Today’s columnist, Rohit Sethi of Security Compass, says security teams need to focus more on standards that deal with secure software development, such as NIST’s 800-160 publication. AnotherPintPlease... CreativeCommons CC BY-NC-SA 2.0

When the general public thinks of cybersecurity, they often focus on firewalls, encryption and ransomware. It’s a reasonable approach, considering the growing computing landscape and the threats that accompany cloud deployments, mobile computing, and the Internet of Things (IoT). Yet, people often overlook the security of individual software and software-enabled products that organizations purchase, a fundamental component for overall cybersecurity.

Of course, some organizations consider some kind of security when procuring software, such as looking for ISO/IEC 27001 certification. However, buyers generally do not seek out product security-specific standards and certifications.

Companies need to understand why they should dig deeper into the security of the software products they bring into their environments and push vendors to provide more evidence that their offering was in fact built with an appropriate degree of security throughout the lifecycle. There are a few steps organizations can take to gauge the security of the products they purchase.

By educating themselves about the emerging field of product security and demanding that vendors deliver appropriately certified products, they improve their own security postures and enhance the security of the knowledge economy overall. If customers create the demand, it will force vendors to keep up or face obsolescence.

General standards fall short

The importance of product security isn’t a new idea. In 2002, Bill Gates announced Microsoft’s Trustworthy Computing (TwC) initiative after hearing concerns from major customers such as government agencies and financial corporations about the inherent threats lurking in software.

Since then, information security standards have emerged and improved. Regulators and standards bodies in many jurisdiction and industries have created hundreds of other cybersecurity laws and standards.

However, too few customers are asking that vendors conform to standards that are specific to software products. They often fall back on asking about general cybersecurity standards such as ISO/IEC 27001 or even SOC II. Although it’s important to have an overall cybersecurity framework, its breadth of focus often leads to minimal coverage of secure software products. That means vendors place less emphasis on building secure products to meet the “minimum” compliance bar.

In the interim, some progressive standards bodies have also developed security benchmarks and guidance more specifically focused on secure software products. For example, the Payment Card Industry (PCI) standard recently created the Software Security Framework (SSF) in recognition of the important role software products play in the payments ecosystem. Other examples include the International Society for Automation 99 (ISA99)’s IEC 62443 for industrial control systems and the National Institute of Standards and Technology’s (NIST) Special Publication 800-160 on systems security engineering.

Will vendors be left behind?

The industry needs to push the software companies and require the vendors to conform with software-specific standards on top of broad cybersecurity standards. Customers can move companies in this direction by simply asking about product security standards and certifications in procurement.

Customers that become familiar with security standards can start by asking the following questions:

  • Does the vendor have software security certifications and/or documentation, as well as cybersecurity standards like ISO/IEC 27001?
  • Is there a way for users to report security issues?
  • Does the vendor have a bug bounty program?
  • Does the vendor advertise publicly how they integrate security into the way they build products?

The more customers ask for product security, the more emphasis vendors will put on making it a priority, to the point where specific product security becomes a selling point, touted as a product advantage. Evaluating how a vendor promotes their security practices, and inquiring about ways to report security issues directly with a vendor, would serve as a great starting point.

To bring about this change, it’s probably best to start with corporate procurement becoming familiar with software security designations. The financial industry and many defense organizations, for example, often ask detailed questions related to software security. But just about everybody else—from retailers and the hospitality industry to transportation operations—tend to put less emphasis on software security.

If organizations focus on purchasing software with tighter product security, vendors will quickly get the message, because if they don’t get on board, they risk losing revenue. This will result in more secure products and fewer incidents that compromise sensitive data.

Rohit Sethi, chief executive officer, Security Compass