This is very interesting:
A handful of major information technology companies announced in London today the formation of an industry organization to develop and share best practices for secure software development.
Many companies have internal programs to improve the quality of the code they are producing, but a lack of communication has limited their effectiveness, said former White House cybersecurity adviser Paul Kurtz, executive director at the Software Association Forum for Excellence in Code. SAFEcode will be a nonprofit technical organization that will develop best practices and draw parallels between practices at member companies. Founders also expect to help establish educational programs and curriculum for good coding, Kurtz said.
Founding members are Microsoft, Symantec, EMC, Juniper Networks and SAP.
Where are Sun, IBM, BEA, and Oracle? Do they like secure coding too?
It would be very interesting to see an equivalent initiative from the customer side (who are the lucky recipients who have to pay for all the security vulns created by the above). I know as a consultant that there are many large companies struggling with similar secure coding issues, exacerbated to some degree by outsourcing, and a lot could be gained by a shared effort. The analyst community, like the vendors, has more or less left the Fortune 500s out in the dark, so this may be an area where a half dozen or so motivated security architects and CISOs at Fortune 500s could band together to create a group to help drive change. None of the other big players (analysts, vendors, big consulting firms) seem to be doing it. Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products and services and share best practices in the software security space?