In software development, there are risks – most commonly bugs or errors in coding – that may lead to security vulnerabilities that could be exploited in an attack. Though it is rare in the industry to have software releases that are completely error-free, bugs and other improper implementations that pose security risks should be identified and fixed. However, if the security work is limited to fixing problems found only after tests are conducted on fully developed software, such fixes – while important – may well only be cosmetic, as they may not adequately address underlying issues.
At Axis, we believe that security considerations should be addressed right from the start and throughout the development process – not just at the end. This is because multiple decisions are taken at different software development phases, from the setting of application requirements, and the design and implementation phases, to verification and deployment. In each phase, developers, architects and product owners will be making decisions that are hard to change once the software is fully built.
Axis Security Development Model
To effectively address cybersecurity and ensure that it is integrated into the software development lifecycle, Axis has put in place a methodology called the Axis Security Development Model (ASDM). It describes the different security activities that should be considered during the different phases of software development. The purpose is to reduce vulnerabilities – as well as development costs – by establishing a baseline for cybersecurity and providing guidance. It makes it easier for development teams to know what is expected and to communicate security-related decisions.
The ASDM toolbox prescribes a range of activities – risk assessment, threat modelling, threat model testing, static code analysis, vulnerability scanning and vendor assessment – that enable a variety of security problems to be addressed. Development teams may or may not engage in certain activities depending on the kind of software to be developed. ASDM provides for a risk-based approach, which is ideal because it ensures that security-related activities are conducted when they matter the most. The goal is to achieve cybersecurity rather than to achieve compliance with a process.
All ASDM work starts with an assessment of whether a new feature or application presents a security risk. In most cases, a risk assessment is followed by, among other things, threat modelling and threat model testing. The system, the use cases, the threats and the countermeasures are determined. The code is reviewed and analyzed, and verification is performed.
Penetration tests (simulated cyberattacks) on various pieces of Axis software are conducted yearly by specialist third-party companies. The tests, which are initiated by Axis and our partners, provide an independent review of our software and contribute to the company’s software security efforts. The test results are used by the Axis Software Security Group to evaluate the work done through ASDM and to assess whether the ASDM needs to be improved. The same applies to findings of newly discovered vulnerabilities that are reported by external security researchers to the Axis Product Security Team. The findings of both external security researchers and third-party penetration tests help to improve our products and way of working. It is important to note that the Axis Security Development Model is a constant work in progress.
A key element of the Axis Security Development Model is its team-centric approach. The development team that creates the software is also responsible for the software’s security state. More than 1100 developers across 50 development teams at Axis apply ASDM in their daily work. Assisting the development teams with this work are more than 40 developers working in the Axis Software Security Group (SSG) and SSG satellites of first-line support. The SSG is responsible for providing training and the security toolbox, as well as following up with the various teams and making enhancements to ASDM when required. The SSG satellites, meanwhile, help tune ASDM to each team’s needs since there are many different technology stacks and ways of working. Managers and directors of the software teams are then responsible for following up on the teams’ ASDM work and for the security of the software.
ASDM was established in 2015 and became mandatory for Axis software development teams to follow in 2017. Prior to its introduction, Axis development teams followed different best practices for software development, inspired by the common Axis culture that encourages ownership, engineering pride, transparency, and peer review. While the teams achieved high-quality code, Axis had no common way of defining the preferred way of incorporating security considerations into the development process. The increased importance of cybersecurity and evolving best practices also created a need for improved ways of working.
To find a common and workable approach, Axis reviewed existing cybersecurity standards and frameworks – such as ISO 27001, IEC 62443, NIST, BSIMM and CMMC – that directly or indirectly address security in development. The common thread in these standards and frameworks is that security must be incorporated into different phases of development. They also guide users toward best practices and create a common vocabulary that makes it easier for different stakeholders to communicate around cybersecurity.
ASDM, however, is not a simple implementation of any one existing standard or framework. It adopts many beneficial aspects of different standards and frameworks, and is tailored to fit the Axis company culture and development practices. Having a tailored model allows it to be relevant for various types of software. And in an environment of continuously evolving cyberthreats and countermeasures, it is also able to accommodate new best practices. In short, ASDM enables Axis software development teams to achieve the biggest impact possible and truly integrate security into software.