The BSA Framework for Secure Software is a new tool to describe and assess security outcomes for software products and services, built on established best practices and the experiences of some of the world's leading software developers. The Framework is a living document that will be updated based on feedback from the GitHub community and other stakeholders.
Software security is essential to cybersecurity; attackers continually exploit flaws in software to access and manipulate sensitive networks and information. Currently, no detailed, measurable benchmark exists to assess the security of a software product or service. Several national and international standards describe specific attributes of software security, such as identity management or encryption, and best practice literature describes secure development lifecycle practices and other relevant techniques. However, no existing benchmark provides a holistic treatment of software security covering both the processes of developing and maintaining software throughout its lifecycle and the specific security capabilities of a product or service. BSA | The Software Alliance, whose members develop some of the most widely used software in the world, has developed a software security framework for standardizing and assessing software security.
The BSA Framework for Secure Software is a first-of-its-kind tool for understanding and assessing security of software products and services using a risk-based, outcome-focused methodology that applies broadly to diverse types of software, software development processes, and coding languages. The framework is intended to provide developers, customers, and policymakers with a new tool to understand, assess, and ensure minimum security measures in software products and services.
More details about the Framework can be found on BSA’s website at https://www.bsa.org/reports/bsa-framework-for-secure-software. Below are answers to key questions about this project, including information on providing input.
What is the Framework’s objective?
The Framework is a tool to enable stakeholders to discuss and assess the security of software products and services using a risk-based, outcome-focused methodology that applies broadly to diverse types of software, software development processes, and coding languages. It fills a significant gap in cybersecurity policy, given that there are currently no widely recognized, detailed standards, benchmarks, or policies articulating security baselines for broad classes of software products and services.
Who is the target audience?
The Framework provides specific, measurable statements about desired security outcomes that are detailed enough to provide meaningful guidance to software developers, cybersecurity professionals, and other key stakeholders. While it is not intended to provide detailed instructions to software developers on how to confront specific security challenges, it provides an overall framework for structuring secure development lifecycles, identifying and applying security controls, assessing the security capabilities and features of individual products and services, and managing security after software is deployed. Moreover, the framework aligns specific guidance to informative references and standards that provide additional technical details about approaching security challenges.
How is it different from other software security guidance?
Several national and international standards describe specific attributes of software security, such as identity management or encryption, and best practice literature describes secure development lifecycle practices and other relevant security techniques. No existing benchmark, however, provides a holistic treatment of software security considerations covering both the processes of developing and maintaining software throughout its lifecycle and the specific security capabilities of a product or service. The BSA Framework fills this gap, while aligning with existing best practice literature and other informative resources wherever they exist. In particular, the Framework is aligned with ISO/IEC 27034 as well as popular guidance documents like the Building Security In Maturity Model (BSIMM) and the Software Assurance Maturity Model (SAMM).
How should the Framework be used?
The Framework is intended to be used to help software development organizations: (1) describe the current state of software security in individual software products; (2) describe the target state of software security in individual software products; (3) identify and prioritize opportunities for improvement in development and lifecycle management processes; (4) assess progress toward the target state; and (5) communicate among internal and external stakeholders about software security and security
Specifically, software developers may find the Framework to be a useful tool to inform development process guidance; to develop internal training and education programs on key responsibilities and methodologies in the software development lifecycle; to track a product as it is developed or to assess its security profile according to concrete metrics; to guide acquisition of third-party software components; to enable constructive discussions between developers and their customers about the security profile of a software project; or to help communicate information about a product’s security features and its approach to mitigating cybersecurity risk to a public audience.
How can you contribute?
BSA has published Version 1.0 of the Framework for Secure Software. The Framework is intended to be a living document, to be updated based on ongoing feedback from key stakeholders, including software developers, their customers, and policymakers. BSA is eager to receive feedback from the GitHub community on the scope, substance, and implementation of the Framework. Please create an issue or a pull request to participate.
© 2019 BSA | The Software Alliance