Transcription

SEPTEMBER 2020, VERSION 1.1

The BSA Framework for Secure Software
A New Approach to Securing the Software Lifecycle

www.bsa.org

CONTENTS

I. Executive Summary . . . 1
II. Introduction . . . 2
    Defining “Software Security” . . . 4
    Framework Basics . . . 6
    Framework Purpose . . . 8
    Guiding Principles . . . 8
    Implementing the Framework for Secure Software . . . 12
    Conclusion . . . 13
III. BSA Framework for Secure Software . . . 14
IV. References . . . 35
    Definitions . . . 35
    Acronyms . . . 36
    Sources . . . 37

I. Executive Summary

Developments over the last several years have resulted in the dramatic expansion of software-powered capabilities from traditional computers and industrial control systems into diverse personal devices, widely deployed sensors, smart appliances, connected vehicles, robotic systems, and beyond. These innovations are driving the creation of a new, connected digital economy and can yield tremendous economic and social benefits. Yet, because these technologies also have the potential to create economic, legal, and even physical risk, software developers must have the joint goals of building software securely and ensuring that it can be securely maintained throughout its lifecycle.

Software development organizations, their customers, and policymakers are increasingly seeking ways of assessing and encouraging security across the software lifecycle. While standards and guidelines exist to aid and inform developers in achieving these goals, there is no consolidated framework that brings together best practices in a manner that can be effectively measured, regardless of the development environment or the purpose of the software. BSA | The Software Alliance has developed The BSA Framework for Secure Software (the “Framework”) to fill that gap.

Specifically, the Framework is intended to be used to:

(1) help software development organizations describe the current state and target state of software security in individual software security products and services;
(2) help software development organizations identify opportunities for improvement in development and lifecycle management processes, and assess progress toward target states;[1]
(3) help software developers, vendors, and customers communicate internally and externally about software security; and
(4) help software customers evaluate and compare the security of individual software products and services.

The Framework is intended to focus on software products (including Software-as-a-Service) by considering both the process by which a software development organization develops and manages software products and the security capabilities of those products. It is intended to complement guidance for overall organizational risk management processes. To the greatest extent possible, it seeks alignment with recognized international standards and to remain flexible, adaptable, outcome-focused, and risk-based.

The Framework is intended to be a living document, updated and improved based on ongoing feedback from BSA’s members and other relevant stakeholders.

[1] Version 1.0 of the Framework was originally released April 29, 2019.

II. Introduction

Modern society is built on software. Software powers personal technologies, critical infrastructure, scientific research, and industries across every sector. It drives emerging innovations such as the Internet of Things (IoT), blockchain, and artificial intelligence (AI). As software becomes increasingly central to our lives, making it secure and reliable becomes ever more critical in the face of an evolving and expansive cybersecurity threat landscape.

From within the software community, best practices are emerging that help software developers address important aspects of software security, including security-by-design principles, secure development lifecycle processes, and internationally recognized standards for key security elements such as identity management, encryption, and secure coding. Although attention to each specific security consideration can achieve marginal security gains, effective security requires a comprehensive and risk-informed approach that combines individual considerations into a holistic, lifecycle-long framework. And a comprehensive approach must be tailored to address the nuanced, diverse, and evolving challenges associated with different types of software and connected devices, from the “bare metal” to the most advanced.

Building on best practices pioneered by many of its members, BSA | The Software Alliance has developed a software security framework to bring consistency to these complex challenges. The BSA Framework for Secure Software is intended to establish an approach to software security that is flexible, adaptable, outcome-focused, risk-based, cost-effective, and repeatable. Eschewing a one-size-fits-all solution, this voluntary framework will provide a common organization and structure to capture multiple approaches to software security by identifying standards, guidelines, and practices that can help software development organizations achieve desired security outcomes while accounting for the wide spectrum of intended uses, risk profiles, and technological solutions among software products and services.

Recent technological developments illustrate the increasing ubiquity of software and the need for a flexible, comprehensive software security framework. Software-powered capabilities continue to expand into every corner of personal lives and business activities, including diverse personal devices, widespread sensors, smart appliances, diverse business applications, connected vehicles, and robots. As these capabilities evolve, software development is growing increasingly diverse and complex.

Consider the different ways software is used in several emerging technologies:

Internet of Things

Software is at the core of the IoT, and secure software must be at the core of IoT security. IoT devices have different forms, functions, and levels of complexity. At the low end, some “bare metal” sensors lack even a basic operating system and contain only software code sufficient to perform one or two simple functions. More complex devices may include operating systems, AI algorithms, or the hundreds of millions of lines of code needed to operate many of today’s connected vehicles. How can we achieve confidence in the security of software products across this spectrum?

Software-as-a-Service (SaaS)

Many software applications are now being operated as services from a cloud-based architecture in which code is segmented across multiple container environments, updated constantly and in real time, and accessed via Internet connections rather than installed locally. Some SaaS applications are updated dozens or even hundreds of times each day, with little or no disruption to the user experience. How can we craft a software security framework that accounts for the new technical approaches to software security that SaaS development may demand, while at the same time driving secure outcomes in traditional software development?

Artificial Intelligence

AI also brings new considerations to software development, along with new security challenges. AI software often integrates multiple software components, frameworks, and platforms, potentially introducing new risk with each additional element. Moreover, AI generally must ingest and process enormous data sets, introducing risk through the exposure of the data itself. Combined, these risks demonstrate the importance of software security for AI products. Yet, at the same time, AI products are creating promising new approaches to integrating security into software development. How can we address the risks — and harness the benefits — for security in AI software?

These diverse and constantly evolving software development techniques and products demonstrate the need for an outcome-focused approach that can consistently ensure security across a broad array of technical considerations. Additionally, static, inflexible approaches will either disrupt innovation or fail to keep pace with evolving threats because software is constantly changing.

The intent of the Framework is to provide the entire software industry with a comprehensive, adaptable, and relevant framework for software security. By adopting a flexible, outcome-focused approach rooted in industry best practices and international standards, the Framework is structured to be applicable to the entire spectrum of (1) software development organizations and vendors, whether individual entrepreneurs, large-scale, multi-national businesses, the open source community, or others; (2) software development methods, from traditional to DevOps; and (3) software products, from simple IoT sensors to complex AI algorithms.

Defining “Software Security”

Software security encompasses what a software development organization does to protect a software product and the associated critical data from vulnerabilities, internal and external threats, critical errors, or misconfigurations that can affect performance or expose data. It comprises both organizational processes and product capabilities.

Organizational processes include governance structures, strategies, guidance, and clearly defined procedures that guide the development of software in a manner that identifies and incorporates security objectives throughout a product’s lifecycle, protects the integrity of the development environment, applies resources to incident and vulnerability management, and manages the supply chain that supports the software development project.

Product security capabilities are technical aspects of specific software products that are useful in enabling the products to address common security challenges, such as protecting data, preventing unauthorized access or use, tracking incidents and vulnerabilities, and managing unforeseen events.

Both organizational processes and product security capabilities are vital elements of software security.

Software security is often discussed in relation to software assurance. Software assurance has been defined[2] as the “level of confidence that software is free from vulnerabilities, either intentionally designed into the software or accidentally inserted at any time during its lifecycle, and that the software functions in the intended manner.” It has also been defined[3] as “the development and implementation of methods and processes for ensuring that software functions as intended and is free of design defects and implementation flaws.” While such definitions may suggest that the level of security associated with a given software product could be ascertained simply by measuring the presence and extent of defects or vulnerabilities in its code base, software security is rarely that straightforward.

One challenge is that — at least currently — it is impractical to expect all software code to be entirely free of vulnerabilities. Indeed, according to some estimates, software products currently average roughly 1–5 defects per 1,000 lines of code, with many complex software products incorporating tens or hundreds of millions of lines of code in total.[4] While defect-free code should always be a developer’s goal, it is not a realistic industry standard. Instead, the goal should be the widespread adoption of practices and processes that minimize code defects, and particularly known software vulnerabilities, and to maintain a proactive security posture oriented to identifying and addressing problems before they can be exploited. In fact, researchers have documented substantial improvements in average software defect density among leading software developers through the implementation of secure development lifecycle approaches and other software security best practices.

[2] https://www.hsdl.org/?view&did…
[3] …/03/SAFECode_Fundamental_Practices_for_Secure_Software_Development_March_2018.pdf
[4] https://resources.sei.cmu.edu/asset_files/Webinar/2014_018_100_295971.pdf

A second challenge is that any approach to software security that is distilled into a test or series of tests at a single point in time is inherently flawed. As developers increasingly adopt iterative approaches to development, incorporate third-party components, and face evolving security threats, a software product may change continually and substantially over its lifecycle. Testing methodologies undergo evolution as well; for example, the set of known software vulnerabilities assessed by certain testing methodologies may be frequently updated to include newly discovered flaws. Security is a persistent requirement; while software testing is a critical element of secure development, it is not a stand-in for a sustained, security-focused approach to lifecycle management.

Other models exist for informing or assessing software security. Some of these models, including SAFECode’s Fundamental Practices for Secure Software Development, the Software Assurance Maturity Model, and various secure software development lifecycle methodologies, serve as important starting points for the Framework described in this document. They provide detailed guidance, informed by broad industry best practices, on a wide range of considerations organizations should address to maximize their ability to produce secure software in a verifiable, repeatable, transparent manner. However, in many cases, these guidance documents lack specificity and are primarily targeted toward organizations, focusing almost exclusively on organizational approaches, processes, and methodologies that collectively constitute the input of software development. They offer limited guidance on security considerations in relation to the output of software development; that is, the software product.

SDL GOVERNANCE

The foundation for secure software development is the creation of a culture of security, and an organization’s governance practices are a key contributor to creating such a culture. Because software development organizations are diverse with regard to size, organization, and methods, different governance practices will be more or less effective for different organizations. For example, for larger organizations, measures like identifying a security champion or separating security teams from coding teams may make sense, whereas smaller organizations may be more efficient by collocating security and development roles. Focusing on security outcomes associated with specific software products and services, the Framework does not attempt to establish measurable diagnostic statements to holistically evaluate an organization’s security governance. Nonetheless, implicit in the Framework is a robust commitment to coherent, committed, effective governance practices and processes to guide software development.

Governance includes:
» Building commitment across an organization’s leadership to software security and secure development.
» Establishing clear expectations and standards for integrating security into the software development lifecycle and establishing processes for achieving them.
» Establishing clear policies, as well as processes for elevating and accepting exceptions to those policies based on risk analysis.
» Ensuring every individual involved in software development and software security is aware of his or her role and is prepared to perform it.
» Identifying metrics to enable consistent evaluation and adjustment of secure development lifecycle processes to improve outcomes and integrate lessons learned.

The Framework takes the approach of defining software security by considering both input and output; that is, it includes considerations of organizational processes that guide how vendors approach the development and maintenance of a software product as well as security capabilities and considerations relevant to the product itself. Moreover, it provides this guidance at a level of detail that is specific enough to be measurable, without compromising the flexibility necessary to ensure that all organizations can tailor the guidance according to the type, use, and associated risk of a software product.

The Framework is intended to apply to all types of software. Yet, because of the tremendous diversity in types of software, software development processes, and risks, some security considerations will be more relevant to certain types of software than others. Moreover, organizations will vary in how they customize approaches to achieving the outcomes described in the Framework. The Framework is intended as a tool to create a common language for discussions about how software approaches security, enabling stakeholders to home in on the security outcomes most relevant to the circumstances.
Rather than serving as a box-checking exercise, a common language enables organizations to describe how they approach a specific security outcome or why that outcome may not be applicable to their product.

