The industry group published a white paper, “Principles for Software Assurance Assessment”, that recommends questions corporate software buyers should ask their suppliers beforehand so they wind up with products less likely to be riddled with security flaws.
One of the big problems these buyers may face is that they don’t know the relevant questions to ask, says Eric Baize, SAFECode chairman and Senior Director, Product Security and Trusted Engineering for EMC.
To come up with those questions, SAFECode polled its members – which include Adobe Systems, CA Technologies, EMC, Intel, Microsoft, SAP, Siemens and Symantec – for the types of documentation they offer customers. It also asked prominent businesses that buy software what they find useful to ask and what information they find useful to receive from the vendors, the paper says.
The concerns raised by customers and suppliers reveal that they often aren’t on the same page even though they both want the same thing – assurance that software is secure and reliable.
For example, customers say they need to understand whether a software vendor has a secure development process and whether it was applied to the product they are considering buying.
At the same time, software vendors say there is no agreement on what specifically customers should ask for, and that some of what they do ask for doesn’t actually line up with real-world secure development practices, the paper says.
On the side of customers, SAFECode recommends first figuring out what kind of vendor they are dealing with. Some don’t have well-established software assurance programs or won’t say what their assurance process is. Others have well-developed programs that are based on standards. Still others have sound processes that aren’t based on international standards.
For the first group, SAFECode recommends using assessment tools such as binary-code analysis. For the second, document that they meet the standards they say they do.
For the third group, the paper recommends getting answers on how vendors test and improve the security of their products and how they measure those factors. Customers should ask whether developers are required to train in software security practices and whether the security of their work is reviewed and approved by managers.
Vendors should demonstrate they employ a formal process for fixing vulnerabilities they find and that they collaborate with customers to fix flaws found after sale of products.
One problem is that the relevant standards are still developing and may not be approved for years yet, Baize says.
The main standard, ISO 27034, is available for vendors to comply with, but so far there is no third-party review process to verify that they actually meet the standard, says Howard Schmidt, executive director of SAFECode and former cybersecurity advisor to the White House under President Obama.
“Today it’s a Wild West,” he says. “There’s a huge burden on suppliers. Buyers aren’t always looking at the right thing.”