Software development security is a generic term that encompasses a set of strategies that work together to protect digital data. The goal of software security is to ensure the confidentiality, integrity, and availability of information processed by an application service. It is imperative to integrate development security from the design phase and throughout the software lifecycle. By adopting this approach, developers can ensure that the software developed adheres to the best security practices. Implementing security measures after software deployment is significantly more costly and generally offers only limited protection compared to security integrated from the beginning of the process.

Following the work carried out in 2021 on software security practices, the DGSSI wishes to further strengthen the measures made available to administrations, public institutions, as well as public and private critical infrastructures to enable them to conduct the recommended tests during the development cycle in accordance with the policies and secure development frameworks in place.

In this regard, the DGSSI has developed a verification framework for application security containing a set of requirements and tests. This framework, based on version ASVS 4.0.3 published in October 2021 by the OWASP community, can be used for various purposes, including defining, building, testing, and verifying secure applications. It is based on a set of security requirements and controls based on functional and non-functional tests that must be applied during the design, development, and testing of applications. It applies to all software development models and aims to achieve two main objectives:

1.   Helping organizations develop and maintain secure applications (guide for automated unit and integration tests, guide for secure development training);
2.   Enabling security service providers, security tool providers, and consumers to align their requirements with the offerings (guide for acquiring secure software).

Furthermore, three levels of security verification have been defined. Level three represents the highest level of assurance.

•     Level 1: is a low assurance level. It includes basic penetration tests. This level is a first step towards progressively securing the applications of an entity. It is sometimes sufficient for applications that do not store or process sensitive data and therefore do not require the rigorous controls contained in levels 2 or 3.
•     Level 2: is necessary for applications that process sensitive data and require appropriate protection. This level is generally recommended for most applications.
•     Level 3: is intended for critical applications that process highly sensitive data or require a high level of trust.

Depending on risk analysis and business requirements, each organization must determine the appropriate level of requirement. Additionally, to effectively manage security issues, it is necessary to integrate a security-focused approach throughout the development process. This reduces the risk of overlooking important security requirements and avoids making critical errors in software design.