DATAINSIDER

Digital Guardian's Blog

New Guide Addresses Software Security in SDLC Models

by Chris Brook on Tuesday June 18, 2019


A new white paper, published by NIST, recommends a core set of high-level secure software development practices that can be added to any SDLC implementation.

The National Institute of Standards and Technology is seeking the public’s opinion on how to best mitigate software vulnerabilities through draft practices as part of a software development lifecycle (SDLC).

Specifically, NIST, a non-regulatory agency of the U.S. Department of Commerce, is looking for feedback on a whitepaper it published last week (.PDF) on a set of practices, part of a secure software development framework (SSDF) – to be added to an SDLC – that can be used by business owners, software developers, and cybersecurity professionals.

The goal of the document is multi-pronged; it's designed to assist stakeholders in decreasing the number of security vulnerabilities in software, lowering the cost of software development, ensuring software meets prescribed requirements, and bolstering efficiency throughout the organization.

"Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes," the document reads.

The paper breaks the practices down into four groups: practices that help prepare the organization, protect the software, produce well-secured software, and respond to vulnerability reports.

The SSDF references a handful of existing frameworks throughout, including the latest iteration of BSIMM, the BSA Framework for Secure Software, OWASP (SCP and TEST), and NIST's own SP 800-53.

The white paper makes it easy for users to map practices to tasks, implementation examples, and correlate them with the applicable frameworks.

For example, if an organization wanted to archive and protect each software release - something that could help analyze vulnerabilities after each release - they could refer to the section on protecting software. According to NIST's documentation, organizations should securely archive copies and components - code, package files, libraries, etc. - in a repository and restrict access to them. The SSDF gives several references, including a fact sheet on version control in the Institute for Defense Analyses' State-of-the-Art Resources guide. Other resources for this particular practice include BSA: PD.1-6, NISTCSF: PR.IP-4, and PCISSLRAP: 5.2, 6.2.
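The "archive and protect each release" practice described above, as an added example that is not part of the original post or of the NIST paper: a small Python script that copies a release into a versioned archive directory, records a SHA-256 manifest, restricts permissions, and can later verify that nothing in the archive has changed. The file names, version string and file contents are constructed for the example.

```python
"""Added example (not from the NIST paper or Digital Guardian): archive a
release into a restricted, read-only directory with a SHA-256 manifest,
then verify it later. Names, version and contents are constructed."""
import hashlib
import json
import shutil
import stat
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_sample_release(src: Path) -> None:
    """Constructed stand-in for a build output directory."""
    src.mkdir(parents=True, exist_ok=True)
    (src / "app.bin").write_bytes(b"\x7fELF constructed binary")
    (src / "requirements.txt").write_text("requests==2.22.0\n")

def archive_release(src: Path, archive_root: Path, version: str) -> Path:
    """Copy the release to archive_root/<version>, record digests in
    manifest.json, and make the archive read-only for owner and group.
    In practice the manifest should also be signed or kept separately,
    since anyone able to alter the archive could rewrite it too."""
    dest = archive_root / version
    shutil.copytree(src, dest)
    files = sorted(p for p in dest.iterdir() if p.is_file())
    manifest = {p.name: sha256_file(p) for p in files}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    for p in dest.iterdir():
        p.chmod(stat.S_IRUSR | stat.S_IRGRP)                    # r--r-----
    dest.chmod(stat.S_IRUSR | stat.S_IXUSR | stat.S_IRGRP | stat.S_IXGRP)
    return dest

def verify_release(dest: Path) -> list:
    """Names of archived files that are missing or whose digest differs
    from manifest.json; an empty list means the archive is intact."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [name for name, digest in manifest.items()
            if not (dest / name).is_file() or sha256_file(dest / name) != digest]

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())
    build_sample_release(root / "build")
    dest = archive_release(root / "build", root / "archive", "1.2.0")
    print("intact" if not verify_release(dest) else "TAMPERED")
```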

The document, put together by Donna Dodson, Chief Cybersecurity Advisor at NIST, Murugiah Souppaya, a computer scientist at NIST, and Karen Scarfone, a principal consultant for Scarfone Cybersecurity, is comprehensive but still a draft. NIST is seeking comment on the paper through August 5, 2019.

Tags: Compliance


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.