BSA releases new Software Security Framework to guide developers
BSA / The Software Alliance, the leading advocate for the global software industry that represents companies such as Apple, Microsoft, IBM, Salesforce and more, has released a Framework for Secure Software. The framework is a first-of-its-kind tool that brings together best practices for IT leadership and developers on how best to secure software throughout the development process.
Software development organizations are expected to find the framework a useful tool for:
- Development process guidance
- Training and awareness
- Tracking and assessment
- Vendor relations
- Public security narrative
In announcing the release, BSA executives said they hope the framework will encourage the development of guidelines from both the public and private sectors, and that software development companies will use it as a complement to existing organizational risk management processes related to IoT, SaaS, and AI.
Information Management spoke with Tommy Ross, BSA’s cybersecurity expert, about the new Framework and how it will impact software development.
Information Management: BSA | The Software Alliance has just released its Framework for Secure Software. Please tell us what the framework basically involves.
Tommy Ross: The BSA Software Security Framework is a first-of-its-kind tool for understanding and assessing the security of software products and services using a risk-based, outcome-focused methodology that applies broadly to diverse types of software, software development processes and coding languages. It fills a significant gap in cybersecurity policy, given that there are currently no widely recognized, detailed standards, benchmarks, or policies articulating security baselines for broad classes of software products and services.
The Framework, building on the foundation of the NIST Framework for Enhancing Critical Infrastructure Cybersecurity, outlines priority security outcomes across the software development lifecycle organized according to functions, categories, and subcategories. The Framework also includes diagnostic statements, which are intended to translate security guidance at the category and subcategory level into specific, measurable statements that are detailed enough to provide meaningful guidance to software developers, cybersecurity professionals, and other key stakeholders.
IM: What was the motivation behind developing this new framework?
Ross: Software-based cyber threats are on the rise; according to Symantec, software supply chain attacks rose 150 percent between 2016 and 2017 and another 78 percent through 2018. Damages inflicted by cyberattacks can cost the global economy billions of dollars and imperil our critical infrastructure.
Beyond helping to confront this growing threat, this new Framework is particularly timely because of the rapidly evolving global policy environment relating to software security. The European Union, as well as individual national governments, is taking steps to develop a “Software Duty of Care” that may set standards used to hold software developers liable for security flaws; other nations, such as China, are developing software security standards that may ultimately be required of software developers.
The U.S. National Institute of Standards and Technology (NIST) is crafting a publication outlining Secure Software Development Lifecycle best practices. All of these efforts are in their infancy, and many could create significant consequences for the global software industry. The new Framework, as the first fully developed software security framework, will be a useful tool to shape these policy efforts based on best practices developed from within the software industry.
IM: Does this expand on or replace a prior software standards tool, or work in conjunction with something organizations are probably already using?
Ross: Currently, no detailed, measurable benchmark exists to assess the security of a software product or service. Several national and international standards describe specific attributes of software security, such as identity management or encryption, and best practice literature describes secure development lifecycle practices and other relevant security techniques.
No existing benchmark, however, provides a holistic treatment of software security considerations, including those relating to the processes of developing and maintaining software throughout its lifecycle and to the specific security capabilities of a product or service.
The BSA Framework fills this gap, while aligning with existing best practice literature and other informative resources wherever they exist. In particular, the Framework is aligned with ISO/IEC 27034 as well as popular guidance documents like the Building Security In Maturity Model (BSIMM) and the Software Assurance Maturity Model (SAMM).
IM: Who is the framework targeted at, and to do what?
Ross: The framework has three main audiences: software development organizations, their customers, and policymakers.
For organizations developing and selling software, it provides a tool to help them design their secure software development lifecycles, communicate guidance to key personnel, and assess and validate their products and services.
It also provides a tool to enable customers to better understand the security profile of products and services they are considering for purchase, and to make smarter decisions about purchasing secure software.
Finally, it can help policymakers engage in more sophisticated discussions with software development organizations and their government customers to assess risk, guide investments, and advance security throughout the software ecosystem.
IM: How does the framework relate to development process guidance?
Ross: Process guidance is captured throughout the framework. Of the framework’s three functions – secure development, secure capabilities, and secure lifecycle – the first and third functions aim to describe specific elements critical to any secure software development lifecycle process, including coding and project management as a product or service is developed for the market, as well as vulnerability management and other considerations after the product or service is deployed.
IM: How does the framework relate to training and awareness?
Ross: We believe the Framework offers a foundation for training stakeholders in a variety of roles involved in the development, management, and use of software.
In addition to providing detailed guidance on security considerations throughout the software development lifecycle, the Framework aligns each diagnostic statement with relevant internationally recognized standards, best practice literature, and entries in the Common Weakness Enumeration (CWE) system. This alignment points readers to established sources for more information on the weaknesses each diagnostic statement seeks to prevent, risks associated with those weaknesses, and technical approaches to mitigating them.
IM: How does the framework relate to tracking and assessment?
Ross: The Framework intersects with tracking and assessment in two ways.
First, it incorporates guidance to software development organizations encouraging the use of tracking and assessment tools and processes, including change management, security gateways, security testing, and vulnerability management.
Second, it provides a series of specific, measurable diagnostic statements throughout the software development lifecycle that can be used to track and assess security considerations from the initial conception of a software project through its completion and deployment.
IM: How does the framework relate to vendor relations?
Ross: One of the challenges that BSA’s members and other software developers have faced is that customers are increasingly hungry for detailed information about software security but lack sophisticated tools for obtaining that information. Software vendors often receive long, detailed security questionnaires from potential customers, but these can create a substantial burden on product security teams without necessarily providing the customer verifiable assurance of the product or service’s security.
Our framework has the potential to revolutionize customer-vendor relations by providing a robust, actionable, common tool to describe the security profile of a software product or service in a way that can provide customers true confidence in the software without overburdening vendors. It can shorten sales cycles and empower customers to make smarter decisions on buying secure software.
IM: How does the framework relate to public security narrative?
Ross: The Framework reinforces the importance of software security, often a neglected element of cybersecurity, and provides stakeholders a way to advance informed discussion of relevant security practices and outcomes. It can advance public discourse about security by serving to highlight how important it is for software users to be attentive to the sources of their software and the measures that developers of their software have put in place to secure it.
IM: What is the most important thing that Information Management readers should know about the new framework?
Ross: Information Management readers should understand that, as software increasingly powers our lives, software security will increasingly be the focus of policymakers, and we need tools like the BSA Framework to ensure that policymakers can approach software security with the sophistication and nuance necessary to avoid disrupting innovation.
The potential of the BSA Framework lies in its ability to communicate meaningful information about security outcomes that are most important to software assurance in a way that is flexible, accounts for risk, and applies across the ever-expanding diversity of software products and services. Importantly, your readers should know that the Framework is intended as a living document, an opening to the conversation rather than the final word, and their feedback would be most welcome.