IT industry titans including Microsoft and Symantec announced Tuesday at the RSA Conference Europe the formation of the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organization solely dedicated to fostering greater trust in information technology products and services by advancing proven software assurance methods.
The group calls itself the first industry-led, worldwide effort to identify and promote practices for developing and delivering more secure and reliable software, hardware and services.
“Software assurance is a critical element of IT ecosystem security. By building on the positive work already done in this area by individual firms and encouraging broader adoption of proven best practices for the development and delivery of more secure technology products and services, SAFECode has a unique opportunity to significantly impact the overall security and reliability of the cyber infrastructure,” said Paul Kurtz, executive director of SAFECode.
“With the support of its founding members, SAFECode will work to meet the growing demand for information and dialog on software assurance and increase the trust in IT and communications products and services,” he continued.
Band of IT Brothers
As technology has advanced and dependence on information and communication technologies has increased around the world, concern among users has steadily increased regarding the integrity, security and reliability of software, hardware and services. Of particular concern are those systems used by government, critical infrastructure and enterprise sectors, the group said.
In response, IT companies like EMC, Juniper Networks and SAP, along with Microsoft and Symantec, came together to help reduce IT vulnerabilities, improve resistance to attack, and protect supply chain integrity at a time when threats from an increasingly complex and dynamic environment have never been greater, SAFECode said.
To aid the industry in achieving these goals and to strengthen the security of the IT ecosystem, these key stakeholders have set aside their rivalries to come together and form SAFECode in an attempt to “advance software assurance by developing and promoting a set of methods for secure product development and integrity controls that protect software, hardware and services across the global supply chain,” according to the group.
While individual companies have put in place effective methods for developing and delivering more secure and reliable software, hardware and services, the group noted, there has been no coordinated industry-wide and industry-led effort to capitalize upon “this positive work and promote best practices to advance software assurance more broadly.”
Lofty objectives aside, on a practical level, SAFECode intends to bring experts together to identify and share tried and true vendor software assurance practices and promote broader adoption within the “cyber ecosystem.” It will also work with governments and critical infrastructure providers to take advantage of vendor practices to manage enterprise risks.
In addition, SAFECode plans to assemble an advisory panel of government leaders and critical infrastructure operators from around the globe to foster a better understanding of the software assurance challenges and respond to key issues.
The consortium will take its message to universities to promote essential curriculum changes necessary to support the cyber ecosystem. SAFECode also hopes to act as a catalyst for action on key research and development initiatives in the area of software assurance.
‘Only Time Can Tell’
The forum’s mission to fundamentally improve software products and the trust customers have in them is a big step in the right direction for the industry, Rob Ayoub, a Frost & Sullivan analyst, told the E-Commerce Times.
“One of the biggest challenges in security is that it is often bolted on as an afterthought instead of being baked in from the start,” he explained.
Many of the founding five companies have spent years competing against one another; however, we will have to wait and see whether their corporate egos get in the way and how effective the group will be, Ayoub said.
“Chemistry is a key variable, and only time can tell, but if security really is the key focus they should be able to rise above trivial issues such as ego,” he continued.
If SAFECode is able to achieve its goals, the benefit will be a heightened security awareness among end-users, Ayoub stated. It will be easier for casual users to grasp the significance of a seal of approval and be attracted to it than it is for them to follow security forums and news. That greater understanding is critical to preventing the spread of so-called zombie computers and botnets.
“Since this is not really a standards body, the ability to enforce any standards is going to be a challenge,” Ayoub pointed out when asked about a possible downside. “While this group can make great recommendations, it only takes one vendor to not cooperate to make a bad impression for the group.
“There is much more that [SAFECode] could do, and I would like to see [it] evolve these potential capabilities,” Ayoub said. “For example, because they are such giants in the industry, there is a great deal of pressure that they can put on the industry to meet a higher level of standards. And because they are also vendors, these standards would be appropriate and realistic.
“[Developing] a seal of approval for software products can promote security awareness among consumers while also increasing the visibility of the SAFECode organization,” he concluded.