By Steve Lipner, SAFECode Executive Director
Those of you who’ve been following SAFECode for a while may remember our past comments on the European Union (EU) initiative to establish a new approach to cybersecurity certification. We commented on that approach early in 2018, and later that year we issued a short white paper sharing our views on the factors that make for a successful approach to certification.
The EU passed its new Cybersecurity Act last year, which charged the European Union Agency for Cybersecurity (ENISA) with a lead role in driving the creation of cybersecurity certification schemes. Recently, we became aware of a new ENISA report entitled “Advancing Software Security in the EU” (the paper is dated November 2019 but seems to have been released in the last couple of weeks). We thought it would be helpful to share our initial reactions to the paper.
The ENISA paper emphasizes the importance of software to the security of information technology products and services. It also stresses the role of a secure development process in the creation of secure software and enumerates a set of elements of secure software engineering that aligns well with SAFECode’s principles. We were happy to see that the paper specifically refers to the importance of a Secure Development Lifecycle and cites SAFECode’s Fundamental Practices document, as well as our white paper on security certification, in its list of standards and good practices.
The ENISA paper points out that, while a secure development process is important, the security of the finished product or service is the ultimate goal of a certification scheme. SAFECode agrees – that’s why our members’ implementations of secure development processes include systems that create and track evidence that the process has actually been applied to the product being evaluated. This evidence, in the form of threat models created, secure build options applied, static analysis findings triaged and fixed, and fuzzing failures remediated, is a key component of SAFECode members’ implementations of Secure Development Lifecycle processes.
We are looking forward to continuing our dialog with ENISA and to the emergence of effective and efficient EU cybersecurity certification schemes.