BSA releases framework for secure software

BSA | The Software Alliance has launched its Framework for Secure Software, which it says is aimed at filling one of the most “significant gaps” in cyber security policy. 

The framework is a first-of-its-kind tool, providing recommendations on how best to secure software throughout the development process.

As malicious actors increasingly target vulnerabilities in software to attack critical networks and systems, software security has emerged as an urgent priority, said BSA.

Software developers, their customers, and policymakers need tools to describe, assess and encourage security across the entire software lifecycle, from its development to the end of its life, and although some standards and guidelines exist, said BSA, until now there has been no framework that articulates best practices in a way that can be specifically described and effectively measured across diverse development environments, software types and coding languages.

The new framework tackles complex security challenges through an adaptable and outcome-focused approach that is risk-based, cost-effective and repeatable, said BSA.

The framework is designed to describe baseline security outcomes across the software development process, the software lifecycle management process, and the security capabilities of the software itself.

“BSA’s framework is the first to offer a holistic approach to software security for software companies, their customers, and policymakers,” said Victoria Espinel, president and CEO of BSA | The Software Alliance.

“To secure the digital ecosystem effectively, we need a way to evaluate software security that is meaningful enough to protect software against malicious exploitation, and flexible enough to consider all of software’s nuanced types and characteristics. Otherwise, we risk disrupting innovation or failing to keep pace with rising cyber security threats.”

Past cyber attacks have clearly shown that software vulnerabilities are often the key entry point for attackers, and many in the information security industry consider secure software as essential to the further development of emerging technologies around artificial intelligence (AI), 5G networks and devices making up the internet of things (IoT).

“BSA is to be commended for creating a software security framework that integrates technical, policy, management and risk considerations in a form that will be useful to development organisations across a wide range of sizes and technologies,” said Steve Lipner, executive director of the Software Assurance Forum for Excellence in Code (SAFECode).

“SAFECode and its members are happy to have worked with BSA during the development of the framework and we are very pleased with the end result. We strongly encourage organisations to consider adoption of the framework.”

The Framework for Secure Software is intended to help software development organisations:

• Describe the current state of software security in individual software products.
• Describe the target state of the software security in individual software products.
• Identify and prioritise opportunities for improvement in development and lifecycle management processes.
• Assess progress toward the target state.
• Communicate among internal and external stakeholders about software security and security risks.

BSA said the framework is intended to be relevant to all types of software, from installed programs to software as a service, as well as all types of development processes, from waterfall to DevOps.

As innovations continue to drive rapid evolution of software practices, said BSA, the framework is intended to remain a living document, to be updated and improved based on ongoing feedback and technical developments.