Sitewide
RSS Feed:
|
By: Jon Collins, Managing Director, Freeform Dynamics Published: 12th December 2007 Copyright Freeform Dynamics © 2007 |
It's now six weeks since RSA Europe, when I made a diary note to take a deeper look at the SAFECode forum. SAFECode stands for the Software Assurance Forum for Excellence in Code—we can be profoundly grateful that the founders didn't try to expand out the entire acronym. It also stands for "increasing trust in information technology (IT) products and services through the advancement of proven software assurance methods"; a kind of Green Cross man of the IT world, helping software developers across the highly risky freeways of the technologcal world.
The SAFECode idea is to co-ordinate software best practices across software vendor companies, build in appropriate checks and balances to ensure the resulting applications are secure (or at least, to minimise the risks). Is it necessary? Where there's smoke there's fire, and to be sure, Microsoft is no longer the only target of cyber-attacks. As hackers mature into commercial operators, no longer motivated (just) by "giving it to the man", an ever-widening pool of programs is coming under threat.
In principle, then, SAFECode is a good, worthy and valuable idea. It is by no means guaranteed to succeed, for a number of reasons. Don't get me wrong—of course it will be a good thing to co-ordinate and share best practice. From the point of view of its longer term success there are several howevers, based around:
In summary, then, all initiatives such as SAFECode should be applauded. However, the forum should be judged not on its existence alone, but on its ability to change how applications are written and, ultimately, on whether the risks posed by member applications are reduced. This may seem like a tall order but if SAFECode can't provide some kind of guarantee, then it will be of little use. Not only this, but its currency will very quickly devalue, to the detriment of its founders and the credibility of their products.
We are no longer accepting comments against this item. We suggest contacting the author directly.
Published by: IT Analysis Communications Ltd.
T: +44 (0)1908 880760 | F: +44 (0)1908 880761