Securing Software in the Digital Age: BSA Software Security Framework
Image source: Adobe Stock / SIAMRAT.CH.
by David Lenoe
posted on 04-30-2019
On April 30, BSA|The Software Alliance, a trade association that represents major software companies, introduced the BSA Software Security Framework, a consolidated framework that brings together the best practices of software security in an effectively measured and common sense way.
In today’s world, security is top of mind for every organization – in fact, a recent study showed cybersecurity is the number one business concern for CEOs in the United States. This concern is largely driven by the changing technological landscape. Innovations over the past few years have paved the way for an explosion of software-powered capabilities, from traditional computers to mobile and IoT devices including everything from connected cars to smart sensors.
These developments have helped create a connected digital economy but have also increased the attack surface for cyber criminals looking to take advantage of the vulnerabilities in the software-based systems that define our modern world.
As software becomes increasingly central to our lives, making it secure and reliable becomes even more critical in the face of an evolving and expansive cybersecurity threat landscape. While there are many helpful guidelines, standards and best practices around building secure software, the rapid developments of recent years demand a more holistic, “outcome-based” framework that brings together best practices in an environmentally agnostic fashion.
As we navigate this landscape, education becomes increasingly crucial for both technical audiences and the policymakers who may codify these processes into law. The BSA Framework will serve as an explanatory tool for both policymakers who need to understand this complex and shifting environment before creating legislation to govern it, and enterprises on their cybersecurity journeys, that will benefit from the key learnings and best practices from the major software companies, like Adobe, that have contributed to the Framework.
Adobe has been creating software for over three decades and joined SAFECode (the Software Assurance Forum for Excellence in Code) in 2009 to help promote best practices in secure software development. Working to advance security across the tech industry is a core focus for the Adobe Security team. In fact, in my role at Adobe I also serve as a board member of SAFECode, a non-profit organization exclusively dedicated to increasing trust in information and communications technology products and services through the advancement of effective software assurance methods.
For the creation of this Framework, Adobe contributed by providing expertise on technical and engineering topics and sharing Adobe’s Secure Engineering Overview as one of the core documents that informed the Framework.
Both SAFECode and BSA serve as conveners – bringing together technical and policy experts to craft comprehensive, thoughtful guidelines for companies to implement today, and to inform tech legislation in the future. The BSA Framework specifically is intended as a tool to create a common language for discussions about how to approach software security, enabling stakeholders and organizations to describe how they approach a specific security outcome, and which outcomes are most relevant to their product or environment.
For example, regarding software patching – the Framework includes the following diagnostic statement:
- 1-1. Software is capable of validating the integrity of a transmitted patch or update.
This is a simple, but very important goal, and can be challenging to achieve. The outcomes specified in this diagnostic statement link to additional material providing further instruction on achieving the outcome, including references that give implementation guidance for various software products and environments. By focusing on secure outcomes, the Framework avoids mandating specific technical approaches that may not apply to certain products or environments, and instead establishes clear security outcomes that are targeted and meaningful but flexible. This approach allows all companies to thoughtfully consider and approach software security, regardless of their technical environment or the products they’re building.
The framework’s potential
The Framework does a masterful job of incorporating expertise and insight from both technical and policy experts. Not only did the BSA team work closely with technical experts from its member companies and leading industry groups like SAFECode, they also actively connected with policy experts in D.C. to help ensure they were bringing both perspectives together as they drafted the Framework.
Another crucial element of the Framework that some might take for granted is its close alignment with internationally recognized standards. While it’s easy to disregard standards and compliance regulations as a “check the box” exercise, at Adobe, we see meeting these standards as a way to communicate our security posture to customers in a reliable, mutually understood way – which is a huge priority for them, and provides peace of mind around this highly stressful topic. Aligning with standards on an international level is incredibly useful for all companies – especially when it comes to SaaS products and environments.
This Framework will help governments with their regulatory efforts in security for years to come as software has an ever-greater impact on the lives of their citizens. It’s an incredible example of the good that comes when industry and government work together to develop solutions that can be impactful and long lasting.
Looking to the future
With increasing heterogeneity in software environments as enterprises pursue digital transformation, transitioning to the public cloud, developing applications for IoT devices and more, security continues to be a challenge. This is something that we at Adobe know first-hand from our work transitioning to the cloud and delivering SaaS-delivered products.
The tech industry and government are working hard to address and help combat these security challenges in a myriad of ways. For instance, Adobe is working to provide “security by default” across all our environments, so that both developers and customers are even more secure from the get-go thanks to thoughtful configurations implemented before they even enter the environment.
However, to help ensure protection against the ever-growing threat landscape, we’ll need cooperation and collaboration between policymakers and leaders within the tech industry. BSA’s Software Security Framework represents a great start in helping ensure a secure future that brings together both sides of this equation. I encourage those who care about software security, both in government and the private sector, to join our efforts in supporting this framework.
Topics: Community, Data & Privacy, Public Policy