ENISA: ADVANCING SOFTWARE SECURITY IN THE EU

While I was looking after some resources for a presentation, I found this interesting lecture from ENISA.

 

Advancing Software Security in the EU

This study discusses some key elements of software security and provides a concise overview of the most relevant existing approaches and standards while identifying shortcomings associated with the secure software development landscape, related to different inherent aspects of the process. Lastly, it provides a number of practical considerations relevant to the different aspects of software development within the newly established EU cybersecurity certification framework and the EU cybersecurity certification schemes.

Fundamental security principles are often overlooked during software development. This is because Security is a non functional feature.

Functional requirements are about behaviour of the system towards the outside world (e.g. a user), whereas non-functional requirements are mainly about the internal mechanisms. Many of the security requirements are non-functional; for example on how to store passwords in a database. Security requirements originate from different sources, such as
– explicit functional and non-functional requests from user(s),
– requirements and obligations originating from the underlying legal framework
– requirements that are considered as best practices, company policies, in widely accepted guidelines, from threat assessment but also, from the experience of a developer, e.g. “I always make sure my error messages don’t contain any personal information”.

Secure software development and maintenance is attracting a lot of attention lately, due to rapidly increased dependency of everyday products, services and process to the underlying software. As such, software development and maintenance is expected to be subject to evaluation, and eventually certification, of ICT products, services and processes. Based on this, as part of ENISA activities in the area of supporting the preparatory policy discussions in the area of certification of products, services and processes, this study aims to provide:
– a starting point for exploring the concept of secure software development and maintenance and
– aspects to be considered in EU cybersecurity certification schemes (relevant to software development and maintenance).

 

The end of the 16 page document is about “WHAT IS LACKING IN SOFTWARE SECURITY”:

  • CLEAR GUIDANCE
  • QUALITY ASSURANCE
  • SUSTAINED TRUST ISSUES -> The supply chain
  • ASSURANCE CLARITY BETWEEN PROCESS AND PRODUCT

 

ENISA wants to develop a common repository for shared security measures.

Such a mapping could result in the definition of a common repository for shared security aspects (access control, authorization, encryption etc), threat models and approaches against known adversary tactics, over different schemes as part of obligations introduced by Cybersecurity Act Article 55 on Supplementary cybersecurity information. Such a repository could be extended to become a knowledge sharing platform which would greatly help to reach the mentioned goals. Next to the technical requirements, this repository could also keep metadata such as: mapping to existing standards, revision history, related threats, and implementation guides for different technologies, or references to those.

 

Conclusion:
A nice document, but I would expect from ENISA to come with a real plan to action.


© Copyright 2021 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity


Check www.endpoint-cybersecurity.com for seeing the consulting services we offer.

Visit www.itsecuritynews.info for latest security news in English
Besuchen Sie de.itsecuritynews.info für IT Sicherheits News auf Deutsch