It invites stakeholders to take part
The DGSSI wishes, through these documents, to further strengthen the mechanisms made available to administrations, public establishments as well as public and private infrastructures of vital importance.
The protection of digital data is more than ever a primary concern for public bodies. In Morocco, the Directorate General for Information Systems Security plays a central role in raising awareness and supporting these structures against cyberattacks. During the month of May alone, this Department issued more than forty security bulletins on the vulnerability of computer systems. It has recently published two reference documents in this field, in the continuity of the work developed previously. The first is an application security verification repository. The second is a good practice guide on evaluating the security maturity of the software development life cycle.
Provide end-to-end protection
The DGSSI wishes, through these documents, to further strengthen the mechanisms made available to administrations, public establishments as well as public and private infrastructures of vital importance. This is to allow them to carry out the recommended tests during the development cycle in accordance with the policies and secure development standards in force, indicates the DGSSI. Said framework is based on a set of security requirements and controls based on functional and non-functional tests that must be applied during the design, development and testing of applications. It applies to all models of software development. The objective is to help public bodies develop and maintain secure applications and enable security service providers, security tool providers and consumers to align their requirements with the offers offered. “The objective of software security is to ensure the confidentiality, integrity and availability of information processed by an application service. It is imperative to integrate security from the design phase, and to respect it throughout the life cycle of the software. By adopting this approach, developers can affirm that the software developed respects the best security practices. The implementation of security measures after the deployment of software is significantly more expensive and generally offers only limited protection compared to the security integrated from the start of the process following this reference system”, indicates the DGSSI. Indeed, it is essential to include the security component throughout the development process to effectively manage security issues. “This reduces the risk of ignoring security requirements that may be important on the one hand and on the other hand, to avoid making critical errors in the design of the software”, notes the same source. It must be said that software development security is an umbrella term that involves establishing a set of strategies that work together to help protect digital data. As the DGSSI explains in its document, “the objective of software security is to ensure the confidentiality, integrity and availability of information handled by an application service”.
The different levels of security
Three levels of security verification have been selected. The third represents the highest level of assurance while the first is a low level of assurance. It includes classic intrusion tests. This level constitutes a first step in progressively securing an entity’s applications. It is also sometimes sufficient for applications that do not store or process sensitive data and therefore do not require the stringent controls contained in Levels 2 or 3. Level 2 is necessary for applications that contain sensitive data and which require appropriate protection. This level is generally the recommended level for most applications. Level 3 is intended for critical applications, which process highly sensitive data, or which require a high level of trust. “Based on the analysis of risk and business requirements, each organization must determine the appropriate level of requirement. Also, to effectively manage security issues, it is necessary to integrate security-focused thinking throughout the development process. This reduces the risk of ignoring security requirements which may be important on the one hand and on the other hand, to avoid making critical errors in the design of the software.
75% of attacks target software
About 75% of attacks on the Internet have exploited security flaws specific to software, indicates the DGSSI referring to the firm “Software Improvement Group”. Management recommends integrating the notion of risk into the life cycle of software development projects. The objective is to propose a series of actions, spread over the entire design and development cycle of a product and which fits into the existing project methodology of each entity. “The involvement of all stakeholders (Developers, Security/Risk Managers, Operations) is a guarantee of security in this process”, underlines the same source. In this sense, the DGSSI has drawn up a guide relating to the maturity of the software development cycle. The proposed approach can be applied to all types of projects. This is to “further develop the culture of application security at the national level”. From there, the DGSSI invites all the stakeholders to carry out the assessment proposed in this document and to inform it of the results in order to consolidate a document relating to the maturity of the security of the software development cycle at the national level.