By Steve Lipner
The CIS Controls are a prioritized set of cybersecurity practices targeted at defending against today’s most pervasive attacks. They are not a catalog of every best cyber defense practice, but rather a list of high-value actions that give organizations at all maturity levels a starting point of “must do” activities for improving their cybersecurity programs. Put simply, the CIS Controls “help defenders identify the most critical things they need to do to stop the most important attacks.”
This year, SAFECode worked closely with CIS to develop Control 16: Application Software Security for Version 8 of the CIS Controls. Software security is a recent addition to the CIS Controls, and its inclusion reflects its evolution from a once highly specialized discipline largely limited to software engineers to a core focus for organizations that have come to recognize the need to manage the security risk of both in-house developed and acquired software. This evolution means many organizations must now understand software security practices as both buyers and creators of software.
Of course, those familiar with SAFECode recognize that this is not the first piece of industry guidance written to help organizations improve software security. In fact, there is a long history of industry collaboration in secure software development. Most recently, the National Institute of Standards and Technology (NIST) brought together much of what has been learned over the past two decades and published “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)” which incorporates application software security guidance from SAFECode, BSA|The Software Alliance, OWASP, and others.
So what makes CIS Control 16 and the SAFECode companion paper on application software security unique? Much of today’s most familiar software security guidance was written as a catalog of practices or targeted toward large software development organizations. Viewing software security in the context of the CIS Controls requires us to think a bit differently about our approach. It asks us to consider how we would prioritize software security practices for organizations just starting out or with limited resources. It also asks us to consider how to help those who run broader cybersecurity programs better assess and manage their risk from in-house and acquired software. Control 16 in the CIS Controls was developed from this dual perspective.
Bringing all of these considerations together in a single control was not an easy task, so we opted to document the thinking behind Control 16’s development in a reference paper that supports those seeking a deeper understanding of software security. While based in existing SAFECode guidance and aligned with industry best practices, the reference paper is not meant to replace existing software security frameworks. Rather, it aims to present effective safeguards in a way that makes application software security accessible and actionable to an even broader audience.
Like the CIS Controls, SAFECode’s reference paper prioritizes recommended software security controls by implementation group and maturity level. It can be read as a starting point for organizations looking to implement software security programs, allowing them to direct limited resources at high-value activities. More mature organizations, or those with additional resources, should consider these recommended practices foundational; they will likely have broader programs with additional activities that address their unique business risks.
We encourage readers to check out Version 8 of the CIS Controls. It reflects the combined knowledge of experts from every part of the ecosystem with every role and across many sectors who have banded together to create, adopt, and support one of the most well-respected collaborative efforts in cyber defense. SAFECode is proud to have played even a tiny part in its development and is grateful for the encouragement and opportunity to look at application software security safeguards from a fresh perspective.