A flexible and holistic approach to guide and assess software security

WASHINGTON – April 30, 2019 – As malicious actors increasingly target vulnerabilities in software to attack critical networks and systems, software security has emerged as an urgent priority. Software developers, their customers, and policymakers need tools to describe, assess, and encourage security across the entire software lifecycle, from its development to the end of its life. While some standards and guidelines exist, there is no holistic framework that articulates best practices in a way that can be specifically described and effectively measured across diverse development environments, software types, and coding languages — until now.

BSA | The Software Alliance today announces the release of the BSA Framework for Secure Software to fill one of the most significant gaps in cybersecurity policy. The Framework tackles complex security challenges through an adaptable and outcome-focused approach that is risk-based, cost-effective, and repeatable. The Framework describes baseline security outcomes across the software development process, the software lifecycle management process, and the security capabilities of the software itself.

“BSA’s Framework is the first to offer a holistic approach to software security for software companies, their customers, and policymakers,” said Victoria Espinel, President and CEO of BSA | The Software Alliance. “To effectively secure the digital ecosystem, we need a way to evaluate software security that is meaningful enough to protect software against malicious exploitation and flexible enough to consider all of software’s nuanced types and characteristics. Otherwise we risk disrupting innovation or failing to keep pace with rising cybersecurity threats.”

“From botnets commandeering IoT devices to sophisticated nation-state cyberattacks, software vulnerabilities are often the key entry point for hackers. Software security has long been a critical gap in securing the Internet ecosystem, and the BSA software security framework represents an important contribution. It gives developers and policymakers alike a tool to guide software assurance activities and strengthen cybersecurity throughout our increasingly software-centric economy,” said Senator Mark Warner (D-VA), Co-Chair and Founder of the Senate Cybersecurity Caucus.

““Secure software is essential to further developing AI, conquering 5G and building Internet of Things devices that will improve and enhance nearly every aspect of our society, economy and our day-to-day lives. The BSA Framework for Secure Software is an important step that will help ensure we are building our bright future with security in mind, not as an afterthought,” said Congressman Will Hurd (R-TX-23).

“BSA is to be commended for creating a Software Security Framework that integrates technical, policy, management, and risk considerations in a form that will be useful to development organizations across a wide range of sizes and technologies. SAFECode and its members are happy to have worked with BSA during the development of the Framework and we’re very pleased with the end result. We strongly encourage organizations to consider adoption of the Framework,” said Steve Lipner, Executive Director of SAFECode.

“During my time as Illinois Attorney General, I regularly saw what happens when hackers exploit software vulnerabilities. For consumers, it means breaches that enable the theft of their financial data, health data, and sensitive, personal data. In the aftermath, consumers too often face the long-lasting damage of identity theft. Government and industry must do more to limit software vulnerabilities by proactively working to address cybersecurity challenges. The BSA Software Security Framework represents a needed step forward and is the type of response we should be seeing from the software industry,” said Lisa Madigan, Attorney General of Illinois, 2003-2019.

“BSA deserves a lot of credit for its hard work on software security best practices. The Framework is a major contribution and should spur a serious dialogue on best practices with government and other parts of the industry,” said Stewart Baker, Partner, Steptoe & Johnson LLP.

The Framework is intended to help software development organizations:

1. Describe the current state of software security in individual software products;
2. Describe the target state of the software security in individual software products;
3. Identify and prioritize opportunities for improvement in development and lifecycle management processes;
4. Assess progress toward the target state; and
5. Communicate among internal and external stakeholders about software security and security risks.

The Framework is intended to be relevant to all types of software, from installed programs to Software-as-a-Service, as well as all types of development processes, from waterfall to DevOps. As innovations continue to drive rapid evolution of software practices, the Framework is intended to remain a living document, to be updated and improved based on ongoing feedback and technical developments.

Explore the full BSA Framework for Secure Software here.