When BSA released its Framework for Secure Software last year, we promised the Framework would be a living document, updated to incorporate the most current guidance on combatting threats to the software ecosystem. Today, we are making good on that promise with an update to the Framework that brings new focus to mitigating rapidly growing risk in the software supply chain.
The software supply chain is as complex as a traditional manufacturer’s supply chain, and it carries numerous risks. One significant risk is the presence of dozens or hundreds of third-party components and subcomponents sourced from different vendors and open source projects across the globe. Another is the sensitive development environment in which those components are assembled and tested. The software supply chain is also exposed to tampering, counterfeiting, and other malicious activity. In the last few years, attackers have increasingly targeted the software supply chain: attempting to compromise development environments, insert malware into components, and exploit weaknesses in lifecycle maintenance processes such as patching.
These growing risks demand that software developers intensify their attention to defending the supply chain. BSA’s original Framework established a clear set of best practices to manage third-party components, prevent counterfeiting and tampering, promote secure configurations and updates, and secure development tools. As attackers change their methods, Version 1.1 of the Framework raises the bar, establishing new guidelines for securing development environments against unauthorized access.
Another key development in this update is that Version 1.1 fully maps the Framework against the National Institute of Standards and Technology (NIST)’s Secure Software Development Framework (SSDF), published earlier this year. The SSDF is one of the world’s first government-issued sets of guidelines for software security, and it already cites BSA’s Framework among its informative references. Version 1.1’s alignment with the SSDF gives software industry stakeholders (developers, vendors, customers, and policymakers) who want to communicate or evaluate how a software product or service aligns with the SSDF an easy tool for doing so. It offers more specific, comprehensive guidance for implementing the practices and tasks outlined in the SSDF, with additional informative references to help practitioners gain insight into specific technical considerations.
Together, these updates keep the BSA Framework for Secure Software at the cutting edge of software security. For both software developers and their customers, ensuring that the software used in products and services has been developed using these best practices becomes more important every day.
The updated BSA Framework is the most comprehensive tool available that provides detailed, measurable guidance to software stakeholders to address security throughout the software development lifecycle, as well as security characteristics built into software products and services themselves. We’re eager to engage with stakeholders in a variety of roles to explore how the Framework can best be put into practice.
As BSA has emphasized elsewhere, secure software is essential to facing many of the most prominent challenges to the cyber environment, including defending supply chains, securing 5G networks, and addressing threats to the Internet of Things. BSA’s updated Framework for Secure Software offers a tool to help developers, users, and other stakeholders establish trust in the software that is the fundamental building block for these vital technologies.
Learn more about BSA’s cybersecurity initiatives at bsa.org/cybersecurity.