NIST proposes Secure Software Development Framework

Ever since Bill Gates fired off his famous Trustworthy Computing memo in January 2002, developing secure software has been a hot topic of discussion. It was important before then, for sure, but it was often overlooked. It took a series of high-profile worms such as Code Red and Nimda and a series of breaches to get the attention of Microsoft and kick off the initiative that would become known as Trustworthy Computing and the creation of the security development lifecycle.

Still, developing secure software has remained elusive. According to the most recent data breach investigations report, the exploitation of web applications remains a top attack vector. It’s especially challenging for small and mid-sized organizations to put the processes in place necessary to produce secure software.

The National Institute of Standards and Technology seeks to change that and help develop a secure software development framework (SSDF) that can be incorporated into each organization’s software development lifecycle.

Through August 11, NIST is seeking comments on its recently published draft paper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (pdf).

As the authors of the paper put it, few software development models explicitly address software security, which means secure development practices have to be added to the process if software is going to be developed securely. NIST’s new paper is developing recommendations for an essential set of high-level secure software development practices.

This draft paper is intended as a starting point for discussing the concept of a secure software development framework, the authors wrote. While the initial paper lacks a comprehensive take on secure software development frameworks, the authors say future versions will expand on more topics including how an SSDF may apply to different software development methodologies, and how an organization incorporate the practices specified by the SSDF into their current software development practices. “It is likely that the future work will primarily take the form of use cases so the insights will be more readily applicable to certain types of development environments,” the authors wrote.

Ultimately, the authors hope the paper prompts communication about secure software development practices among business owners, software developers, and cyber security professionals. Following the practices within the framework, meanwhile, could help software makers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes.

*** This is a Security Bloggers Network syndicated blog from Cybersecurity Matters – DXC Blogs authored by Cybersecurity Matters. Read the original post at: