ITL signed the manifesto for secure software development

At a time when digitisation has become the norm in almost all fields, it is necessary to pay serious attention to the security of the digital space. The development companies that are members of the Estonian Association of Information Technology and Telecommunications (ITL) want to take on a greater role and responsibility in the secure development of the software they create and have signed a manifesto, i.e., the good practice of secure software development.

Juhan-Madis Pukk, President of ITL, stresses that the initiative of companies sharing common values will give a positive impetus to highlighting the importance of cybersecurity in society and will also benefit the whole sector. “If, for example, an architect starts designing a building in cooperation with a builder, the builder is not interested in what software the architect uses for their work – the specifics should be up to the specialists to decide. However, the important thing is that using secure software should be the norm in both private companies and the public sector. The employees of a company that has accepted the good practice of ITL and their customers will receive confirmation that investing in security is important for the organisation and that best practices are in place to ensure the security of the solutions to be created.”

A number of large companies, who see a sharp increase in digitalisation, are behind the joint initiative.
Ats Albre, member of the board of ITL and CEO of Nortal AS, was one of the initiators of the good practice in the association. “We would like the software created in Estonia to be a security benchmark throughout the world. The decision to sign the manifesto requires a critical assessment of one’s actual capabilities from the subscriber, because we take responsibility for ourselves and our clients. For us, signing up is a sign of quality and a promise to customers that the security of software development is well-managed, integrated, evolving, and responsible.”

“Analysts, architects, and programmers cannot develop secure software alone – an owner of a company must also set security as a priority,” said Arne Ansper, Chief Technology Officer at Cybernetica. “Cybernetica has decades of experience in developing secure software to the highest standards, and we believe that all systems should have as little attack surface as possible. It is for this reason that we participated in drawing up this manifesto to promote secure and privacy-oriented system development.”
Just as important as the promise of the IT company to be a partner offering secure software solutions is the awareness and ability of customers, or service buyers, to order secure software.

According to Kalev Pihl, Chairman of the Board of SK ID Solutions AS, as a customer, their company is definitely above average in their demands, but understandably, such competence is not available to everyone. “On the other hand, we also think that, as a customer, one should not try to write everything in the contracts – a good level of information security hygiene from IT engineers should be a given. Those who follow the good practice take this responsibility without the contractual partner having to specifically set this as a requirement, which in turn allows the company to focus on other things when ordering IT work and significantly reduces fears regarding critical investments.”

At the moment, 21 development companies have joined the good practice for secure software development established by ITL.

IT companies call on all software development companies to follow the good practice: entrepreneurs and subscribers, ask for secure software development and ensure that your business-critical processes will not be vulnerable in the future; contracting authorities, include in the tender specifications the requirement to comply with the good practice for secure software development.

As the importance of managing risks and threats related to cybersecurity and the potential damage only grows over time, the ITL, as an advocate for digitalisation, also sees itself playing an increasingly important role in ensuring cybersecurity. Therefore, the development companies that are members of ITL want to take a greater role in the secure development of the software they create.

Our software security strategy is:

• managed – includes targeted and coordinated activities,
• integrated – part of software development processes and methodologies,
• evolving – based on modern knowledge,
• responsible – ensures that risks are regularly explained to customers.

More specifically, from the point of view of the development company, this means that:

• We consider that the safe development of software requires separate management.

o Each software project has a security-focused role that ensures that good security practices are followed and the implementation is consistent throughout the project.
o We have a person responsible for security as a separate competency who ensures an adequate level of security knowledge for the organisation.

• We integrate security measures into our processes.

o We recognise that a one-time audit or penetration test will not produce a consistent result over time, and security will need to be re-validated in the event of system changes and on a regular basis to mitigate the risk of supply chain attacks.
o We automate software security by implementing automated testing, code analysers, and other widely used tools in software construction processes (CI).
o We know that one of the biggest security risks is functionality that is not really needed. We avoid creating unnecessary complexity and using complex technology or unreasonable tools.

• We follow the guidelines and best practices for the safe development and use of the programming languages, frameworks, and environments that we use, and we continually improve our skills.

o We ensure that all our employees receive regular security training appropriate to their role and responsibilities.
o We use modern technologies that continue to evolve.
o We keep abreast of trends and risks in the field of cybersecurity and adjust our systems, processes, and methodologies accordingly.

• We explain security related aspects to the customer and do not expect them to worry about such issues themselves.

o We recommend that the customer abandon risky functionalities that threaten security and help them find alternative solutions.
o We clearly and unambiguously communicate to customers the significant risks associated with software solutions and their possible consequences.
o We respond immediately to major incidents. We inform both the client and CERT-EE.