Code integrity, authenticity are part of the development process, SAFECode argues

Dark Reading Staff, Dark Reading

June 15, 2010

1 Min Read

Application security problems don't just occur when developers are writing code -- they can occur as that code is exchanged or distributed, a new report argues.

Sometimes security vulnerabilities are introduced when software makers exchange code -- or when it is sent out to customers, according to "An Overview of Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain" (PDF), a white paper issued today by the Software Assurance Forum for Excellence in Code (SAFECode).

"Most of the studies on software development so far have really looked only at the security issue," says Paul Kurtz, executive director of SAFECode, a nonprofit organization backed by major software vendors. "What we're saying here is that software integrity and authenticity need to be part of the discussion."

The paper outlines software integrity controls used by major software vendors to address the risk that insecure processes, or a motivated attacker, could undermine the security of a software product as it moves through the links in the global supply chain.

The controls cover issues ranging from contractual relationships with suppliers, to securing source code repositories, to helping customers confirm the software they receive is not counterfeit. The work builds on SAFECode's previously released "Software Supply Chain Integrity Framework," which defines a taxonomy for describing supply-chain security in the context of software assurance.

The paper also identifies areas that SAFECode believes deserve future industry-led collaboration and study. SAFECode encourages public comment on the paper and will consider feedback collected for future projects.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights