Security Snippets: U.S., Australian regulators release joint Safe Software Development guidance

The shared Safe Software Deployment guidance calls on software manufacturers to implement safe software deployment programs supported by verified processes, including robust testing, rollout, and feedback loops.

Co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC), the Safe Software Deployment guidance directs software manufacturers and cloud-based services to develop robust deployment practices.

The guidance calls for the integration of safe deployment practices throughout the software development life cycle (SDLC), particularly in its early stages. It centers on security and risk management at each stage of the SDLC:

  1. Planning (including operational risk assessments, failure anticipation reviews, and platform and device diversity)
  2. Development & testing (continuous unit, integration, and automated tests)
  3. Internal rollout (internal teams should first test the product in real-world scenarios)
  4. Deployment & canary testing (initial product access should be controlled to allow for performance monitoring)
  5. Controlled rollout (deployment cadence should be gradual and take into account bandwidth to address urgent security fixes)
  6. Feedback into planning (feedback loops should be integrated throughout the SDLC, including ‘near misses’)

The guidance envisions case-by-case applications of deployment safety in SDLCs based on business and customer risk tolerance.

This joint guidance is the latest in CISA’s Secure by Design campaign, which seeks to ensure that customer security is a core business requirement throughout the SDLC and informs cybersecurity best practices.

Authored by Nathan Salminen and Lorea Mendiguren.

Contacts
Nathan Salminen
Partner
Washington, D.C.
Lorea Mendiguren
Associate
Washington, D.C.

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.
