Secure software development and maintenance is attracting a lot of attention lately, due to the rapidly growing dependence of everyday products, services and processes on the underlying software. Quite often, the weaknesses behind reported security incidents and/or breaches materialise because fundamental security principles and techniques were not adhered to. To further promote assurance in the level of security achieved, or in the security threats mitigated, software development and maintenance is becoming increasingly subject to evaluation, and eventually certification, of ICT products, services and processes. Against this background, as part of ENISA's activities supporting the preparatory policy discussions on the certification of products, services and processes, this study aims to touch upon the aspects to be considered in EU cybersecurity certification schemes relevant to software development and maintenance.
This study discusses some key elements of software security and provides a concise overview of the most relevant existing approaches and standards, while identifying shortcomings in the secure software development landscape related to different inherent aspects of the process. Lastly, it provides a number of practical considerations relevant to the different aspects of software development within the newly established EU cybersecurity certification framework and the EU cybersecurity certification schemes.

ENISA Report - Advancing Software Security in the EU