
NIST: Adopt a Secure Software Development Framework (SSDF) to Mitigate Risk of Software Vulnerabilities

This spring, the National Institute of Standards and Technology (NIST) released updated recommendations (.pdf) to improve software resilience against vulnerabilities. They build on an earlier, four-part framework released last year.

As the agency explains:

Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure the software being developed is well secured. This whitepaper recommends a core set of high-level secure software development practices called a secure software development framework (SSDF) to be integrated within each SDLC implementation.

NIST updated the framework to provide guidance on assessing cybersecurity risks within the open source components developers use, building a software bill of materials (SBOM) to track the use and whereabouts of OSS components in which vulnerabilities may be discovered in the future, and integrating automated security controls throughout the SDLC. NIST understands that secure software development practices are critical for federal agencies to deliver successful digital transformations, ship higher quality applications, and stay one step ahead of adversaries.

In our 2019 State of the Software Supply Chain Report, we compared teams with and without automated open source governance capabilities to reveal the benefit of building applications using secure software development practices. Development teams that regularly and automatically analyze and track open source components throughout the SDLC reduce the presence of known vulnerable components by 55%.
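The two practices above, tracking components in an SBOM and automatically checking them throughout the SDLC, come together in a simple pipeline gate: read the SBOM, match each component against an advisory list, and fail the build when an affected version is present. The following is an added example, not code from NIST, Sonatype, or the original post. The SBOM is in a CycloneDX-like shape, and the advisory entries, package names and identifiers are constructed placeholders; a real pipeline would consume a generated CycloneDX or SPDX document and a live vulnerability feed, and would use a proper version-range matcher rather than the simplified dotted-integer comparison used here.

```python
"""Match a minimal SBOM against an advisory list and gate a build on the result.

Added example, not NIST's or Sonatype's code. All package names, versions and
advisory identifiers below are constructed placeholders.
"""
import json

# Constructed sample SBOM in a CycloneDX-like shape (illustrative, not real data).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.3.1",
         "purl": "pkg:maven/org.example/example-parser@2.3.1"},
        {"type": "library", "name": "example-logger", "version": "1.0.9",
         "purl": "pkg:maven/org.example/example-logger@1.0.9"},
        {"type": "library", "name": "example-http", "version": "4.2.0",
         "purl": "pkg:maven/org.example/example-http@4.2.0"},
    ],
})

# Constructed advisory feed: each entry names the affected package coordinates
# and the first fixed version. The ids are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "package": "pkg:maven/org.example/example-parser",
     "fixed_in": "2.4.0", "severity": "high"},
    {"id": "ADVISORY-PLACEHOLDER-2", "package": "pkg:maven/org.example/example-logger",
     "fixed_in": "1.0.9", "severity": "medium"},
]


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings.

    Simplified: assumes purely numeric dotted versions (no qualifiers)."""
    return tuple(int(part) for part in version.split("."))


def package_coords(purl):
    """Strip the '@version' suffix from a purl to get the package coordinates."""
    return purl.split("@", 1)[0]


def load_components(sbom_json):
    """Return (package coordinates, version) pairs from a CycloneDX-like SBOM."""
    bom = json.loads(sbom_json)
    return [(package_coords(c["purl"]), c["version"]) for c in bom.get("components", [])]


def find_vulnerable(sbom_json, advisories):
    """Return one finding per (component, advisory) where the shipped version
    is below the advisory's fixed version."""
    findings = []
    for coords, version in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == coords and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({"package": coords, "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed_in"]})
    return findings


def gate(findings, block_at=("high", "critical")):
    """Pipeline gate: True (fail the build) if any finding meets a blocking severity."""
    return any(f["severity"] in block_at for f in findings)


if __name__ == "__main__":
    results = find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    for f in results:
        print(f"{f['package']}@{f['version']}: {f['advisory']} ({f['severity']}), fixed in {f['fixed_in']}")
    print("build blocked" if gate(results) else "build allowed")
```

Run against the constructed data, the matcher reports only the parser component (2.3.1 is below the fixed version 2.4.0), while the logger at exactly its fixed version is not flagged, and the high-severity finding causes the gate to block the build. Re-running the same matcher against a refreshed advisory feed is what lets an SBOM answer "where are we running this component?" when a vulnerability is disclosed after release.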

image: 2019 Software Supply Chain report

Software supply chains across industry and government are a primary target for adversaries today. The result: open source related breaches have jumped 71% over the past five years. Further, 22% of public sector developers reported a breach tied to their application development practices within the last 12 months, according to our latest DevSecOps Community Survey. Although the government sector had the highest percentage (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Jason Green. Read the original post at: https://blog.sonatype.com/nist-adopt-a-secure-software-development-framework-ssdf-to-mitigate-risk-of-software-vulnerabilities