
US, Australia Release New Security Guide for Software Makers

CISA, FBI, and ACSC have published guidance to help software manufacturers establish secure deployment processes.

Software manufacturers should implement a safe software deployment program that supports and enhances the security and quality of both products and deployment environments, new joint guidance from US and Australian government agencies underlines.

The document, authored by the US cybersecurity agency CISA, the FBI, and the Australian Cyber Security Centre (ACSC), is meant to help software manufacturers ensure their products are reliable and safe for customers by establishing secure software deployment processes; it also steers manufacturers toward efficient deployments as part of the software development lifecycle (SDLC).

“Safe deployment processes do not begin with the first push of code; they start much earlier. To maintain product quality and reliability, technology leaders should ensure that all code and configuration changes pass through a series of well-defined phases that are supported by a robust testing strategy,” the authoring agencies note.

Released as part of CISA’s Secure by Design push, the new ‘Safe Software Deployment: How Software Manufacturers Can Ensure Reliability for Customers’ (PDF) guidance is suitable for software or service manufacturers and cloud-based services, CISA, FBI, and ACSC note.

Mechanisms that can help deliver high-quality software through a safe software deployment process include robust quality assurance processes, timely issue detection, a well-defined deployment strategy that includes phased rollouts, comprehensive testing strategies, feedback loops for continuous improvement, collaboration, short development cycles, and a secure development ecosystem.

“Strongly recommended practices for safely deploying software are rigorous testing during the planning phase, controlled deployments, and continuous feedback. By following these key phases, software manufacturers can enhance product quality, reduce deployment risks, and provide a better experience for their customers,” the guidance reads.
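To make the phased-rollout and feedback-loop ideas above concrete, here is an added illustration that is not part of the guidance or of this article: a small deployment gate that widens the cohort running a new release only while observed telemetry stays inside a per-stage error budget, pauses when there is too little data to judge, and falls back to the contingency path (rollback) when a gate is breached. The stage names, percentages, thresholds, and the per-stage telemetry are constructed assumptions, not values from the guidance.

```python
"""Phased rollout with health gating, hold and automatic rollback.

Added illustration (not from the CISA/FBI/ACSC guidance or SecurityWeek): a
controller that promotes a release through widening cohorts only while
telemetry passes each stage's gate. Plan values and telemetry are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Stage:
    """One rollout phase: the fleet share it covers and the gate it must pass."""
    name: str
    percent: int            # share of the fleet running the new release
    max_error_rate: float   # roll back if the observed error rate exceeds this
    min_requests: int       # refuse to judge the stage on fewer samples


@dataclass(frozen=True)
class Telemetry:
    """Aggregated signals from the cohort running the new release."""
    requests: int
    errors: int

    @property
    def error_rate(self) -> float:
        return self.errors / self.requests if self.requests else 0.0


@dataclass
class RolloutResult:
    status: str                                   # "promoted", "held" or "rolled_back"
    completed: List[str] = field(default_factory=list)
    reason: str = ""
    log: List[str] = field(default_factory=list)  # audit trail of every decision


# Assumed plan: cohorts widen only as the evidence base grows, and the
# tolerated error rate tightens. Values are illustrative, not from the guidance.
DEFAULT_PLAN = [
    Stage("canary", 1, 0.020, 200),
    Stage("early", 10, 0.010, 1000),
    Stage("broad", 50, 0.005, 5000),
    Stage("full", 100, 0.005, 10000),
]


def run_rollout(observe: Callable[[Stage], Telemetry],
                plan: List[Stage] = DEFAULT_PLAN) -> RolloutResult:
    """Promote through the plan while every gate passes; otherwise hold or roll back."""
    result = RolloutResult("promoted")
    for stage in plan:
        t = observe(stage)
        result.log.append(f"{stage.name}@{stage.percent}%: {t.errors}/{t.requests} "
                          f"errors (rate {t.error_rate:.4f})")
        if t.requests < stage.min_requests:
            # Not enough evidence yet: pause the rollout rather than guess.
            result.status = "held"
            result.reason = (f"{stage.name}: only {t.requests} requests, "
                             f"need {stage.min_requests}")
            return result
        if t.error_rate > stage.max_error_rate:
            # Gate breached: the contingency path is to roll the cohort back.
            result.status = "rolled_back"
            result.reason = (f"{stage.name}: error rate {t.error_rate:.4f} "
                             f"exceeds {stage.max_error_rate}")
            return result
        result.completed.append(stage.name)
    return result


def rollout_from_samples(samples: Dict[str, Telemetry]) -> RolloutResult:
    """Drive run_rollout from a fixed table of per-stage telemetry (constructed data)."""
    return run_rollout(lambda stage: samples.get(stage.name, Telemetry(0, 0)))


# Constructed telemetry for three hypothetical releases.
HEALTHY = {"canary": Telemetry(500, 5), "early": Telemetry(2000, 10),
           "broad": Telemetry(8000, 24), "full": Telemetry(20000, 40)}
REGRESSING = {"canary": Telemetry(500, 4), "early": Telemetry(2000, 50)}
TOO_EARLY = {"canary": Telemetry(100, 0)}


if __name__ == "__main__":
    for label, samples in (("healthy", HEALTHY), ("regressing", REGRESSING),
                           ("too early", TOO_EARLY)):
        r = rollout_from_samples(samples)
        print(f"{label}: {r.status} after {r.completed} {r.reason}")
        for line in r.log:
            print("   ", line)
```

The design point is that the gate tightens as exposure grows: a 2% error rate may be tolerable on a 1% canary but not across half the fleet, and a stage is never judged on too few requests, so a quiet canary results in a hold rather than a false pass. The audit log is what feeds the "continuous feedback" loop and the customer-notification step the guidance asks for.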


The authoring agencies encourage software makers to define goals, customer needs, potential risks, costs, and success criteria during the planning phase and to focus on coding and continuous testing during the development and testing phase.

They also note that manufacturers should use playbooks for safe software deployment processes, as they provide guidance, best practices, and contingency plans for each development phase, including detailed steps for responding to emergencies, both during and after deployments.

Additionally, software makers should implement a plan for notifying customers and partners when a critical issue emerges, and should provide clear information on the issue, impact, and resolution time.

The authoring agencies also warn that customers who prefer older software versions or configurations in order to avoid risks introduced by new updates may expose themselves to other risks, especially when those updates deliver vulnerability patches and other security enhancements.

“Software manufacturers should focus on improving their deployment practices and demonstrating their reliability to customers. Rather than slowing down deployments, software manufacturing leaders should prioritize enhancing deployment processes to ensure both security and stability,” the guidance reads.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
