New group to center on secure software

SAFEcode will be a nonprofit technical organization that will develop best practices and draw parallels between practices at member companies.

A handful of major information technology companies announced in London today the formation of an industry organization to develop and share best practices for secure software development.

Many companies have internal programs to improve the quality of the code they are producing, but a lack of communication has limited their effectiveness, said former White House cybersecurity adviser Paul Kurtz, executive director at the Software Association Forum for Excellence in Code. SAFEcode will be a nonprofit technical organization that will develop best practices and draw parallels between practices at member companies. Founders also expect to help establish educational programs and curriculum for good coding, Kurtz said.

Founding members are Microsoft, Symantec, EMC, Juniper Networks and SAP.

The companies began discussing the organization about six months ago. The announcement was made at the RSA Europe security conference in London to emphasize that it will be a global organization, Kurtz said.

Security professionals have complained for years that a major problem in IT security is the quality of the underlying software and have been calling for improvements in the code. Programs developed to stringent standards would produce a higher level of assurance than patching vulnerabilities after the fact can provide. Many companies have taken these complaints seriously and made efforts to improve the quality of their products, but because of the complexity of code, software patches remain a fact of cyberlife.

"This is a process that will be under way for a very long time," Kurtz said. "In fact, it will be continuous."

Reaching the next level of progress will require cooperation among companies and with government and academia, and that is what SAFEcode is intended to enable, Kurtz said.

Kurtz, who left the Cyber Security Industry Alliance at the beginning of the year to join Good Harbor Consulting, said Good Harbor will provide back-room administrative resources for SAFEcode.

The Cyber Security Industry Alliance, another IT industry organization, was a lobbying organization focused on legislative and governmental policy. SAFEcode is strictly a technical organization, Kurtz said. "We do not have the ability to lobby, nor do we want to lobby."

William Jackson writes for Government Computer News, an 1105 Government Information Group publication.