Framework Basics

The Framework identifies best practices relating to both organizational processes and product capabilities across the entire software lifecycle. It is organized into six columns: Functions, Categories, Subcategories, Diagnostic Statements, Implementation Notes, and Informative References.

Functions organize fundamental software security activities at their highest level, consistent with the software lifecycle. The Functions are:

SECURE DEVELOPMENT: Secure development addresses security in the phase of software development when a software project is conceived, initiated, developed, and brought to market.

SECURE CAPABILITIES: Secure capabilities identify key security characteristics recommended for a software product.

SECURE LIFECYCLE: Secure lifecycle addresses considerations for maintaining security in a software product from its development through the end of its life.

Categories divide a Function into distinct considerations and disciplines relevant to the Function. Many Categories are fundamentally interwoven with other Categories; for example, the “Vulnerability Management” and “Vulnerability Notification and Patching” Categories are conceptually closely related, as successful vulnerability management necessarily involves vulnerability notification and patching. However, the Categories seek to distill best practices into distinct subjects or disciplines; in this example, “Vulnerability Management” provides guidance for organizational processes to identify, prioritize, and mitigate vulnerabilities, whereas “Vulnerability Notification and Patching” identifies best practices for developing and issuing patches, mitigations, and notifications to customers. Categories within the same Function may involve different communities of practice within the software development organization; for example, “Secure Coding” practices may be most relevant to a different part of a software development team than those members responsible for “Supply Chain Risk Management” practices.

Subcategories further divide a Category into distinct, unitary concepts that express identified software security best practices.

Diagnostic Statements identify specific, verifiable outcomes. They provide a set of results that help support achievement of the outcomes in each Category. Diagnostic Statements are not intended as an exhaustive list of best practices, but as a set of desired outcomes that are relevant to enhancing security across as many classes and types of software as possible. The Framework does not intend that every Diagnostic Statement will apply to every development environment or software product. Instead, through an examination of risk, software development organizations will apply the Diagnostic Statements appropriate for their environment and product, and identify cases in which Diagnostic Statements are inapplicable or irrelevant. This approach is consistent with other risk-based frameworks that seek to encourage and guide secure activities while avoiding becoming simple checklists.

Implementation Notes provide additional information, where necessary, such as examples of how organizations may achieve security outcomes described in the Diagnostic Statements, interpretations of how Diagnostic Statements may apply in different development environments, and guidance on aligning implementation with risk.

Informative References are resources that identify and describe best practices, guidelines, or further information for the implementation of an associated Diagnostic Statement. They may describe methods for achieving the described outcome, provide technical specifications or related best practices, and offer further clarity and specificity on the security benefits of the described outcome. Informative References include internationally recognized technical standards, best practice manuals and guidelines, and references to Common Weakness Enumeration (CWE) entries. The current CWE list is maintained at https://cwe.mitre.org/. In some cases, multiple standards may offer alternative approaches to achieve similar outcomes. Similarly, CWE references are drawn from a community-developed taxonomy of software weaknesses that serves as a common language for describing weaknesses and provides a baseline for identification, mitigation, and prevention of such weaknesses. Numerous CWE references may be related in some form to a specific Diagnostic Statement; the Framework attempts to identify the most relevant weaknesses resulting when the Diagnostic Statement is incompletely or improperly addressed. In all cases, Informative References are illustrative and are not intended to be either exhaustive or prescriptive.

The Framework’s Subcategories and Diagnostic Statements are often focused on the individuals and teams that actually develop software. In practice, entities developing software are complex organizations that often include separate software development teams that interact with security teams, corporate governance structures, and external requirements, each of which plays a key role in driving the security outcomes the Framework describes. By “software development organizations,” the Framework intends to address all parts of an organization involved in the design, development, deployment, and maintenance of software, recognizing that each organization must determine how it can assign roles and responsibilities to most effectively achieve desired security outcomes.

