OpenChain-Project / Security-Assurance-Specification


[Improvement] Expand definitions section for (1) Secure Software Development to include Secure Programming Techniques and (2) Security Testing to include Static and Dynamic #36

Closed shanecoughlan closed 4 months ago

shanecoughlan commented 5 months ago

Based on https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/18, we agreed that a future task is to update the Security Assurance Specification Definitions section as follows:

(1) Secure Software Development to include Secure Programming Techniques and (2) Security Testing to include Static and Dynamic

shanecoughlan commented 4 months ago

This topic is about adding or expanding Security Assurance Specification Definitions to help readers get context for the domain under consideration.

Suggested Resolutions:

Add

2.X - Secure Software Development A process for the development of software using secure programming techniques.

==

Change

2.13 - Security Testing A process for the analysis of software (or other components) that allows for understanding their current and potential future management in the context of Known Vulnerabilities.

to:

2.13 - Security Testing A process for the analysis of software (or other components) that allows for understanding their current and potential future management in the context of Known Vulnerabilities. This should include addressing static and dynamic software interactions.

shanecoughlan commented 4 months ago

On call of 2024-05-07 we evolved to:

Add:

2.X - Secure Software Development A process for the development of software using secure programming techniques and using best practices for code quality.

Adjust:

2.13 - Security Testing A process for the analysis and monitoring of software (or other components) that allows for understanding their current and potential future management in the context of Known and Unknown Vulnerabilities. This may include addressing static and dynamic software interactions using techniques such as static application security testing (SAST) / dynamic application security testing (DAST), pentesting, malware testing and/or SCA scanning.

shanecoughlan commented 4 months ago

Comments ahead of North America / Asia call in two weeks please.

Dr-wood commented 4 months ago

Adjust:

2.13 - Security Testing A process for the analysis and monitoring of software (or other components) that allows for understanding their current and potential future management in the context of Known and Unknown Vulnerabilities. This would include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST), pentesting, malware testing and/or SCA scanning. For Instance refer to NIST Secure Software Development Framework (SSDF) SP800-218 for best practices.

Static and Dynamic linking of libraries to applications is a Licensing area of concern.

shanecoughlan commented 4 months ago

Action item (1)

Change: This may include addressing static and dynamic software interaction to This would include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST)

== Using our main standard words ==

This should include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST)

== Standard words from the definition ==

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as:

"MUST" This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

"MUST NOT" This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

"SHOULD" This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

"SHOULD NOT" This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

"MAY" This word, or the adjective "OPTIONAL", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

These definitions are originally from IETF RFC 2119: https://www.ietf.org/rfc/rfc2119.txt

== STATUS ==

Accepted on call 2024-05-21.

shanecoughlan commented 4 months ago

Action item (2)

Add: For Instance refer to NIST Secure Software Development Framework (SSDF) SP800-218 for best practices.

Note raised on call 2024-05-21: need to cite exact version to ensure long-term understanding even if things change. Therefore: For instance, this may include using NIST SP 800-218 Secure Software Development Framework (SSDF) for best practices.

== STATUS ==

Accepted on call 2024-05-21.

shanecoughlan commented 4 months ago

Action item (3)

Add: Static and Dynamic linking of libraries to applications is a Licensing area of concern.

to 2.13 - Security Testing

Security Testing definition is focused on referencing static application security testing (SAST) / dynamic application security testing (DAST): "This should include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST)"

Adding topic of library linking adds potential for confusion, and is therefore excluded for this section. It could always be added to another definition about linking and licensing, not security testing.

== STATUS ==

Rejected on call 2024-05-21.

shanecoughlan commented 4 months ago

Result is adjust:

2.13 - Security Testing A process for the analysis and monitoring of software (or other components) that allows for understanding their current and potential future management in the context of Known and Unknown Vulnerabilities. This would include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST), pentesting, malware testing and/or SCA scanning. For Instance refer to NIST Secure Software Development Framework (SSDF) SP800-218 for best practices.

Static and Dynamic linking of libraries to applications is a Licensing area of concern.

To:

2.13 - Security Testing A process for the analysis and monitoring of software (or other components) that allows for understanding their current and potential future management in the context of Known and Unknown Vulnerabilities. This should include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST), pentesting, malware testing and/or SCA scanning. For instance, this may include using NIST SP 800-218 Secure Software Development Framework (SSDF) for best practices.

shanecoughlan commented 4 months ago

Issue is closed and Shane will merge with 2.0 draft.

Dr-wood commented 4 months ago

Shane, if these organizations want to establish that their processes conform to secure programming techniques then the word “should” is not sufficient. That phrase needs to be changed to a “shall” or at the very least a “must” as follows:

“This “must” include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST)…”. In my opinion.

If it remains a “should” then it will likely not meet the needs for Secure Programming per US and EU regulations for government use thereby negating the allure of open-source software and a way to more quickly and cheaply develop software for the governments. Again, my opinion…. Chris

On May 20, 2024, at 8:35 PM, Shane Coughlan wrote:

Action item (1)

Change: This may include addressing static and dynamic software interaction to This would include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST)

== Using our main standard words ==

This should include using techniques such as static application security testing (SAST) / dynamic application security testing (DAST)

….snipped…..

Dr-wood commented 4 months ago

Shane, please see my note on this subject earlier today. “Should” is not sufficient to meet the secure programming requirement. “Shall” or “must” would be more acceptable. Best Regards, Chris

shanecoughlan commented 4 months ago

Hi @Dr-wood

Well noted.

At the beginning of the definitions we list the IETF words for standards as per below (end of message for full list).

This was the context of the discussion on the call:

"SHOULD" This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

"MUST" This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

Because we are in the definitions section of the spec rather than in the requirements section, all of the text is guidance by nature, but it was felt on the call that MUST could be mis-read as a requirement of the specification instead of SHOULD being an example (in the definitions section) that needs serious thought.

However, well-taken point that SHOULD on these items does not reflect that without them an organization would effectively not meet the baseline requirements emerging around the world. It strikes me that the solution may be to specifically cite at least one of those requirements to reflect that "it's not us being prescriptive, it is the market reality under emergency regulation."

Do you know if NIST SP 800-218 Secure Software Development Framework (SSDF) includes such requirements? If that was the case, because of its citation immediately after, the use of MUST perhaps could be regarded as "already given context here."

== Standard words from the definition ==

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as:

"MUST" This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

"MUST NOT" This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

"SHOULD" This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.

"SHOULD NOT" This phrase, or the phrase "NOT RECOMMENDED" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.

"MAY" This word, or the adjective "OPTIONAL", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option MUST be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option MUST be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

These definitions are originally from IETF RFC 2119: https://www.ietf.org/rfc/rfc2119.txt

shanecoughlan commented 3 months ago

@Dr-wood quick ping on this.

shanecoughlan commented 3 months ago

As per call of 2024-06-04, this will remain closed unless momentum appears to reverse the decision previously taken by the group.