
Axis Addresses Cybersecurity Risks in Software Development with a Native Security Model

Axis Communications, a Swedish company that specializes in network video surveillance and access control solutions, has implemented an internally developed methodology called the Axis Security Development Model – ASDM. The ASDM provides a baseline for cybersecurity by describing different security activities that should be considered throughout the software development phases, with a focus on communication between all stakeholders involved. This includes the setting of application requirements, design and implementation, verification, and deployment. As part of this process, developers, architects, and product owners are held accountable for making critical decisions that are hard to change once the software is fully built.

The ASDM toolbox recommends various security activities such as risk assessment, threat modeling, threat model testing, static code analysis, vulnerability scanning, and vendor assessment. Depending on the type of software to be developed, development teams can choose to either engage in certain activities or avoid them altogether. ASDM provides a risk-based approach, ensuring that security-related activities are conducted when they matter the most, rather than solely focusing on compliance with a process. The goal is to achieve cybersecurity by reducing vulnerabilities and development costs.

This methodology was developed because Axis acknowledges that coding bugs and errors may lead to security vulnerabilities that could be exploited in an attack. Although error-free software releases are uncommon in the industry, security risks should be identified and addressed to the highest feasible degree, rather than fixed after tests are conducted on fully developed software.

How Does ASDM Work?

Working with ASDM begins with an assessment of whether a new feature or application poses a security risk. A risk assessment is followed by threat modeling and testing during which the use cases, threats, and countermeasures are determined. The code is reviewed and analyzed, while verification is done to promote cybersecurity. By adopting the Axis Security Development Model, Axis wants to integrate security into software development to effectively reduce security risks.

Axis conducts regular penetration tests, or simulated cyberattacks, on its software with the help of third-party companies. These tests offer an unbiased review of the company’s software and aid in enhancing its overall security efforts. Next, the Axis Software Security Group uses the results of the tests to evaluate the progress made through its Security Development Model (ASDM) and determine areas for improvement.

The Axis Product Security Team also takes into consideration any newly discovered vulnerabilities reported by external security researchers to enhance its products and way of working. The Axis Security Development Model is an ongoing process, continuously evolving and improving.

One of the more significant aspects of the Axis Security Development Model is that it is a team-centric approach. The development teams responsible for creating the software are also accountable for its security. More than 1100 developers across 50 development teams use ASDM in their daily work. The Axis Software Security Group (SSG) provides training and the security toolbox, while also following up with the various teams to improve ASDM where necessary.

Moreover, the SSG satellites help fine-tune ASDM to each team’s unique needs since there are various technology stacks and operational practices. The software team managers and directors are responsible for overseeing their team’s ASDM work and ensuring the software’s overall security.

Why Was ASDM Launched?

Axis Communications developed the Axis Security Development Model (ASDM) in 2015, and it was made mandatory for all software development teams at the company to follow in 2017. Before its implementation, each development team had its own best practices for software development that were influenced by Axis’ culture of ownership, engineering achievements, transparency, and peer review. Although the teams produced high-quality code, there was no common approach to incorporating security considerations into the development process. Furthermore, the increasing importance of cybersecurity and the development of best practices created a need for better ways of working.

To establish a common and effective approach to cybersecurity, Axis evaluated existing cybersecurity standards and frameworks, such as ISO 27001, IEC 62443, NIST, BSIMM, and CMMC, that directly or indirectly address security in development. The standards and frameworks highlight the importance of integrating security into different stages of the development process and provide guidelines for best practices, as well as a common vocabulary for communication around cybersecurity.

However, ASDM is not simply a one-size-fits-all implementation of an existing standard or framework. Instead, it incorporates useful elements from various standards and frameworks and is customized to align with Axis’ company culture and development practices. This tailored model ensures its relevance for different types of software and its ability to accommodate new best practices as cyber threats and countermeasures continue to evolve. Finally, ASDM enables Axis software development teams to integrate security into their software and achieve the most significant impact possible.