There are numerous approaches to software development, with Agile and Waterfall being two of the most common. The Framework does not recommend any specific approach and encourages software development organizations to consider the Categories, Subcategories, and Diagnostic Statements in the context of whatever method they are using.

Framework Purpose

The Framework is intended to be used to:

1. Help software development organizations describe the current state and target state of software security in individual software security products and services.
2. Help software development organizations identify opportunities for improvement in development and lifecycle management processes, and assess progress toward target states.
3. Help software developers, vendors, and customers communicate internally and externally about software security.
4. Help software customers evaluate and compare the security of individual software products and services.

The Framework is intended to focus on software products (including Software-as-a-Service), by considering both the process by which a software development organization develops and manages software products and the security capabilities of products. It is intended to complement, rather than replace, guidance for organizational risk management processes. To the greatest extent possible, it seeks alignment with recognized international standards.

The Framework is intended to become a living document, to be updated and improved based on ongoing feedback from BSA’s members and other relevant stakeholders.

Guiding Principles

The Framework is based on five key principles: Risk-Based, Outcome-Focused, Flexible, Adaptable, and Aligned with Internationally Recognized Standards.

Risk-Based.

Software is enormously diverse, ranging from applications that perform only a few basic functions to highly sophisticated AI programs, and it is used in an enormously diverse array of contexts, from home computing networks to the very backbone of the Internet. The different types and uses of software carry different risks; for example, the software behind a mobile phone game may pose far less threat to cyber or physical security than the software operating an electricity grid’s control system.

To manage the risks associated with software, organizations should build software development processes around careful analysis of the risks associated with their products, the potential resulting impacts, and their organization’s risk tolerance. With an understanding of risk tolerance, organizations can prioritize security activities in their software development and lifecycle management processes, enabling informed decisions about where to prioritize improvements and how to align financial and human resources.

Many elements of the Framework are intentionally structured to provide software development organizations with the flexibility to tailor their approaches based on the risk profile of the product.

Risk informs the Framework throughout its three Functions and is intended to guide software development organizations and vendors to address security considerations in operational processes and product security capabilities according to the level of risk associated with the product.

For example, consider the first Subcategory articulated in the Framework, which reads: “Threat modeling and risk analysis are employed during software design to identify threats and potential mitigations.” This risk analysis is designed to guide software development organizations toward adopting the security controls most appropriate to the type and uses of their products. Understanding of the risk subsequently informs the development of a plan to address security considerations in the software’s development and deployment.

Outcome-Focused.

The Framework communicates best practices in their most detailed form through Diagnostic Statements that identify specific, measurable outcomes. These statements are intended to be neutral with respect to coding language, development process, and technical approach. Rather than dictating specific security techniques, the Framework focuses on the outcomes software development organizations and vendors ideally should achieve to enhance the security profile of the software.

Flexible.

Software development as a discipline is constantly evolving based on innovations in efficiency and management, emerging customer demands, new approaches to coding languages or software development tools, and technical breakthroughs. Moreover, cybersecurity requires constant innovation to keep pace with changing threats. Any approach to software security must be flexible enough to enable software developers to develop new approaches to new challenges, and to deliver innovative products to the customers who depend on them.

The Framework approaches this vital principle by ensuring that it specifies outcomes that are neutral with regard to coding language, development process, and technical approach. Similarly, the Framework recognizes that some Diagnostic Statements may be more important to some organizations than others. For example, companies securing SaaS products will find statements relating to securing containers, such as TC.1-6, more applicable to their software development environment than businesses providing mostly out-of-the-box software. Likewise, organizations developing out-of-the-box software may find Diagnostic Statements relating to anti-ta
