Improved framework offers timely guidance on securing global supply chain

WASHINGTON – September 22, 2020 – Software innovations are transforming the way we live and work. But insecure software carries the potential for unprecedented economic, legal, and physical risk. In fact, recent news from the FBI shows an increase in the number of complaints about cyberattacks, up to as many as 4,000 a day, or a 400% increase from pre-coronavirus levels. As the role of technology in every sector expands and emerging technologies like 5G become more widespread, software developers and governments face the challenge of how to secure software components in vast, complex supply chains. Stakeholders need clear and flexible guidance to secure the rapidly growing digital ecosystem.

BSA | The Software Alliance today released a new version of a key tool for improving the software supply chain, the BSA Framework for Secure Software. This updated framework includes crucial changes to strengthen criteria for securing software supply chains and better align with relevant guidance. Specifically, the new framework is fully mapped to the National Institute for Standards and Technology (NIST)’s Secure Software Development Framework (SSDF), providing software developers an accessible tool to implement the SSDF. Moreover, it incorporates more robust guidance on securing development environments to prevent supply chain attacks.

“As cyber threats grow, the software industry and policymakers must come together to protect the global software supply chain from malicious cyberattacks. This issue has never been more relevant – the Internet of Things is expected to grow to more than 200 billion devices by 2023, and these newly connected devices will pose a major security risk,” said Victoria Espinel, President and CEO of BSA | The Software Alliance. “BSA member companies are on the cutting edge of pioneering security-by-design principles that lead to stronger, more secure software products. The updated BSA Framework for Secure Software will help drive the adoption of those best practices across the entire industry. I look forward to BSA’s continued collaboration with software companies and policymakers as we work to build the trusted technologies of the future.”

Specifically, the Framework is intended to be used to help:

1. Software development organizations describe the current state and target state of software security in individual software security products and services;
2. Software development organizations identify opportunities for improvement in development and lifecycle management processes, and assess progress toward target states;
3. Software developers, vendors, and customers communicate internally and externally about software security; and
4. Software customers evaluate and compare the security of individual software products and services.

The Framework is intended to guide development lifecycles for all types of software, from installed programs to Software-as-a-Service, as well as all types of development processes, from waterfall to DevOps. The Framework is a living document and will continue to be updated and improved based on ongoing feedback and technical developments.

Find BSA’s updated Secure Software Development Framework here.