The vendors contributing to the report are SAFECode members who have enjoyed some success in reducing the frequency of attacks against its technology, including EMC Corp., Juniper Networks Inc., SAP AG and Microsoft Corp. But the organization also includes companies that continue to have an uphill climb, most notably Adobe Systems Inc.
Despite its efforts to write more ironclad software, Adobe has taken heavy criticism for the number of vulnerabilities attackers have been able to exploit. In a recent interview with CSO, Adobe security chief Brad Arkin admitted the company has a lot of work to do, but that part of the problem is the wide attack surface that comes with a technology almost everyone uses.
In an interview with CSO last week, SAFECode executive director Paul Kurtz acknowledged that 100 per cent secure code may be impossible to achieve, and that companies will always deal with some level of vulnerability. But, he said, the new report at least offers a roadmap of examples other companies can use to make their own development procedures better than they are now.
“Software assurance is most commonly discussed in terms of security engineering, or in other words, building security into the software as it is being developed,” he said. “But another important aspect of assurance is securing the supply chain processes for software sourcing, development and distribution to protect the integrity of delivered software.”
SAFECode’s latest paper deals specifically with this area and represents the first industry-led effort to identify and analyze the software integrity controls used by software vendors to protect software from the insertion of vulnerabilities as it moves along the global supply chain, he added.
Among the actions worth pursuing to improve security in the supply chain, SAFECode members recommend:
* Vendor contracts that include stronger language on the responsibilities and expectations of vendors and suppliers. “The written agreement must explicitly state the expectations as well as the consequences of any non-compliance with the terms of the agreement,” the report said.
* Vendor technical integrity controls for suppliers that address everything from secure transfer of code, sharing of system and network resources, malware scanning and secure storage.
The report reflects a growing trend in the infosec community that relies less on bolt-on defenses and more on well-written software code.