“Earlier this Summer, the National Institute of Standards and Technology (NIST), a part of the US Department of Commerce, proposed a set of standards to address software supply chain attacks – and the growing need for better software security. recommendation is one we’re starting to see more and more of from government agencies – and something we certainly applaud.
NIST Secure Software Development Framework
NIST proposes a software design framework to support four key goals:
- Preparing the Organization
- Protecting the Software
- Producing Well-Secured Software
- Responding to Vulnerability Reports
“The practices provide flexibility for implementers, but they are also clear to avoid leaving too much open to interpretation,” says the whitepaper. NIST proposes several steps to serve each of the four goals.
For example, under “Producing Well-Secured Software,” NIST makes the following nine recommendations.
- Take Security Requirements and Risk Information into Account During Software Design
- Review the Software Design to Verify Compliance with Security Requirements and Risk Information
- Verify Third-Party Software Complies with Security Requirements
- Reuse Existing, Well-Secured Software When Feasible Instead of Duplicating Functionality
- Create Source Code Adhering to Secure Coding Practices
- Configure the Compilation and Build Processes to Improve Executable Security
- Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
- Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements
- Configure the Software to Have Secure Settings by Default
The whitepaper offers specific steps an organization should take to implement each recommendation – which is timely, as The Washington Post also revealed earlier this Summer that eight federal agencies failed to comply with ‘basic cybersecurity standards.’
A Push Toward Strong Cybersecurity Hygiene Practices
*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: https://blog.sonatype.com/nist-proposes-standards-to-secure-government-sdlc