National Cyber Security Centre updates its security guidelines with the support of Software Improvement Group to harmonize standards - SIG

Amsterdam, The Netherlands – Monday 02-09-2024

The National Cyber Security Centre (NCSC-NL), part of the Dutch Ministry of Justice and Security, has collaborated with Software Improvement Group (SIG) to innovate its newly updated security guidelines for web applications.

Since 2012, the National Cyber Security Centre (NCSC-NL) has been publishing its ICT security guidelines for web applications. The guidelines emphasize the importance of measures to prevent digital breaches and to enhance organizational digital resilience.

In its latest update, the guidelines reference existing standards through the OpenCRE platform for the first time. OpenCRE, an open-source platform founded through the OWASP foundation, coordinates security initiatives by linking various standards and guidelines into a single resource.

“New security standards often overlap with existing ones, not always being of much added value in the overall landscape. NCSC-NL gladly helps the users of our guidelines to link the measures to other existing standards via OpenCRE. If you already comply with another standard, you do not have to take the same measure twice.” – Koen Sandbrink from the NCSC-NL

The image shows a comparison between a Dutch application security standard and its mapping to a common requirement at OpenCRE.org. On the left, a table from the Dutch standard outlines a security guideline for terminating web application sessions, including the objectives, risks, and classification, with a reference to CRE 470-731. In the middle, the OpenCRE.org interface displays the requirement to minimize session life, linking it to several CREs, including 'Ensure session timeout (soft/hard)'. On the right, the specific CRE 065-782 on OpenCRE.org elaborates on the requirement to ensure session timeout, with associated standards and sources.

OpenCRE was created by software security professionals Rob van der Veer (SIG) and Spyros Gasteratos (Smithy). CRE stands for Common Requirement Enumeration. It harmonizes security standards and guidelines into a single resource at OpenCRE.org. For the framework of the Common Requirements, Software Improvement Group (SIG) donated the SIG software security model, which is peer-reviewed and based on ISO/IEC 25010. The model has been tried and tested since 2013 in numerous research projects and security engagements with SIG clients.

“We commend NCSC-NL for their vision and are extremely proud that OpenCRE is now used as the main reference mechanism to link to other standards. In addition, it’s great to see that SIG is acknowledged as a contributor to such an important resource.” – Rob van der Veer, co-founder of OpenCRE, and Senior Principal Expert at Software Improvement Group

OpenCRE is accelerating as a platform. Besides NCSC-NL, organizations around the world are adopting OpenCRE, including the Cloud Security Alliance and vendors such as IriusRisk and Codific. SIG also uses it to enhance the recently released AI explanation feature in its software assurance platform, Sigrid®.

For more information, please visit OpenCRE, NCSC, or Software Improvement Group’s website.

About Software Improvement Group


Software Improvement Group (SIG) leads in traditional and AI software quality assurance, empowering businesses and governments worldwide to drive success with reliable and robust IT systems. Sigrid® - its software excellence platform - analyzes the world’s largest benchmark database of over 200 billion lines of code across more than 18,000 systems in 300+ technologies, and intelligently recommends the most crucial initiatives for organizations. SIG complies with multiple ISO/IEC standards, including ISO/IEC 27001 and 17025, and has co-developed ISO/IEC 5338, the new global standard for AI lifecycle management. SIG was founded in 2000 and has offices in New York, Copenhagen, Brussels, and Frankfurt, and is headquartered in Amsterdam.

Sigrid, together with expert consultants and nearly 25 years of industry-leading research, positions SIG as the foremost authority on software excellence.

For more information, please visit Software Improvement Group's website or social media channels.

About OpenCRE


OpenCRE is the brainchild of software security professionals Spyros Gasteratos and Rob van der Veer, who joined forces to tackle the complexities and segmentation in current security standards and guidelines. They collaborated closely with many initiatives, including SKF, OpenSSF and the OWASP Top 10 project. OpenCRE is an open-source platform overseen by the OWASP foundation.