New report outlines best practices for secure development

analysis

Oct 8, 20081 min

A new, free 22-page report from SAFECode discussses best practices across the secure development lifecycle in a pithy, pragmatic way.

A new 22-page report, “Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today,” has just been released by SAFECode, an industry-led association focused on advancing software assurance. The report, available for free as a PDF at SAFECode’s Web site, was written by Michael Howard of Microsoft and 15 coauthors from EMC, Juniper, Microsoft, Nokia, SAP, and Symantec.

I’ve been through this report, and I’m impressed at how much good content and good references has been crammed into such a short paper. The paper:

“describes each identified security practice across the software development lifecycle – Requirements, Design, Programming, Testing, Code Handling and Documentation – and offers implementation advice based on the experiences of SAFECode members. The secure development practices defined in the paper are as diverse as the SAFECode membership, spanning web-based, shrink-wrapped and database applications, as well as operating systems and embedded systems.”

If you’re involved in software development at all, this paper is at least worth skimming.

Software Development

by Martin Heller

Contributing Writer

Follow Martin Heller on X

Martin Heller is a contributing writer at InfoWorld. Formerly a web and Windows programming consultant, he developed databases, software, and websites from his office in Andover, Massachusetts, from 1986 to 2010. From 2010 to August of 2012, Martin was vice president of technology and education at Alpha Software. From March 2013 to January 2014, he was chairman of Tubifi, maker of a cloud-based video editor, having previously served as CEO.

Martin is the author or co-author of nearly a dozen PC software packages and half a dozen Web applications. He is also the author of several books on Windows programming. As a consultant, Martin has worked with companies of all sizes to design, develop, improve, and/or debug Windows, web, and database applications, and has performed strategic business consulting for high-tech corporations ranging from tiny to Fortune 100 and from local to multinational.

Martin’s specialties include programming languages C++, Python, C#, JavaScript, and SQL, and databases PostgreSQL, MySQL, Microsoft SQL Server, Oracle Database, Google Cloud Spanner, CockroachDB, MongoDB, Cassandra, and Couchbase. He writes about software development, data management, analytics, AI, and machine learning, contributing technology analyses, explainers, how-to articles, and hands-on reviews of software development tools, data platforms, AI models, machine learning libraries, and much more.

Show me more

Topics

About

Policies

Our Network

More

New report outlines best practices for secure development

A new, free 22-page report from SAFECode discussses best practices across the secure development lifecycle in a pithy, pragmatic way.

More from this author

Running agents with Amazon Bedrock AgentCore

Generative AI and the future of databases

AI-assisted software development with Amazon Q Developer

Agentic coding with Google Jules

OpenAI Codex rivals Claude Code

A brief history of AI

Qwen Code is good but not great

Retrieval-augmented generation with Nvidia NeMo Retriever

Show me more

Databricks pitches Lakewatch as a cheaper SIEM — but is it really?

A data trust scoring framework for reliable and responsible AI systems

Rethinking VM data protection in cloud-native environments

How to build desktop apps in Typescript with Electrobun

Write and run assembly in Python with Copapy

Run AI Models Locally on Your PC — No Cloud Required (LM Studio Guide)