Published by Security Testing and Assurance on 22 June 2023
One of the key outcomes of the recent Quad Leaders’ Summit, held in Hiroshima, Japan, was the establishment of a set of secure software development principles. With these principles, the four Quad nations — Australia, India, Japan, and the United States — have “re-affirmed their commitment to improve software security” (Quad Senior Cyber Group, 2023), and to build policy frameworks to guide the development, procurement, and use of software.
In agreeing to these joint principles, Quad governments stated their collective intent to use their formidable purchasing power to “drive the development of safer and more secure software.”
Although the principles are targeted towards government vendors and governments themselves, they can be applied to any organisation developing or procuring software.
- For those developing software, the principles highlight the need to take a closer look at their own software development lifecycle and ensure security has been embedded throughout.
  - Ask the question: how can we demonstrate that we are developing secure software?
- For those procuring software, it highlights the need to ask your vendors about their development processes and make sure they are following secure development processes.
  - Ask the question: how can you demonstrate that you are developing secure software?
What guidelines already exist?
Guidelines for developing secure software are not a new concept. Most well-established cyber security frameworks, such as ISO 27001 and the NIST Cybersecurity Framework, contain sections focused on software development. As software security has come under greater scrutiny, more specific and detailed industry standards have emerged.
- The NIST Secure Software Development Framework (SSDF) was developed on the back of US President Joe Biden’s Executive Order 14028 on ‘Improving the Nation’s Cybersecurity’ and contains detailed guidance for organisations to build and maintain secure software.
- The OWASP (Open Web Application Security Project) Software Assurance Maturity Model (SAMM) is a community-driven project and provides tools to allow organisations to self-assess and define a roadmap of activities to improve secure software maturity.
The Australian Information Security Manual (ISM) also contains ‘Guidelines for Software Development’, and these are most likely going to be the starting point for any additional policy or regulatory guidance. Given the focus, there is a possibility of seeing these controls included in an expanded version of the Essential 8 in the future.
What can organisations do now?
- Assess your software development processes – The first step to maturity improvement is understanding the current processes and challenges faced by development teams. Using a targeted framework such as the NIST SSDF or OWASP SAMM to self-assess can provide insights into what is working, what changes need to be made, and prioritise these uplift activities.
- Train and empower your development teams – Security needs to be a shared responsibility. Providing specific and targeted training to your development teams to “think like a hacker” is one of the most effective ways to limit the number of security issues introduced.
- Make time for security – One of the biggest challenges development teams face is balancing the need to build fast and release new features with the need to secure what they’re building. Management needs to ensure that adequate time and budget is allocated for development teams to build security functionality and remediate identified issues.
- Continuously test your applications – By implementing automated security testing tools within developer workflows and providing results in real-time, potential security issues can be identified and remediated before they are ever released.
- Monitor and disclose – Continually monitor your application environment and disclose vulnerabilities to your customers. This allows customer organisations to understand their risk exposure and apply compensating controls.
- Start asking the tough questions – If you’re purchasing software, ask your vendors how they build software securely. Ask them about their vulnerability disclosure program and if they can provide a software bill of materials (SBOM) which details all the building blocks of their software so you’re able to monitor for vulnerabilities yourself.
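As an added example (not code from the post or from CyberCX), this shows what a procuring organisation can do with a vendor's SBOM: parse a constructed CycloneDX-style document and match each component's package URL and version against a constructed advisory list with fixed versions. The SBOM contents, package names and advisory identifiers are all placeholders.

```python
import json

# Constructed CycloneDX-style SBOM fragment; names and versions are made up.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json", "version": "2.8.1",
     "purl": "pkg:maven/org.example/example-json@2.8.1"},
    {"type": "library", "name": "example-http", "version": "1.4.0",
     "purl": "pkg:npm/example-http@1.4.0?arch=x64"}
  ]
}
"""

# Constructed advisory list keyed by version-less purl: (first fixed version, advisory id).
# A real feed (e.g. NVD or OSV) supplies ranges; these entries are placeholders.
ADVISORIES = {
    "pkg:maven/org.example/example-json": [("2.9.0", "ADV-PLACEHOLDER-1")],
    "pkg:npm/example-http": [("1.3.2", "ADV-PLACEHOLDER-2")],
}

def version_key(version):
    """Turn '2.8.1' into (2, 8, 1) for ordering; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def split_purl(purl):
    """Split 'pkg:type/name@version?qualifiers' into (name part, version)."""
    base, _, rest = purl.partition("@")
    return base, rest.split("?")[0]

def find_affected(sbom_json, advisories):
    """Return (name, version, fixed_version, advisory_id) for every component
    whose version is below a known fixed version."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # components without a purl cannot be matched reliably
        base, version = split_purl(purl)
        for fixed, adv_id in advisories.get(base, []):
            if version_key(version) < version_key(fixed):
                hits.append((comp["name"], version, fixed, adv_id))
    return hits

if __name__ == "__main__":
    for name, ver, fixed, adv in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{name} {ver} is affected by {adv}; fixed in {fixed}")
```

Re-running the match whenever the advisory list changes is the "monitor for vulnerabilities yourself" step the post describes.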
CyberCX provides full end-to-end services to support organisations in building and maintaining secure software solutions. To learn more, reach out to [email protected]
References
- Quad Senior Cyber Group (2023, May 19). Quad Cybersecurity Partnership: Joint Principles for Secure Software. Department of the Prime Minister and Cabinet. Retrieved June 1, 2023, from https://www.pmc.gov.au/sites/default/files/resource/download/quad-joint-principles-secure-software.pdf
Author: Raafey Khan – Managing Consultant Application Security
We are hiring! CyberCX currently have open offensive roles in penetration testing, adversary simulation, and AppSec for Australia and New Zealand. If you are interested in working with the largest and most capable team in the region in a fun, rewarding, and challenging environment, please send your CV to [email protected]