The BSI TR-03185 provides a comprehensive guide for a secure software lifecycle, outlining requirements and objectives to improve software security across development and maintenance.
The EU Cyber Resilience Act (CRA) aims to improve the cybersecurity of IT products across their entire lifecycle and to oblige manufacturers to comply with appropriate security standards. Against this background, the Technical Guideline TR-03185 (https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/standarder-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03185/TR-03185_node.html) was developed to consolidate the requirements of the BSI IT baseline protection and other standards into a comprehensive guide for a secure software lifecycle.
Target group and objectives
The guideline is aimed both at software manufacturers ("software producer") and at manufacturers as users of software. In the guideline's sense, manufacturers are natural or legal persons who develop, provide, and support software. Users, on the other hand, use software to support the software lifecycle. Both groups must consider the security requirements relevant to their respective roles.
The TR-03185 pursues the following objectives:
- Listing and grouping requirements from existing standards,
- Introducing the topic of the secure software lifecycle,
- Presenting relevant requirements in the context of information security,
- Assessing and improving the software lifecycle with regard to information security.
Processes and requirements
The guideline addresses processes and tools in the context of software creation. It distinguishes between requirements for the manufacturer in the role of producer and for the manufacturer in the role of software user.
Software user
Requirements for the manufacturer in the role of a user of off-the-shelf software concern tools that support the software lifecycle and are used within the software producer's processes. The requirements are subdivided into:
- Project management: Definition and documentation of requirements for software tools, selection of suitable tools, and their secure procurement and operation.
- Documentation: Creation and maintenance of documentation for the tools used and their application.
- Test and release: Planning and execution of tests to verify software functionality and security.
- Installation: Secure installation and configuration of software.
- Patch and change management: Regular updating of software and management of changes.
- Decommissioning: Secure deletion of the software and its data.
Software producer
Requirements for the manufacturer in the role of a software producer are divided into the following areas:
- Project management: Definition and documentation of security requirements, determination of a suitable development model, and implementation of a continuous improvement process.
- Documentation: Creation of project documentation and user documentation.
- Development: Secure design and implementation of the software, including threat modeling and tests accompanying development.
- Testing: Planning and execution of comprehensive tests to ensure software quality.
- Delivery: Ensuring the integrity and authenticity of delivered software.
- Bug fixing and vulnerability management: Procedures for handling security issues and vulnerabilities.
- Decommissioning: Secure uninstallation and deletion of the software and its data.
Conclusion
It is encouraging that the BSI is taking measures to promote secure software development. With TR-03185, the BSI provides a comprehensive guide that supports the systematic consideration of security requirements throughout the software lifecycle and thereby increases resilience against cyber attacks. The new guideline has the potential to see broad application and significantly improve the security of software products in many areas.