The draft framework is intended to both instruct developers on building safe tech and help IT buyers, like the government, know which companies they can trust.
Cyber experts often warn there’s no such thing as completely secure tech, but the National Institute of Standards and Technology is trying to help software developers and IT buyers get as close as possible.
On Tuesday, NIST released a draft set of guidelines that technologists should follow to ensure security is baked into every step of the software development lifecycle. The framework is intended to benefit both the people creating the tech and the organizations that buy it, such as the federal government.
The draft framework comes as federal cyber leaders explore more robust strategies for locking down the government’s software supply chain against potential threats.
The document divides the secure development process into four categories, preparing the organization, protecting the software, producing well-secured software and responding to vulnerability reports, and offers specific practices to help ensure each goal is met. Ultimately, federal agencies and other consumers could use the framework to determine which tech vendors they can trust.
“Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences,” NIST wrote in the framework. “Software consumers can reuse and adapt the practices in their software acquisition processes.”
The framework provides a wide array of management, planning and security policies meant to safeguard different steps of the development process, as well as best practices for preventing developers from unknowingly building weaknesses into their code.
NIST also explicitly called for developers to create a software bill of materials, an inventory of the components (libraries, frameworks and other dependencies, with their versions) that make up a particular system, for every application they build. Such an inventory lets users quickly determine whether a newly disclosed vulnerability in a component affects them and which version they must patch to.
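The patching use case described above, as an added example that is not part of the article or of the NIST draft: a minimal CycloneDX-style component list (a constructed fixture) is matched against constructed advisories whose version ranges use OSV-style "introduced"/"fixed" events. All package names, versions and advisory IDs are made up for illustration; a real pipeline would match package URLs or CPEs against a live feed such as NVD or OSV and would need a version parser that handles pre-release and build suffixes.

```python
"""Match a software bill of materials (SBOM) against vulnerability advisories.

Added example, not from the NIST draft. The SBOM below is a constructed
CycloneDX-style fixture limited to the fields this code reads; the advisories
are constructed too, with deliberately fictitious package names and IDs.
"""
import json

# Constructed SBOM fixture (CycloneDX JSON shape, trimmed to the essentials).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "libparse", "version": "1.3.0",
     "purl": "pkg:pypi/libparse@1.3.0"},
    {"type": "library", "name": "netutil", "version": "2.0.5",
     "purl": "pkg:pypi/netutil@2.0.5"},
    {"type": "library", "name": "imgcodec", "version": "0.9.1",
     "purl": "pkg:pypi/imgcodec@0.9.1"}
  ]
}
"""

# Constructed advisories. Each range is half-open: introduced <= version < fixed.
# A range with no "fixed" key means every version from "introduced" on is affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "libparse",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.3.2"}]},
    {"id": "EXAMPLE-ADV-0002", "package": "netutil",
     "ranges": [{"introduced": "1.0.0", "fixed": "1.9.0"},
                {"introduced": "2.1.0", "fixed": "2.1.3"}]},
    {"id": "EXAMPLE-ADV-0003", "package": "imgcodec",
     "ranges": [{"introduced": "0.8.0"}]},  # no fix released yet
]


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.

    Comparing the raw strings would wrongly rank '1.10.0' below '1.9.0'.
    Only plain dotted-integer versions are supported in this example.
    """
    return tuple(int(part) for part in text.split("."))


def in_range(version, rng):
    """True if version falls in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(rng["introduced"]):
        return False
    fixed = rng.get("fixed")
    return fixed is None or v < parse_version(fixed)


def find_affected(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version is affected."""
    sbom = json.loads(sbom_json)
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["package"], []).append(adv)

    findings = []
    for comp in sbom.get("components", []):
        for adv in by_name.get(comp["name"], []):
            for rng in adv["ranges"]:
                if in_range(comp["version"], rng):
                    findings.append({
                        "component": comp["name"],
                        "version": comp["version"],
                        "advisory": adv["id"],
                        "fixed_in": rng.get("fixed"),  # None when no fix exists
                    })
                    break  # one finding per advisory is enough
    return findings


if __name__ == "__main__":
    for f in find_affected(SBOM_JSON, ADVISORIES):
        fix = f["fixed_in"] or "no fix available"
        print(f"{f['component']} {f['version']}: {f['advisory']} (fix: {fix})")
```

With the fixture above, libparse 1.3.0 is flagged with an upgrade target of 1.3.2, imgcodec 0.9.1 is flagged with no fix available, and netutil 2.0.5 is clean because it sits between the two affected ranges. The same lookup can be re-run against the stored SBOM each time a new advisory lands, which is the point of keeping the inventory in the first place.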
The public can submit feedback on the guidance through Aug. 5.