Secure Software Framework – Secure Software Alliance


Principles for secure software

Secure software involves both the developer and end user

The basic assumption of the Alliance is that the security of software is not only a technical issue, but also an organizational one. Software security requires the involvement of both the developer and the user of the software. When is software secure enough for application in a specific context?

If software security is measurable, controllable and demonstrable, software users can consciously make decisions (based on the interests of business and organization processes weighted against the risks of software) and, moreover, take measures to control risks. The buyer of software must be aware that software contains or may contain inherent insecurities and that he must set up processes to control the risks of insecure software. The provider of software often plays an important role in those control processes.

Secure software needs attention during the lifecycle

Software security needs attention during the complete lifecycle. Threats and risks change continuously. Processes are required to manage these changes. Developers of software and organizations of software are both involved in these processes to make and keep software secure.

Secure software is the basis for trust in ICT

Software is everywhere. The Cybersecurity Act therefore states that software security is elementary for cybersecurity. By making software security measurable, manageable and controllable, the Secure Software Alliance allows parties using software to take responsibility for the software they use in a specific context.