By Steve Lipner, SAFECode Executive Director
This week, the Business Software Alliance released The BSA Framework for Software Security. The document aims to provide a consolidated framework that brings together best practices in a manner that can be effectively described and communicated, regardless of the development environment or the purpose of the software. Specifically, according to BSA, the Framework is intended to help software development organizations:
- Describe the current state of software security in individual software products;
- Describe the target state of software security in individual software products;
- Identify and prioritize opportunities for improvement in development and lifecycle management processes;
- Assess progress toward the target state; and
- Communicate among internal and external stakeholders about software security and security risks.
The BSA Framework delivers value by providing a common language for suppliers, customers and policymakers to use when describing or evaluating the security assurance process applied to software, the “supply chain” processes associated with creating, integrating and delivering software, and the security features of the software itself. Further, like SAFECode’s work, the BSA Framework is intended to be applicable across diverse development environments and software types.
SAFECode was pleased to be given the opportunity to contribute to the document’s development, and a review of the practices, or “diagnostic statements,” will reveal close alignment with our work – primarily, our Fundamental Practices for Secure Software Development paper, but also our published guidance around threat modeling, third-party components, and software supply chain. While the BSA Framework is particularly useful for describing what can and often should be done, the referenced SAFECode work provides readers insight into how many of the recommended practices should be implemented based on the real-world experiences of our diverse group of member companies. In this way, you’ll find SAFECode’s and BSA’s software security work to be complementary. Given the constantly evolving software development and security landscape, we look forward to continued collaboration with BSA.
Finally, as you review the BSA Framework, please drop me a line if there are any diagnostic statements that you would be interested in seeing more implementation guidance from SAFECode on. We are always interested to hear which elements of a secure software development process our industry peers are most interested in learning more about.