New Guide Addresses Software Security in SDLC Models
A new white paper, published by NIST, recommends a core set of high-level secure software development practices that can be added to any SDLC implementation.
The National Institute of Standards and Technology is seeking the public's opinion on how best to mitigate software vulnerabilities through a set of draft practices that form part of a software development lifecycle (SDLC).
Specifically, NIST, a non-regulatory agency of the U.S. Department of Commerce, is looking for feedback on a whitepaper it published last week (.PDF) describing a set of practices, part of a secure software development framework (SSDF) to be added to an SDLC, that can be used by business owners, software developers, and cybersecurity professionals.
The goal of the document is multi-pronged; it is designed to assist stakeholders in decreasing the number of security vulnerabilities in software, lowering the cost of software development, ensuring software meets prescribed requirements, and bolstering efficiency throughout the organization.
"Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes," the document reads.
The paper breaks the practices down into four groups: practices that help prepare the organization, protect the software, produce well-secured software, and respond to vulnerability reports.
The SSDF references a handful of existing frameworks throughout, including the latest iteration of BSIMM, the BSA Framework for Secure Software, OWASP (SCP and TEST), and NIST's own SP 800-53.
The white paper makes it easy for users to map practices to tasks, implementation examples, and correlate them with the applicable frameworks.
For example, if an organization wanted to archive and protect each software release - something that could help analyze vulnerabilities after each release - it could refer to the section on protecting software. According to NIST's documentation, organizations should securely archive copies and components - code, package files, libraries, etc. - in a repository and restrict access to them. The SSDF gives several references, including a fact sheet on version control in the Institute for Defense Analyses' State-of-the-Art Resources guide. Other resources for this particular practice include BSA: PD.1-6, NISTCSF: PR.IP-4, and PCISSLRAP: 5.2, 6.2.
The document, put together by Donna Dodson, Chief Cybersecurity Advisor at NIST, Murugiah Souppaya, a computer scientist at NIST, and Karen Scarfone, a principal consultant for Scarfone Cybersecurity, is comprehensive but still a draft. NIST is seeking comment on the paper through August 5, 2019.