Manifesto for secure software development

ITL companies want to take on a greater role and responsibility in the secure development of the software they create.

At a time when digitisation has become the norm in almost all fields, it is necessary to pay serious attention to the security of the digital space. The development companies that are members of the Estonian Association of Information Technology and Telecommunications (ITL) want to take on a greater role and responsibility in the secure development of the software they create and have signed a manifesto, i.e., the good practice of secure software development.

Juhan-Madis Pukk, President of ITL, stresses that the initiative of companies sharing common values will give a positive impetus to highlighting the importance of cybersecurity in society and will also benefit the whole sector. “If, for example, an architect starts designing a building in cooperation with a builder, the builder is not interested in what software the architect uses for their work – the specifics should be up to the specialists to decide. However, the important thing is that using secure software should be the norm in both private companies and the public sector. The employees of a company that has accepted the good practice of ITL and their customers will receive confirmation that investing in security is important for the organisation and that best practices are in place to ensure the security of the solutions to be created.”

A number of large companies, which see a sharp increase in digitalisation, are behind the joint initiative.

Ats Albre, member of the board of ITL and CEO of Nortal AS, was one of the initiators of the good practice in the association. “We would like the software created in Estonia to be a security benchmark throughout the world. The decision to sign the manifesto requires a critical assessment of one’s actual capabilities from the subscriber, because we take responsibility for ourselves and our clients. For us, signing up is a sign of quality and a promise to customers that the security of software development is well-managed, integrated, evolving, and responsible.”

“Analysts, architects, and programmers cannot develop secure software alone – an owner of a company must also set security as a priority,” said Arne Ansper, Chief Technology Officer at Cybernetica. “Cybernetica has decades of experience in developing secure software to the highest standards, and we believe that all systems should have as little attack surface as possible. It is for this reason that we participated in drawing up this manifesto to promote secure and privacy-oriented system development.”

Just as important as the promise of the IT company to be a partner offering secure software solutions is the awareness and ability of customers, or service buyers, to order secure software.

According to Kalev Pihl, Chairman of the Board of SK ID Solutions AS, as a customer, their company is definitely above average in their demands, but understandably, such competence is not available to everyone. “On the other hand, we also think that, as a customer, one should not try to write everything in the contracts – a good level of information security hygiene from IT engineers should be a given. Those who follow the good practice take this responsibility without the contractual partner having to specifically set this as a requirement, which in turn allows the company to focus on other things when ordering IT work and significantly reduces fears regarding critical investments.”

At the moment, 21 development companies have joined the good practice for secure software development established by ITL.

IT companies call on all software development companies to follow the good practice: entrepreneurs and subscribers, ask for secure software development and ensure that your business-critical processes will not be vulnerable in the future; contracting authorities, include in the tender specifications the requirement to comply with the good practice for secure software development.