The Ministry of Finance said it is working on implementing a secure software development framework (SSDF). Specifically, the Department of Financial Informatics and Statistics and the general departments under the ministry will promote the dissemination of SSDF to units producing internal software for the Ministry of Finance; at the same time, they will gather opinions, recommendations and proposals from software producers and forward them to the relevant authorities to research and issue appropriate policies, creating favorable conditions for SSDF to be deployed conveniently at software producers.
Mr. Nguyen Minh Dung, expert from the Information Security Department, Ministry of Information and Communications, presenting some new regulations of Circular No. 12/2022/TT-BTTTT and the secure software development framework at the Financial Informatics and Statistics Partnership Conference organized by the Ministry of Finance in Quang Ninh on April 14, 2023. Photo: Quang Minh.
Although agencies and organizations have implemented multi-layer protection for their online applications and services in cyberspace, in reality attacks exploiting security vulnerabilities occur frequently and cause many serious consequences (system information leaks, malware infection, hijacking, etc.).
On April 23, 2020, the National Institute of Standards and Technology (NIST) under the US Department of Commerce released a white paper introducing the concept of a secure software development framework, including recommendations applicable to the software development and operation process in order to mitigate the risk of software vulnerabilities. In February 2022, NIST officially published the Secure Software Development Framework (SSDF Version 1.1).
On February 10, 2022, the Department of Information Security (Ministry of Information and Communications) issued Document No. 166/CATTT-ATHTTT providing guidelines on "Secure software development framework version 1.0", based on NIST's Secure Software Development Framework version 1.1. In Directive No. 02/CT-TTg dated April 26, 2022 on developing e-Government towards digital government and promoting national digital transformation, the Prime Minister directed ministries, branches and localities to fully deploy solutions to ensure network information security, stating: "Internal software developed by professional units shall comply with the Secure Software Development Framework process".
SSDF provides a core set of high-level secure software development practices that can be integrated into any software development life cycle implementation, covering all relevant aspects such as the software development environment, the software deployment environment and responses to vulnerabilities detected during software deployment. Following these practices should help software producers deliver more secure software to customers, reduce the number of vulnerabilities in released software, and mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities.
To implement SSDF, software developers must be equipped with information security knowledge; establish new processes, rules and routines for integrating information security into the stages of software production; establish (or collaborate with) a specialized department dedicated to security testing and evaluation at each stage of the software development cycle (design, coding, testing, release, deployment, etc.); and acquire or hire software testing tools (white box testing, gray box testing, black box testing) and vulnerability patch management tools. SSDF requires software developers to invest in people, time and costs, thereby increasing the cost of software. In return, however, the software user will spend less labour and cost handling and overcoming the consequences caused by insecure software products.
As a user of software products, the Ministry of Finance shall require its software supplying partners to apply SSDF, and shall itself participate in applying SSDF at stages such as: developing software security requirements; testing and accepting the software design, including acceptance of compliance with security requirements; testing and accepting software prior to release; participating in preparation of the software deployment environment; participating in software implementation and operation; conducting information security inspection and evaluation to detect security vulnerabilities and requesting software development units to provide vulnerability patches; and monitoring the development of software vulnerability patches by development units.
In parallel with implementing the legal provisions on ensuring information system security by level, the Ministry of Finance has gradually been practicing SSDF at the Ministry and its units, and so far meets the basic and core SSDF requirements. The Ministry of Finance shall review and supplement the missing contents to ensure full implementation of SSDF version 1.0 issued by the Information Security Department, Ministry of Information and Communications.
The question is what the Ministry of Finance needs to do to promote the integration of SSDF into the software production cycle at its suppliers of internal software. A road map is needed to reach the point where the Ministry of Finance can place SSDF requirements in its bidding documents for internal software development without having to worry about whether any bidders will meet such requirements.
The implementation of SSDF will create an additional burden on software producers. However, beyond the mandatory implementation of SSDF to meet customer requirements, software producers should look to the long-term, sustainable benefits of implementing SSDF, while being able to add the cost of SSDF implementation to their software development cost without worrying about losing their cost competitive advantage. In addition, the Ministry of Information and Communications shall study and promulgate additional economic-technical norms for use in preparing estimates for internal software, to ensure sufficient expenditure for implementing SSDF in internal software.