A Fresh Look at Secure Software Development

Software-driven innovations are being fueled by the emergence of smart things - devices, automobiles, factories, cities - all of which impact nearly every aspect of our personal lives and businesses. The connected economy offers tremendous economic and social benefits. However, it also introduces an unprecedented level of security risks, from theft of personal data to threats to human lives. While software itself is becoming increasingly complex, the onus is on software developers to build secure applications that can withstand ubiquitous hacking attempts and ensure that it can be securely maintained throughout its lifecycle.

The dangers that lurk within the realm of software security have received global attention, yet it has been difficult for the industry to agree upon a set of best practices and common development standards. Several organizations, including, BSIMM, OWASP, and National Institute of Standards and Technology, have put forth documents outlining their proposals for development standards. On the industrial side, the Industrial Internet Consortium published the Industrial Internet Security Framework, a common security outline and an approach to assess cybersecurity in Industrial Internet of Things systems.

Just recently, BSA | The Software Alliance published their own viewpoint with The BSA Framework for Secure Software: A New Approach to Securing the Software Lifecycle. Before diving into the report, it is helpful to understand their definition of software security:

Software security encompasses what a software development organization does to protect a software product and the associated critical data from vulnerabilities, internal and external threats, critical errors, or misconfigurations that can affect performance or expose data.

The organization says that the Framework is intended to establish an approach to software security that is flexible, adaptable, outcome-focused, risk-based, cost-effective, and repeatable. The document provides a common organization and structure to capture multiple approaches to software security by identifying standards, guidelines, and practices that can help software development organizations achieve desired security outcomes while accounting for the wide spectrum of intended uses, risk profiles, and technological solutions among software products.

The guidelines are applicable to the entire spectrum of (1) software development organizations and vendors, from the individual entrepreneur to large-scale, multi-national businesses; (2) software development methods, from traditional to DevOps; and (3) software products, from simple IoT sensors to complex Artificial Intelligence algorithms.

Specifically, the BSA states that the goals of the Framework are to help software development organizations:

1. Describe the current state of software security in individual software products.
2. Describe the target state of software security in individual software products.
3. Identify and prioritize opportunities for improvement in development and lifecycle management processes.
4. Assess progress toward the target state.
5. Communicate among internal and external stakeholders about software security and security risks.

The Framework identifies best practices relating to both organizational processes and product capabilities across the entire software lifecycle. It is organized into six columns: Functions, Categories, Subcategories, Diagnostic Statements, Implementation Notes, and Informative References.

If you are a software developer, you will find the 40-page document to be a good read and a mechanism for assessing your own software security practices.

You might also be interested in our upcoming Webinar on May 15, The Fastest Way to Protect Your Know-How, which will provide an overview of our complete family of IP protection tools that you can integrate easily into your software