Discussing modern software development in Brussels
Trends in the way modern software is being developed and new ways of looking at security.
By Chris Wysopal
Last week, I had the opportunity to meet with a range of policy officials in Brussels to discuss best practices in secure software development and to share some observations from our annual “State of Software Security (SOSS)” report.
The policy background is the EU Cybersecurity package as proposed in September, and specifically proposals around Security by Design and an EU ICT security certification framework.
We discussed two distinct trends in the way modern software is being developed and how these trends require new ways of looking at security.
There is a significant shift away from legacy ‘waterfall’ development methods. Under waterfall methods, security testing was incorporated as a discrete part of an incremental, methodical, long-term development process. Today, there is a move towards agile development methods, where the focus is on iterative, continuous development practices, requiring organizations to “shift security left”.
This means that organizations must consider security throughout the development process, rather than bolting it on at the end. We call this process DevSecOps, whereby you combine development, security, and operations practices in an agile fashion.
The second trend is that developers are increasingly using open source components in software application development. Open source components can provide strong functionality, but they often contain vulnerabilities, which can expose the applications that use them to attack by malicious actors.
As the Veracode 2017 SOSS report notes, 88 percent of Java applications tested by Veracode had at least one vulnerability in a component. It is critical for vendors to understand and document which open source components and libraries they utilize in application development, and to have the ability to fix these vulnerabilities as they are discovered, ideally throughout the development process.
The proposed EU Cybersecurity Act calls on ENISA to develop an ICT certification framework, with the purposes of enhancing the resilience of digital products and services, and increasing market trust in the European digital economy.
As outlined before, CA Technologies welcomes this continued focus on cybersecurity, and we believe that certifications can play an important role in strengthening the cybersecurity landscape. However, with respect to software, in order for a certification process to be successful, it must take into account modern development practices.
First, the certification scheme should focus on development processes, rather than on end products. With agile development methods, software products are continuously updated. Focusing on secure development practices will enable continued innovation while also producing more secure software. The risk profile of the application being developed can dictate the level of security rigor that the development process includes.
Second, it is important that the certification framework be harmonized across the EU and aligned with international standards. This would benefit both vendors and customers. Vendors can focus their efforts and resources on aligning with a single certification process rather than dedicating significant resources towards multiple compliance regimes. Customers will have confidence that their vendors are certifying against the same standard and will benefit from increased competition.
Third, we feel that European cybersecurity will benefit most from an initial focus on establishing a base-level certification regime, promoting a Security by Design approach. Raising the bar at the foundational level will strengthen cybersecurity across the board.
In a future blog post, we will delve a little deeper into the last proposal around Security by Design practices and how these can be incorporated into a potential certification scheme.