BALTIMORE, MD. Industry officials on Wednesday laid out the structure of a “framework” for secure software development that is based on the National Institute of Standards and Technology’s framework of cybersecurity standards, saying it will be “universally applicable” to all types of software.
“What we are trying to do at BSA is build upon our position of representing all these great enterprise software companies that pioneer secure development lifecycle, learn from their experiences, draw upon their best practices, and capture them in a framework that brings together how they are integrating security in every stage of software development and maintenance, but also look at the concerns of policy developers and consumers that are looking for that around software security,” Tommy Ross, senior director of policy for BSA|The Software Alliance, said at a session on secure software at NIST’s “Cybersecurity Risk Management Conference” here.
Ross described the framework as “notional,” telling Inside Cybersecurity after the panel that he and other partners on the software framework are “sprinting” to publish a draft by “the first quarter of next year.”
“Where we are is at a point of filling in the empty boxes, pieces of the framework where we are continuing to wrestle with, it’s not quite ready for prime time,” Ross said during the session. “We divided it into functions, categories, subcategories, we’ve added the diagnostic statement…and basically what we are trying to do is build out from the highest level of detail down to diagnostic statements that are meant to be specific, measurable, to determine whether the software is meeting this particular benchmark.”
The framework will feature three “functions”: secure development, secure capabilities, and secure lifecycle. Each function contains multiple categories. The secure development function includes secure coding, testing and verification, process and documentation, supply chain, and tool chain. The secure capabilities function includes categories on support for identity and access management, patchability, encryption, authorization and access controls, logging, and secure failure. Lastly, the secure lifecycle function includes categories around vulnerability management and configuration.
“Our intent here is to fill in those blanks with diagnostic statements that achieve a level of detail that are detailed enough to be meaningful, but also retain flexibility for developers to use different coding languages, adopt different technical approaches, based on risk, based on threat modeling, and understanding the attack surface of their software,” Ross said. “It is technology neutral, it does not demand that any specific technical approach be adopted to solve a particular challenge, just that the desired outcome for security is obtained. Finally, it is aligned with international standards.”
Angela McKay, the director of Cybersecurity Policy and Strategy for Microsoft, said she hopes that once the framework is “fleshed out,” it will “create flexibility” for those organizations that use it.
“We need to get the basics down, this is a set of organizations working through BSA to help communicate those things that we’ve learned,” McKay said. “We have to get the block and tackle and the basics done.”
Ross added that “our intent with this is it remains a living, breathing process, and we are able to build in best practices as they gain consensus,” including potentially “tailoring this to specific types of software, especially as software grows…we’re trying to get a little bit ahead of the curve now, we are wrestling with establishing benchmarks in places where there is not necessarily raw consensus, supply chain risk management is one.”
Ross emphasized the need to put the basics of the framework “together now” so there is the ability to build on this in the future.
-- Maggie Miller