The ability to assess and communicate the security of software is increasingly important to both suppliers and customers. Two years ago, BSA | The Software Alliance launched a first-of-its-kind tool to describe, evaluate, and encourage security throughout the software lifecycle. At the time, governments around the world were considering initiatives to enhance cybersecurity, from certifications for IT products and services in the EU to efforts to combat botnets in the US. Although policymakers were having important conversations about security, missing from efforts focused on software security was a holistic framework that could help government, industry, and academic stakeholders communicate and evaluate desired security outcomes throughout the software lifecycle, from development to end-of-life.
Our members are leaders in software security and have pioneered many of today’s leading security practices, so it made sense for BSA to focus our efforts on closing this gap. We launched the BSA Framework for Secure Software in April 2019 and released an update last year. The Framework builds on industry best practices, internationally recognized security standards, and government guidance to provide a common organization and structure to software security’s complex challenges and different technical approaches.
The Framework considers both the process by which a software product is developed and managed, and the security capabilities of the software product itself. The Framework covers three core functions:
- Secure Development, covering security practices in the pre-market phase of a product.
- Secure Capabilities, focusing on the security characteristics of a particular product.
- Secure Lifecycle, outlining security considerations throughout a product’s entire life.
The Framework can be tailored to the entire spectrum of software vendors, development methods, and products because it takes a risk-based, outcome-focused, and adaptable approach that combines the individual aspects of software security into a comprehensive, lifecycle-long scheme. Version 1.1, released last year, maps the Framework to the recently released NIST Secure Software Development Framework (SSDF), which in turn maps back to the BSA Framework.
In the two years since launching the Framework, software security has become more important than ever. Software is at the core of today’s digital ecosystem, powering everything from our nation’s critical infrastructure to personal IoT devices. Improving software security is an urgent and essential task. The Framework is one tool to encourage sound security policies that will improve the resiliency of software as well as the networks, devices, services, and ultimately users that depend on it.