are making available to the software development community a proven approach to train software developers on secure development practices.”

An analysis of the software assurance programs of SAFECode members revealed that each successful effort has been supported by internally developed security engineering training directed at those responsible for the development of the software they produce, including product managers, project managers, architects/designers, developers and testers. While the review of the training efforts of SAFECode members demonstrated that internal training programs are most effective when customized to unique corporate needs, the programs share common elements that can greatly contribute to overall success. The most important of these was the need to create a solid base of foundational knowledge across the entire product team. Every SAFECode member has found that this level of awareness training is critical to establishing a security-aware culture and changing the specific behaviors of developers and assurance professionals.

“The lack of security engineering awareness and education among the software engineering workforce can be a significant obstacle to information and communications technology corporations working to implement effective software assurance programs,” said Paul Kurtz, Executive Director of SAFECode. “While not a replacement for formal security engineering education at the college and university level, the experiences shared by SAFECode members in this paper reveal the important role corporate training programs play in the effort to advance software assurance.”

A full copy of “Security Engineering Training: A Framework for Corporate Training Programs on the Principles of Secure Software Development” is available for free download at http://www.safecode.org/publications.php. SAFECode will update the paper periodically to reflect changes in the software assurance landscape and its work on advancing security engineering education and training.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode Establishes International Board of Advisors

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Establishes International Board of Advisors

Diverse Group of Information Security Experts will Help Guide SAFECode’s Work to Improve Software Security

Arlington, Va. - Oct. 28, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced that it has established an International Board of Advisors to help guide its efforts to advance software assurance. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

SAFECode’s International Board of Advisors comprises information technology experts representing government agencies, private-sector organizations and academic institutions from around the world. Its members provide third-party perspective and expertise to advise SAFECode on its efforts to advance secure development practices and promote software assurance.

Members of the SAFECode International Board of Advisors include:

  • William C. Barker, Chief Cyber Security Advisor, National Institute of Standards and Technology
  • Matt Bishop, Professor, Department of Computer Science, University of California, Davis
  • Dr. Paul Dorey, Director, CSO Confidential & Chairman of the Institute of Information Security Professionals
  • Claudia Eckert, Professor, Fraunhofer Institute for Secure Information Technology
  • Zoltán Hornák, Budapest University of Technology and Economics, SEARCH Security Evaluation Analysis and Research Laboratory
  • Alan Paller, Director of Research, SANS Institute
  • Prof. Dr. Joachim Posegga, Chair of IT-Security, Institute for IT Security and Security Law (ISL), University of Passau
  • Juha Röning, Professor, University of Oulu (Finland)
  • Reijo Savola, Network and Information Security Research Coordinator, VTT Technical Research Centre of Finland
  • Dan S. Wallach, Associate Professor, Department of Computer Science, Rice University (Houston, Texas)

“SAFECode has brought together this group of renowned information security experts to help guide and inform our efforts to improve the security and integrity of software,” said Paul Kurtz, executive director of SAFECode. “We share a common belief that software assurance plays a vital role in strengthening the security of our information infrastructure and we are thrilled to have the opportunity to leverage the diverse expertise and insight of this board of advisors as we work to advance secure software development.”

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode Releases Guide to Secure Development Practices

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Releases Guide to Secure Development Practices

New Paper Identifies Secure Development Methods that have Proven Applicable and Effective across Diverse Environments

Arlington, Va. - Oct. 08, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today released "Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today." Based on an analysis of the individual software assurance efforts of SAFECode members, the paper outlines a core set of secure development practices that can be applied across diverse development environments to improve software security. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp.

"SAFECode has brought together some of the most experienced software assurance professionals in the industry to move us beyond theoretical best practices to identify the secure development methods that have proven to be both effective and implementable even when different product requirements and development methodologies are considered," said Paul Kurtz, executive director of SAFECode. "We have documented and released these secure development practices in an effort to help others in the industry initiate or improve their own software assurance programs and encourage the industry-wide adoption of the secure development methods outlined in this paper."

