Today, BSA | The Software Alliance launched the BSA Framework for Secure Software. This first-of-its-kind tool will enable the software industry, its customers, and policymakers to describe, assess, and encourage security throughout the software lifecycle in a specific, meaningful way.
Software-based cyber threats are on the rise – the Ponemon Institute reported that 77% of cyberattacks in 2017 exploited vulnerabilities in software already installed on the target system. Moreover, the financial damages inflicted by recent cyberattacks, such as NotPetya and WannaCry, which cost the global economy billions of dollars and imperiled critical infrastructure, highlight the importance of securing software products and services.
Stakeholders all over the world are having important conversations about security, with a focus on how to design and develop secure software. However, there is currently no holistic framework that addresses both secure software development processes and the security outcomes that matter most. The BSA Framework for Secure Software fills this gap in today’s security guidance.
The Framework is built on a foundation of widely recognized industry best practices, including many pioneered by BSA members, and aligns with internationally recognized security standards wherever they exist. Its structure is modeled on the National Institute of Standards and Technology’s widely acclaimed Cybersecurity Framework, creating a methodology to assess organizational processes and product security capabilities that is risk-based, outcome-focused, flexible, and adaptable.
The Framework is centered on five key principles:
- Risk-based. The Framework encourages security assessments based on risk because different types and uses of software carry different risks. An understanding of risk provides organizations with information to efficiently prioritize security activities.
- Outcome-focused. The Framework articulates best practices through specific, measurable outcomes without prescribing particular technologies or security techniques, so it can be applied across the wide variety of programming languages, development processes, and technical approaches in use.
- Flexible. The Framework allows software developers to create new solutions to new security challenges through its technology-neutral approach and recognition that organizations will apply the guidance according to the risk profile of each different product or service.
- Adaptable. The Framework is designed to keep pace with constantly evolving software development environments. Because it evaluates software security by outcomes rather than by mandating specific technical methods, its guidance remains relevant across the full spectrum of development processes and products as they change.
- Aligned with Internationally Recognized Standards. The Framework seeks to align, to the greatest extent possible, with internationally recognized standards to encourage international interoperability and express consensus best practices.
The Framework provides the software industry and international policymakers with a dynamic and effective tool for measuring and encouraging security throughout the software lifecycle. BSA looks forward to working with companies, governments, and other stakeholders to ensure the Framework helps protect software products and services against today’s, and tomorrow’s, threats.
Learn more about BSA’s cybersecurity initiatives at bsa.org/cybersecurity.