Underpinning software security: the role of the EU cybersecurity certification framework


The EU Agency for Cybersecurity publishes a study on existing approaches for secure software development and maintenance while highlighting aspects to be considered under the EU cybersecurity certification framework.

Secure software development and maintenance is attracting a lot of attention lately, due to the rapidly increasing dependency of everyday products, services and processes on the underlying software.

Quite often, the weaknesses behind security incidents and/or breaches materialise due to a lack of adherence to fundamental security principles and techniques. In order to promote increased levels of security and to improve mitigation of known security threats, secure software development and maintenance is becoming increasingly subject to evaluation, and eventually certification.

The ENISA Report - Advancing Software Security in the EU discusses some key elements of software security and provides an overview of the most relevant existing approaches and standards while identifying shortcomings associated with the secure software development landscape. Lastly, it provides a number of practical considerations relevant to the different aspects of software development within the EU cybersecurity certification framework. These considerations include:

  • issues related to the deployment and maintenance of repositories not only for publicly disclosed vulnerabilities but also for shared security aspects of certified products, services and processes;
  • coordination of activities among European Standards Organisations (ESOs) and Standards Developing Organisations (SDOs);
  • possibilities to complement EU cybersecurity certification schemes with guidelines for software development, maintenance and operation;
  • consideration of lightweight conformity assessment methods for the basic assurance level, as a response to the existing fragmented landscape of software development and maintenance;
  • possibilities to leverage existing experience and expertise and to promote the uptake of EU cybersecurity certification schemes.

The study was conducted as part of the Agency’s preparatory and support activities in the area of certification of products, services and processes. It is envisioned to be used as a reference document that complements similar ongoing initiatives at national level, during the drafting of candidate cybersecurity certification schemes, and as a non-binding guidance document for EU cybersecurity certification framework stakeholders.


Further Information

The ENISA Report - Advancing Software Security in the EU

For interviews and press enquiries, please contact press@enisa.europa.eu