A review of the software assurance methods used by SAFECode’s highly diverse membership revealed that there are corresponding security practices that can improve software security and integrity for each stage of the software development lifecycle. The examination of these vendor practices reinforces the assertion that software assurance must be addressed throughout the software development lifecycle in order to be effective and not treated as a one-time event.

To aid others within the software industry in adopting and using these secure development best practices effectively, Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today describes each identified security practice across the software development lifecycle – Requirements, Design, Programming, Testing, Code Handling and Documentation – and offers implementation advice based on the experiences of SAFECode members. The secure development practices defined in the paper are as diverse as the SAFECode membership, spanning web-based, shrink-wrapped and database applications, as well as operating systems and embedded systems.

"Software vendors have both a responsibility and a business incentive to ensure product assurance and security," said Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft’s Trustworthy Computing Group and a primary contributor to the paper. "By collecting and analyzing the secure development methods currently in practice across SAFECode members, we are able to offer others in the industry highly actionable advice for improving software security to the benefit of both our colleagues and customers."

A full copy of Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today is available for download at http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. SAFECode is a global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Its members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., Nokia, SAP AG and Symantec Corp. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode Adds Nokia

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Adds Nokia as Newest Member

Global leader in mobile technology joins industry-led effort to advance software assurance

Arlington, Va. - March 31, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods, today announced that it has added Nokia as its newest member. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

"As the global leader in mobile technology, Nokia brings invaluable expertise to SAFECode's efforts," said Paul Kurtz, executive director of SAFECode. "Software underpins the communications and mobile computing infrastructures we've come to rely on in so many ways. SAFECode is thrilled to have the opportunity to work with Nokia to build on the positive work the company has already done to promote assurance best practices across the mobile technology ecosystem."

As a SAFECode member, Nokia will join with subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks.

"The continuous development of secure technology has always been core to Nokia's commitment to its customers. Participation in SAFECode offers a valuable opportunity to extend our corporate dedication to security and positively influence the security of the communications infrastructure to the benefit of all technology users," said Janne Uusilehto, Head of Nokia Product Security. "We look forward to working with SAFECode's members to promote secure software development practices."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

About Nokia
Nokia is the world leader in mobility, driving the transformation and growth of the converging Internet and communications industries. We make a wide range of mobile devices with services and software that enable people to experience music, navigation, video, television, imaging, games, business mobility and more. Developing and growing our offering of consumer Internet services, as well as our enterprise solutions and software, is a key area of focus. We also provide equipment, solutions and services for communications networks through Nokia Siemens Networks.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- Best Practices

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org

FOR IMMEDIATE RELEASE

SAFECode Outlines Current Industry Best Practices for Software Assurance

New report aims to increase understanding and adoption of the most effective secure development methods and integrity controls used by technology vendors

Arlington, Va. - Feb. 13, 2008 - The Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information technology (IT) products and services through the advancement of effective software assurance methods, today released its first member report, Software Assurance: An Overview of Current Industry Best Practices. The report outlines the secure development methods and integrity controls currently used by SAFECode members to deliver high-assurance systems to government and commercial customers. SAFECode members include EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp.

"Software assurance is a vital component to ensuring the security of critical information technology resources, and information and communications technology vendors thus have an obligation to address assurance through every stage of application development," said Paul Kurtz, executive director of SAFECode. "As the initial step in our efforts to help the industry meet this important responsibility, SAFECode has identified the assurance best practices that have proven to be effective across its member companies. By sharing this information, we hope to encourage the adoption of these types of practices by other software developers and respond to the growing customer desire for greater visibility into the steps technology vendors are taking to continually improve the security of their products."

