دانلود کتاب Advancing Software Security in the EU: The role of the EU cybersecurity certification framework

Secure software development and maintenance is attracting a lot of attention lately, due to the rapidly increased dependency of everyday products, services and process to the underlying software. Quite often, weaknesses behind reported security incidents and/or breaches are being materialized due to the lack of adherence on fundamental security principles and techniques. In order to promote further the assurance on the level of security or even the mitigated security threats, software development and maintenance is becoming increasingly subject to evaluation, and eventually certification, of ICT products, services and processes. Based on this, as part of ENISA activities in the area of supporting the preparatory policy discussions in the area of certification of products, services and processes, this study aims to touch upon the aspects to be considered in EU cybersecurity certification schemes (relevant to software development and maintenance).
This study discusses some key elements of software security and provides a concise overview of the most relevant existing approaches and standards while identifying shortcomings associated with the secure software development landscape, related to different inherent aspects of the process. Lastly, it provides a number of practical considerations relevant to the different aspects of software development within the newly established EU cybersecurity certification framework and the EU cybersecurity certification schemes. These considerations are listed below:
 Manufacturer(s) or provider(s) of certified ICT products, ICT services or ICT processes, should explore the deployment and maintenance of repositories not only for publicly disclosed vulnerabilities but also for shared security aspects of certified products, services and processes towards aligning on requirement commonalities and ways to mitigate common security risks.
 Following the publication of the Union Rolling Work Programme, European Standards Organizations (ESOs) and Standards Developing Organization (SDOs) should coordinate on the priority areas they can support, put forward standardization activities to benefit the future developed schemes and communicate periodically such planning to the EC and relevant CSA stakeholders.
 EU cybersecurity certification schemes for products, services and process should include, to the extent possible, not only requirements for the end product/service/process but also assurance for the engineering process, by setting process guidelines for software development, maintenance and operation.
 During the development of EU cybersecurity certification schemes, lightweight conformity assessment methods for the basic assurance level should be considered as a response to the existing fragmented landscape of software development and maintenance.
 Software developers and product manufacturers should put forward their experience and expertise and promote the uptake of EU cybersecurity certification schemes.