The BSI TR-03185 provides a comprehensive guide for a secure software lifecycle, outlining requirements and objectives to improve software security across development and maintenance.
The EU Cyber Resilience Act (CRA) aims to improve the cybersecurity of IT products across their entire lifecycle and to oblige manufacturers to comply with appropriate security standards. Against this background, the Technical Guideline TR-03185 (https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03185/TR-03185_node.html) was developed to consolidate the requirements of the BSI IT baseline protection and other standards into a comprehensive guide for a secure software lifecycle.
Target group and objectives
The guideline is aimed at manufacturers both as producers of software ("software producer") and as users of software. In the guideline's sense, manufacturers are natural or legal persons who develop, provide, and support software. Users, on the other hand, use software to support the software lifecycle. Both groups must consider the security requirements relevant to their respective roles.
TR-03185 pursues the following objectives:
- Listing and grouping requirements from existing standards,
- Introducing the topic of the secure software lifecycle,
- Presenting relevant requirements in the context of information security,
- Assessing and improving the software lifecycle with regard to information security.
Processes and requirements
The guideline addresses processes and tools in the context of software creation. It distinguishes between requirements for the manufacturer in the role of producer and for the manufacturer in the role of software user.
Software user
Requirements for the manufacturer in the role of a user of off-the-shelf software cover the tools that support the software lifecycle and are used within the software producer's processes. The requirements are subdivided into:
- Project management: Definition and documentation of requirements for software tools, selection of suitable tools, and their secure procurement and operation.
- Documentation: Creation and maintenance of documentation for the tools used and their application.
- Test and release: Planning and execution of tests to verify software functionality and security.
- Installation: Secure installation and configuration of software.
- Patch and change management: Regular updating of software and management of changes.
- Decommissioning: Secure deletion of the software and its data.
Software producer
Requirements for the manufacturer in the role of a software producer are divided into the following areas:
- Project management: Definition and documentation of security requirements, determination of a suitable development model, and implementation of a continuous improvement process.
- Documentation: Creation of project documentation and user documentation.
- Development: Secure design and implementation of the software, including threat modeling and tests that accompany development.
- Testing: Planning and execution of comprehensive tests to ensure software quality.
- Delivery: Ensuring the integrity and authenticity of delivered software.
- Bug fixing and vulnerability management: Procedures for handling security issues and vulnerabilities.
- Decommissioning: Secure uninstallation and deletion of the software and its data.
Conclusion
It is encouraging that the BSI is taking measures to promote secure software development. With TR-03185, the BSI provides a comprehensive guide that supports the systematic consideration of security requirements throughout the software lifecycle and thereby increases resilience against cyber attacks. The new guideline has the potential to see broad application and significantly improve the security of software products in many areas.