Software development processes vary by vendor according to their unique organizational structures and customer requirements. Yet regardless of the methods used, there is a core set of best practices for software assurance and security that apply to diverse development environments. The paper identifies and explains the following security best practices and controls that are currently in use by SAFECode members:

  • Security Training: A prerequisite to coding secure software is for engineers to be knowledgeable about information security issues that may affect people who use the product.
  • Defining Security Requirements: Security requirements must be defined during the early stages of product development.
  • Secure Design: The early design phase must identify and address potential threats to the application and ways to reduce those risks to a negligible level.
  • Secure Coding: The product development team must implement secure programming practices.
  • Secure Source Code Handling: The integrity and confidentiality of source code must be protected.
  • Security Testing: Specialized validation should be implemented to ensure that security requirements and secure design and coding guidelines were followed.
  • Security Documentation: Documentation for users should include explicit treatment of security issues to help customers understand how to optimally configure security controls, and how configuration choices can affect the product's exposure to potential security vulnerabilities.
  • Security Readiness: Prior to releasing a product, the application developer must evaluate, document and assess risks posed by potential security gaps in the product.
  • Security Response: Any security vulnerabilities (exploited or not) reported against the deployed product should be handled through incident response mechanisms and relayed to the product development or sustaining teams to mitigate the vulnerability.
  • Integrity Verification: Products must offer customers methods to verify that the software they have acquired is indeed from their trusted vendor.
  • Security Research: Ongoing research should be conducted into new threat vectors and mechanisms to mitigate them.
  • Security Evangelism: Leaders in the area of software assurance should promote the use of best practices by discussing their practices and findings in open forums, articles, papers and books.

"Vendors who have implemented these best practices have seen dramatic improvements in software product assurance and security," said Kurtz. "We encourage all software developers and vendors to consider, tailor and adopt these practices into their own development environments. The result of efforts like these will be a higher level of end-user confidence in the quality and safety of software that underpins critical operations in governments, critical infrastructure and businesses worldwide."

In the coming months, SAFECode will issue a number of reports building on these high-level best practices to offer specific and actionable information on the key concepts, principles, and research and development activities the organization is pursuing to improve software assurance and security.

A full copy of Software Assurance: An Overview of Current Industry Best Practices is available for download at http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf. The paper also includes eight important questions that organizations should ask vendors during the procurement process to help evaluate the software assurance of products or vendor engagements.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corp., SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. Membership in SAFECode is open to information and communications technology vendors with significant global business activity in technology products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. For more information, please visit www.safecode.org.

Product and service names mentioned herein are the trademarks of their respective owners.

###


Press Release -- SAFECode Formed

Leading Technology Companies Form Industry Group to Advance Software Assurance

SAFECode to promote best practices for the delivery of more secure and reliable software, hardware and services

Paul Kurtz named executive director

Arlington, VA. and London (RSA Conference Europe) -- Oct. 23, 2007 -- A group of leading information and communications technology companies today announced the formation of the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization exclusively dedicated to increasing trust in information technology (IT) products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG, and Symantec Corp., SAFECode is the first global, industry-led effort to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services.

As the global dependence on information and communications technology has grown, users have become increasingly concerned over the integrity, security and reliability of software, hardware and services, especially those in the government, critical infrastructure and enterprise sectors. The need to reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity has never been more important than in today's increasingly complex and dynamic threat environment. To help achieve these objectives and strengthen the security of the IT ecosystem, SAFECode unites key stakeholders in an effort to advance software assurance by developing and promoting a set of methods for secure product development and integrity controls that protect software, hardware and services across the global supply chain.

While individual companies have implemented effective methods for developing and delivering more secure and reliable software, hardware and services, there has been no coordinated, industry-led effort to build upon this positive work and promote best practices to advance software assurance more broadly. SAFECode fills this critical gap by bringing together subject matter experts to identify and share proven vendor software assurance practices, promote broader adoption of such practices into the cyber ecosystem, and work with governments and critical infrastructure providers to leverage vendor practices to manage enterprise risks.

SAFECode's objectives are to:

  • Increase understanding of the secure development methods and integrity controls used by vendors
  • Promote proven software assurance practices among vendors and customers to foster a more trusted ecosystem
  • Identify opportunities to leverage vendor software assurance practices to better manage enterprise risks
  • Foster essential university curriculum changes needed to support the cyber ecosystem
  • Catalyze action on key research and development initiatives in the area of software assurance

To help SAFECode achieve its objectives, the organization has named Paul Kurtz, a recognized cyber security expert, as its executive director. Currently a partner at Good Harbor Consulting LLC, Kurtz most recently served as the founding executive director of the Cyber Security Industry Alliance (CSIA). Prior to CSIA, he served in senior positions on the White House's National Security and Homeland Security Councils under Presidents Clinton and Bush.

