A revised, industry-crafted framework for software security offers more guidance on addressing supply-chain threats and maps to NIST’s recent work on the topic, according to Tommy Ross of BSA -- The Software Alliance, who said the tool is increasingly important as risks grow and government policymakers reach for solutions that could include regulation.
“There has been a steady uptick in threats to the software supply chain, which has increased the focus on securing the development environment,” Ross, BSA’s senior director for policy, told Inside Cybersecurity. And, he said, NIST in the spring produced “one of the first government-issued software security frameworks in the world,” and BSA wanted to enable “clear-cut conversations” about how the industry group’s framework “lines up with what the U.S. government says.”
The two frameworks are “similar and certainly aligned,” Ross said, noting both are risk- and security outcome-based. “We want to continue the conversation on software security and we’re excited to see NIST in this space.”
The group on Tuesday released version 1.1 of “The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle.” The first version was issued in April 2019, and Ross noted that the group pledged at the time to keep it a living document.
“This updated framework includes crucial changes to strengthen criteria for securing software supply chains and better align with relevant guidance,” BSA said in a statement. “Specifically, the new framework is fully mapped to the National Institute for Standards and Technology (NIST)’s Secure Software Development Framework (SSDF), providing software developers an accessible tool to implement the SSDF. Moreover, it incorporates more robust guidance on securing development environments to prevent supply chain attacks.”
BSA said, “The Framework is intended to guide development lifecycles for all types of software, from installed programs to Software-as-a-Service, as well as all types of development processes, from waterfall to DevOps. The Framework is a living document and will continue to be updated and improved based on ongoing feedback and technical developments.”
According to BSA, the updated framework is intended to help:
- Software development organizations describe the current state and target state of software security in individual software products and services;
- Software development organizations identify opportunities for improvement in development and lifecycle management processes, and assess progress toward target states;
- Software developers, vendors, and customers communicate internally and externally about software security; and
- Software customers evaluate and compare the security of individual software products and services.
NIST in April completed a white paper detailing the Secure Software Development Framework, a core set of high-level secure development practices that organizations and developers can follow throughout the software lifecycle.
A working group of the National Telecommunications and Information Administration’s software transparency initiative is developing playbooks to assist organizations in developing their own software bill of materials specific to their business needs. The next full stakeholder meeting in the NTIA “SBOM” initiative is scheduled for Oct. 23.
BSA has been deeply engaged in the NTIA process and strongly supports the NIST work, Ross said, but he also cited emerging steps on software security by “governments around the world, not all of them helpful.” The BSA framework is intended “to provide a tool for outcome-based assessments of cybersecurity,” as an alternative to regulation, Ross said.
Government-mandated controls “are not agile enough to keep up with the constantly evolving state of software,” Ross said. “We want to make sure policymakers have tools that work.” -- Charlie Mitchell