The global phenomenon of digital transformation is dramatically shifting the ways businesses operate, the way they engage with customers, and the way in which they develop and deliver new products to address dynamic market shifts. One of the key enablers of digital transformation is software, which is the main reason why secure software development has attracted so much attention lately. Governments, industry organizations, and leading global corporations are racing to define best practices and deliver development and security frameworks that will enable developers to not only keep up with the changing landscape, but to deliver a new class of products and digitized processes that are safe, secure, and efficient.
Organizations like the U.S. National Institute of Standards (NIST), BSA Software Alliance, Industrial Internet Consortium, and a host of others have already published frameworks and best practice documents to help guide secure development efforts. Here is a brief overview of some of the documents that are readily available now and being updated on an ongoing basis:
BSA Framework for Secure Software BSA | The Software Alliance has recently released The BSA Framework for Secure Software, a consolidated framework that brings together best practices in a detailed, yet holistic manner, which can guide software security experts regardless of the development environment or the purpose of the software. The framework offers an outcome-focused, standards-based risk management tool to help stakeholders in the software industry – developers, vendors, customers, policy makers, and others – communicate and evaluate security results associated with specific software products and services. Notably, Version 1.1 of the framework fully maps to the NIST “Secure Software Development Framework,” providing organizations a convenient tool to demonstrate their alignment with this NIST guidance.
NISTSecure Software Development Framework NIST Secure Software Development Framework (SSDF), which is modeled after their Cybersecurity Framework, recommends a core set of high-level secure software development practices that can be integrated within each Software Development Lifecycle (SDLC) implementation. With the exception of the Secure Software Lifecycle (Secure SLC) standard developed by PCI Security Standards Council, few software development lifecycle models explicitly address software security in detail. NIST drafted and shared the SSDF for comment in June 2019 and released an update in April 2020.
Payment Card Industry Software Security Framework The Payment Card Industry (PCI) Software Security Framework (SSC) is a collection of standards and associated certification programs that demonstrate good, consistent security to protect payment data. There are two standards that have been developed as part of this framework and were published in January 2019. The SSC outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The Secure Software Lifecycle (Secure SLC) Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.
Building Security In Maturity Model The Building Security In Maturity Model (BSIMM) is a multi-year study of real-world software security initiatives (SSIs) organized to allow developers to determine where they stand with their software security initiative and how to evolve those efforts over time. BSIMM provides guidance for secure operations (such as penetration testing, software configuration, configuration management, and vulnerability management) during deployment. By quantifying the practices of many different organizations, they can describe the common ground shared by many as well as the variations that make each unique. Because these initiatives use different methodologies and different terminology, the BSIMM requires a framework that can describe any initiative in a uniform way. The software security framework (SSF) and activity descriptions provide a common vocabulary for explaining the salient elements of an SSI, thereby allowing developers to compare initiatives that use different terms, operate at different scales, exist in different parts of the organizational chart, operate in different vertical markets, or create different work products.
Industrial Internet Consortium Industrial Internet Security Framework The evolution of the Internet of Things includes the emergence of smart electrical grids, connected healthcare devices and hospitals, intelligent transportation, smart factories, and other cyber-physical systems. This collection of objects, devices, and sensors connected via software solutions continues to grow into the billions. As a result, enterprises large and small are at risk of being attacked from unexpected sources both inside and outside the system, whether intended or accidental. It represents a major threat to world safety and security. The Industrial Internet Consortium (IIC) believes that addressing this challenge is critical to the success of the Industrial IoT, Industrie 4.0, and the Industrial Internet revolution. To that end, IIC members have developed a common Industrial Internet Security Framework (IISF) and an approach to assess cybersecurity in IIoT systems.
If you are involved in developing products and processes that support digital transformation, or just on the periphery, it is a good plan of action to stay aware of these standardization efforts and make software security an integral part of your development and commercialization routine.
Co-founder of WIBU-SYSTEMS AG, President and CEO of WIBU-SYSTEMS USA
Marcellus Buchheit earned his Master of Science degree in computing science at the University of Karlsruhe, Germany in 1989, the same year in which he co-founded Wibu-Systems. He is well known for designing innovative techniques to protect software against reverse-engineering, tampering, and debugging. He speaks frequently at industry events and is an active member of the Industrial Internet Consortium. He currently serves as the President and CEO of Wibu-Systems USA Inc.