NIST Asks for Input on Building Secure Software

Andrey Suslov/Shutterstock.com

Featured eBooks
Customer Experience
Read Now

Identity in Government

Read Now

Health Tech

Read Now
Insights & Reports
Know Your Business: Protecting Service Organizations from Non-Compliance Risks and Financial Threats
Presented By Melissa Data
Download Now
Executive Guide - Connectivity Cloud, Explained
Presented By Cloudflare
Download Now
Jack Corrigan By Jack Corrigan,
Staff Correspondent

By Jack Corrigan

|

The draft framework is intended to both instruct developers on building safe tech and help IT buyers, like the government, know which companies they can trust.

Cyber experts often warn there’s no such thing as completely secure tech, but the National Institute of Standards and Technology is trying to help software developers and IT buyers get as close as possible.

On Tuesday, NIST released a draft set of guidelines that technologists should follow to ensure security is baked into every step of the software development lifecycle. The framework is intended to benefit both the people creating the tech and the organizations that buy it, such as the federal government.

The draft framework comes as federal cyber leaders explore more robust strategies for locking down the government’s software supply chain against potential threats.

The document divides the secure development process into four different categories—preparing the organization, protecting the software, producing well-secured software and responding to vulnerability reports—and offers specific instructions to help ensure each of the goals are met. Ultimately, federal agencies and other consumers could use the framework to determine which tech vendors they can trust.

“Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences,” NIST wrote in the framework. “Software consumers can reuse and adapt the practices in their software acquisition processes.”

The framework provides a wide array of management, planning and security policies meant to safeguard different steps of the development process, as well as best practices for preventing developers from unknowingly building weaknesses into their code.

NIST also explicitly called for developers to create a software bill of materials—a list of the various components that underlie a particular system—for every application they build, which could help users quickly patch vulnerabilities as they’re disclosed.

The public can submit feedback on the guidance through Aug. 5.

NEXT STORY: Senators Want to Know If CMS Paid China-Linked Companies for Genetic Testing