Software is powering much of the world today, from the largest computing machines to the smallest devices that can fit on a computer chip. That means there is a greater opportunity than ever for security breaches. As any end user knows, even the highest quality software can come with vulnerabilities.
The risk of breaches and data theft becomes even greater as more and more devices and sensors are connected via the Internet of Things (IoT) and edge computing. These smart, connected things can represent entry points for a variety of attackers. Add in IT elements such as mobile end-user devices, artificial intelligence (AI) and machine learning, advanced analytics, blockchain, etc., and there are countless ways in which software can become a weak link in the security chain.
Fortunately, efforts are underway to bolster the security of software. One example is a new framework for secure software recently developed by BSA—The Software Alliance, a leading advocate organization for the global software industry.
“Developments over the last several years have resulted in the dramatic expansion of software-powered capabilities, from traditional computers and industrial control systems into diverse personal devices, widely deployed sensors, smart appliances, connected vehicles, robotic systems, and beyond,” the association said.
These innovations are driving the creation of a new, connected digital economy and can yield tremendous economic and social benefits, BSA said. But because these technologies also have the potential to create economic, legal, and physical risk, software developers need to build software securely and ensure that it can be securely maintained throughout its lifecycle.
The framework is the first of its kind, BSA said, a “flexible and holistic approach” to guide and assess software security. As malicious actors increasingly target vulnerabilities in software to attack critical networks and systems, software security has emerged as an urgent priority, the organization said in announcing the framework.
Software developers, end users, and policymakers need tools to describe, assess, and encourage security across the entire software lifecycle, from development to end of life, BSA said. While standards and guidelines are available to aid and inform developers in achieving these goals, there has been no consolidated framework that brings together best practices in a way that can be effectively measured, regardless of the development environment or the purpose of the software, BSA said.
Now, apparently, there is. The BSA Framework for Secure Software is designed to address complex security challenges through an adaptable approach that is risk-based, cost-effective, and repeatable, the alliance said. The framework describes baseline security outcomes across the software development process, the software lifecycle management process, and the security capabilities of the software itself.
The intent of the framework is to provide the entire software industry with a comprehensive, adaptable, and relevant model for software security. By adopting a flexible, outcome-focused approach rooted in industry best practices and international standards, BSA said, the framework is structured to be applicable to the entire spectrum of software development organizations and vendors; software development methods; and software products.
To effectively secure the digital ecosystem, organizations need a way to evaluate software security that’s effective enough to protect software against malicious exploitation and flexible enough to consider all of software’s nuanced types and characteristics, noted Victoria Espinel, president and CEO of BSA—The Software Alliance.
“Otherwise we risk disrupting innovation or failing to keep pace with rising cyber security threats,” Espinel said.
The framework is intended to help software development organizations describe the current state of software security in individual software products; describe the target state of the software security in individual software products; identify and prioritize opportunities for improvement in development and lifecycle management processes; assess progress toward the target state; and communicate among internal and external stakeholders about software security and security risks.
The model is also designed to be relevant to all types of software, BSA said, from installed programs to cloud-based software-as-a-service (SaaS) offerings. It also is meant to apply to all types of development processes, from waterfall to DevOps, and to consider both the process by which a software development organization develops and manages software products, and the security capabilities of those products.
“It is intended to complement, rather than replace, guidance for organizational risk management processes,” the organization said. “To the greatest extent possible, it seeks alignment with recognized international standards and to remain flexible, adaptable, outcome-focused, and risk-based.”
With innovations continuing to drive the rapid evolution of software practices, the organization said, the framework will act as a living document to be updated and improved based on ongoing feedback and technical developments.
“As software becomes increasingly central to our lives, making it secure and reliable becomes ever more critical in the face of an evolving and expansive cyber security threat landscape,” BSA said.