"Software assurance is a critical element of IT ecosystem security. By building on the positive work already done in this area by individual firms and encouraging broader adoption of proven best practices for the development and delivery of more secure technology products and services, SAFECode has a unique opportunity to significantly impact the overall security and reliability of the cyber infrastructure," said Paul Kurtz, executive director of SAFECode. "With the support of its founding members, SAFECode will work to meet the growing demand for information and dialogue on software assurance and increase the trust in IT and communications products and services."

Membership in SAFECode is open to information and communications technology vendors with significant global business activity in IT products such as hardware, software and services who have demonstrated a commitment and dedicated resources to software assurance. In addition, SAFECode will be assembling an advisory board of government leaders and critical infrastructure operators from around the globe to better understand and respond to key software assurance challenges.

About SAFECode
The Software Assurance Forum for Excellence in Code (SAFECode) is a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of proven software assurance methods. Founded by EMC Corporation, Juniper Networks, Inc., Microsoft Corporation, SAP AG and Symantec Corp., SAFECode works to identify and promote best practices for developing and delivering more secure and reliable software, hardware and services. For more information, please visit www.safecode.org.

Media Contact:
Stacy Simpson
+ 1 703 926 1963
stacy at safecode.org


Articles

CSO Magazine
Preserving the integrity of software through the supply chain
August 30, 2010
http://www.csoonline.com/article/607246/preserving-the-integrity-of-software-through-the-supply-chain

GSN: Government Security News
The Role of Software Integrity Practices in Government Network Security
December 4, 2009
http://www.gsnmagazine.com/cms/features/news-analysis/3038.html

Latest issue of ENISA Quarterly Magazine Online
Oct. 25, 2007
This issue focuses on Secure Software - From the World of Security Experts.
http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_12_07.pdf

Audio Clips / Podcasts

CSO Magazine
Code Security: White House lessons, part 2
June 14, 2010
Paul Kurtz talks with CSO senior editor Bill Brenner about the software integrity controls paper
http://www.csoonline.com/podcast/596691/code-security-white-house-lessons-part-2

CSO Magazine
Code Security: Lessons from the White House
June 10, 2010
Paul Kurtz discusses code security with CSO senior editor, Bill Brenner
http://www.csoonline.com/podcast/596515/code-security-lessons-from-the-white-house

Federal News Radio
SafeCode: 'The Supply Chain Integrity Framework'
July 30, 2009
http://www.federalnewsradio.com/index.php?nid=56&sid=1727458

Federal Security Radio
May 21, 2009
Paul Kurtz discusses software assurance with Tom Temin on Federal Security Spotlight.
http://www.federalnewsradio.com/index.php?nid=56&sid=1678843

RSA Conference Europe 2008
Oct 26, 2008
Paul Kurtz discusses the issues surrounding product security.
https://365.rsaconference.com/blogs/podcast_series_rsa_conference_europe_2008/2008/10/26/session-preview-with-paul-kurtz

WAMU NPR: Cyber Threats
Jun. 25, 2008
Diane Rehm talks with Paul Kurtz, Alan Paller, Stephen Spoonamore, and Congressman Jim Langevin about growing concerns over cyber attacks in the public and private sectors.
http://podcastdownload.npr.org/anon.npr-podcasts/podcast/305/510071/91879571/WAMU_91879571.mp3
51:20 Podcast

IT Week Podcast: RSA Conference Europe
Oct. 25, 2007
This week David Neal talks to Phil Muncaster about the latest news coming from the annual RSA Conference Europe event in London's ExCel.
MP3 (5.6 MB) - http://images.vnunet.com/v7_static/itw/podcasts/IT-Week-Podcast-25-October.mp3