New Guide to Secure Software Development Passes on Content but Fails on Communication, Industry Official Says

Petri Oeschger/Getty Images

The lengthy document may miss its target audience altogether, one industry observer notes.

Cybersecurity recommendations a working group of federal officials and private-sector entities prepared for software developers—using a new framework from the National Institute of Standards and Technology—may be for naught, according to an industry source who says the form doesn’t fit the desired function.  

“There is some good advice throughout the document,” Gareth Rushgrove, vice president of products for the cybersecurity firm Snyk, told Nextgov. But he added, In my experience, most developers will be unlikely to read a 64-page PDF guide with two full pages of acronyms in the 24-page appendix. And for many developers outside of government—and for some inside—the overuse of the word “cyber” often marks this as not for them.”

The guide, released Thursday by the National Security Agency, in conjunction with the Cybersecurity and Infrastructure Security Agency and the Office of the Director of National Intelligence, was produced by the Enduring Security Framework, a public-private group that meets under Critical Infrastructure Partnership Advisory Council authorities.

“The developer holds a critical responsibility to the security of our software,” the press release reads. “As ESF examined the events that led up the SolarWinds attack, it was clear that investment was needed in creating a set of best practices that focused on the needs of the software developer. Securing the Software Supply Chain for Developers was created to help developers achieve security through industry and government-evaluated recommendations. This guidance consolidates valuable resources already published for developers to put to use.”

Following the “SolarWinds” event and other major hacks that used the software supply chain to compromise organizations, including several federal agencies, the Biden administration issued Executive Order 14028, which resulted in the elevation of the National Institute of Standards and Technology’s Secure Software Development Framework. Modeled after NIST’s landmark framework of cybersecurity standards, the SSDF references various standards for developers to choose from when implementing a risk-based approach to their work. 

The new guide attempts to align its recommended threat mitigations to the SSDF. But the result is not communicated with developers in mind, Rushgrove said, noting the dominant dynamic of developers (Dev) viewing themselves as separate from those working on security (Sec) and operations (Ops).

“Too often the challenge for security experts working with developers isn’t knowledge, but communication,” he said. “It’s the communication challenges (and often misaligned incentives) that lead to the “us vs them” mentality that DevSecOps tries to avoid. As noted, we believe the practice guide covers the right topics, but presenting that information in a way developers can follow—like with cheat sheets—would help it have a bigger impact on the target audience.”