2024: It's time to upgrade the development of secure software. New GOST adopted
In mid-June, Rosstandart technical committee No. 362 voted to update the standard GOST R 56939 "Information Protection. Development of secure software. General requirements"[1]. It is expected that the new text of the standard will be published by Rosstandart within the next 6 months and will enter into force on January 1, 2025. This time, Russian developers such as Kaspersky Lab, Positive Technologies, InfoTeCS and others took an active part in its development. The standard is applied, in particular, when certifying information protection tools against the requirements of FSTEC Order No. 76 by trust levels.
As noted by Karina Nakadovskaya, head of the Kaspersky Lab certification and compliance center, the GOST R 56939-2016 version of the standard was timely, but it assumed the integrity of the organizations implementing secure development and the competence of the experts. Since then, the demand for software security and the range of security aspects covered by standardization have grown significantly. The description of measures in the previous standard did not make it possible to assess the quality of implementation of each measure or its impact on the security of the final product. That is why the standard had to be revised, taking current requirements into account and with the participation of companies that had already implemented the provisions of the previous version.
Work on the new version of GOST R 56939 began in October 2022, and by November 2023 it was presented to program committee No. 4 of TK 362 for discussion among its participants. A working group of ten companies, including those listed above, was formed to finalize the standard. Together they prepared a new text of the standard, taking into account the wide variety of comments submitted during public discussion. The largest number of comments concerned the section "Development processes" (341), followed by "Terms and definitions" (85), "General requirements" (48) and "General comments" (42). By April 2024, the second version of the standard had been developed and was submitted for voting.
It should be noted that "General Requirements" is the first standard in the series. According to Karina Nakadovskaya, a "Methodology for assessing the implementation of secure software development processes" and a "Guide for the implementation of secure software development processes" are also planned. Together they will form a common set of standards that will encourage developers to improve the quality of their software development processes in terms of security.
"Now, until the regulatory framework is fully formed and only the general requirements standard has been adopted, we will work on the basis of how the secure software development processes are implemented for a certain group of software products," Vartan Padaryan, Candidate of Physical and Mathematical Sciences and head of a laboratory at ISP RAS, explained to TAdviser how the standard will be used. "We intend to use it for some logically linked technological family of products that have a strong intersection along a narrow base, are developed by one development team, and are implementing new functionality. At the same time, within the organization, some processes may be implemented by separate shared teams: DevOps, pentesters, internal audit. A composite fuzzing team is possible, where product testers interact with company-wide fuzzing specialists. One way or another, in the process of certification, contact should be established with these people and an assessment of their competencies should be carried out."
Kaspersky Lab has in fact already applied for an audit according to the new version of the standard: the company intends to be the first to pilot the new standards. Astra Group of Companies has also announced that it is joining the pilot testing of the new standards.
"In the process of pilot testing, we will look at the processes described in the standard that will be submitted for certification, how technologies are used in them, what people these processes serve, and how these processes are provided with resources," Vartan Padaryan explained. "These are not only documents but, first of all, the actual side of the matter: how everything works in the company. Within the transition period, only the fact of the company's general compliance will be included in the final certificate, and moreover according to the GOST R 56939-2016 standard. Within the current standard, we can only give a binary assessment: either compliant or not.
A national standard is being developed to assess the compliance of secure software development processes. The leader is Kaspersky Lab. We are keen that by the end of this year we have already gone through the public comment stage, so that by January 1, 2025, there is already a stabilized revision, which will become the methodological basis for the inspections being carried out, so that the tasks of certification of processes can be scaled up throughout the country. This standard will already provide for maturity levels. I can assume that there will be some regulatory enhancements for information protection developers to meet the new standard."