What is essential for Trustworthy Software?
Learn more about the Trustworthy Software Essentials scheme
Following the announcement of the Trustworthy Software Essentials scheme by the Trustworthy Software Initiative (TSI), Nexor is pleased to announce its full support for the scheme.
What is Trustworthy Software Essentials all about?
Trustworthy Software Essentials is a baseline approach to developing software and complements the more exhaustive framework defined in the PAS754:2014 standard, which was launched in 2014.
Trustworthy Software Essentials provides a way to ensure that the software we use daily is sufficiently trustworthy for purpose, whilst minimising effort and costs required to implement.
Trustworthy Software Essentials itemises a baseline set of techniques, grouped across five objectives, which can be remembered by the acronym “SCUDA”:
- Scope for use
- Coding approach
- Use tools effectively
- Defect management
- Artefact management
Watch this introductory video from the TSI to find out more about Trustworthy Software Essentials.
Why Nexor supports the introduction of Trustworthy Software Essentials
At Nexor, we welcome the launch of the baseline set of controls defined in Trustworthy Software Essentials to help those software vendors at the beginning of their journey to incorporate security into their products. As well as vendors, it is important for the end users and other stakeholders in the cyber security sector to be aware of the schemes now in place in order to make informed choices.
To that end, we regularly support the TSI with dissemination of this important message, including presenting on the topic of Trustworthy Software at the recent Security & Policing show organised by the UK Government’s Home Office.
The software development market is still immature in terms of its professionalism. There is a lack of defined standards for organisations to use to determine the trustworthiness of their solutions. This creates an environment where quality, in terms of the 5 facets of Trustworthiness (Security, Safety, Resilience, Availability and Reliability), is often neglected or poorly understood by the industry.
We need to raise the bar, and a very clear parallel can be seen in the UK Government’s Cyber Essentials scheme, which defines 5 basic controls that any organisation should deploy to help protect itself from cyber attack. The Cyber Essentials scheme has been widely adopted in the UK, and is helping organisations start to understand what they need to do to protect their businesses.
The aim of the Trustworthy Software Essentials standard is to do the same for software providers – it’s better to be doing the basics than nothing at all!
Nexor’s approach to secure software development
As the TSI video above outlines, Trustworthy Software Essentials is intended to support software vendors at the lower levels:
- TL 1 – Essential Practices (Software trustworthiness delivered in a due diligence manner);
- TL 2 – Assessed Practices (Software trustworthiness delivered by managed processes).
At Nexor, our software development is at the higher levels and is based on the full PAS754 standard:
- TL 3 – Enhanced Practices (Software trustworthiness delivered by established processes);
- TL 4 – Specialist Practices (Software trustworthiness delivered by predictable or optimised processes).
As a founding contributor to the overarching PAS754 Trustworthy Software Standard, Nexor develops all of its software using our unique CyberShield Secure methodology, which forms part of our services portfolio and encompasses the recommendations of the PAS754 standard.
A higher level of trust is built into our software so that it can support secure information exchange for defence, government and critical national infrastructure organisations that need that level of assurance.
Author Bio - Andrew Kays
Andrew was the Managing Director at Nexor from 2014-17. He has extensive experience in project management and the development of secure solutions across a number of industries including defence, logistics and finance. Andrew is a Certified Secure Software Lifecycle Professional (CSSLP). In April 2017, Andrew will be setting up his own business to help the UK tackle the cyber skills shortage.