Toward a common framework for software security
- By Matt Leonard
The Business Software Alliance is creating a framework policymakers can use to develop rules and legislation related to software security, according to Tommy Ross, BSA’s senior director of policy. The International Cybersecurity Policy Framework is meant to give policymakers a common set of international standards and best practices to help them define software security so companies are not required to meet the standards set by multiple guidelines.
Angela McKay, the senior director of cybersecurity and policy strategy at Microsoft, said BSA drew inspiration from standards documents created by the National Institute of Standards and Technology, such as the NIST Cybersecurity Framework. "Our hope is that this becomes a really useful model for helping with this translation between technical folks … in the standards world and the folks who are not.”
GCN spoke recently with Ross about BSA’s framework. This interview has been edited for clarity and length.
GCN: Where did the idea for the framework come from?
Ross: We started working on it about a year ago. And as you can imagine, a lot of the work was prompted by what we saw coming down the pike in Europe with the EU Cybersecurity Act and the software duty of care discussion. A lot of our members wanted to proactively engage on developing certain certifications, regulations or whatever around software security to ensure standards were being built around things that we’ve identified as industry best practices.
GCN: Who is the audience?
Ross: I think the main target audience is policymakers and customers, but also we want it to be meaningful to software developers. We to provide a mental map of the considerations software developers should at least be thinking about – and they’ll have to go deeper than we’re providing in this framework to really understand how to address all of those things. So we’re not laying out a roadmap for how to develop software securely. But it is at least intended to provide useful pointers to that community and policymakers.
GCN: What do you think of software security policy efforts so far?
Ross: I think we’re seeing well intended efforts here in the U.S. and around the world. One of the examples I always give is the legislation -- internet-of-things security legislation -- that Sens, Cory Gardner (R-Colo.) and Mark Warner (D-Va.) introduced last year. One of the criteria for federal procurement of IoT devices that they tried to put forward in that legislation was "no known vulnerabilities in the code." That doesn’t exactly capture the nuance of the way software is being developed. As you know, software developers will often pull in third-party components, which have subcomponents and subcomponents, and some of them may call back to a library that has a known vulnerability. But [often] the software is constructed in a way that the vulnerability actually isn’t exploitable, and you know it can’t be exploited because that part of the software is not outward facing and cannot be configured to be accessed in a way to allow for exploitation. So it's that kind of thing where there is more nuance that can be brought to the discussion.
I think everyone is trying to learn right now. There are a lot of well-intentioned efforts out there, but if we were comfortable with the answers being given right now then we wouldn’t be working on this.
Another example is in the California [IoT legislation] that says you can’t have hard-coded passwords, and that devices must have reasonable security features, without defining what that means. Companies are not particularly thrilled with that approach because it means that definitions for software security, and hardware security in this case, will be hashed out in court, which is an unpredictable, less-than-ideal way of making policy.
GCN: On the topic of IoT legislation in general, do you have any insight into the Gardner/Warner legislation?
Ross: To their credit, that legislation has evolved. They’ve listened to some of our concerns and others about how to approach the nuances, and they’ve made the legislation better. And we actually support the direction they’re going in right now. I think there will be differences in the next Congress, obviously, and I don’t know how they're going to play out with that legislation. I suspect there will be more interest in the House, but [Sen. Ron Johnson (R-Wis.)] has decided thus far not to move legislation forward in the Senate. And he’s still going to be the chair, as far as I know, of the Homeland Security Committee, so I don’t know how much will change.
GCN: What is the timeline for releasing the framework?
Ross: We’re hoping to have something finalized by the first quarter of next year, but we’ve got to sprint to get there.