NIST Introduces Framework for Secure Software Development

NIST Cybersecurity recently published a whitepaper outlining software development practices, known collectively as a secure software development framework (SSDF), that can be implemented into the software development lifecycle (SDLC) to better secure applications. The outlined practices are based on pre-established standards and guidelines as well as software development practice documents.

NIST Cybersecurity states that, if properly implemented, the SSDF practices should, “help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences.”

Some of the key tasks outlined in the framework include:

Provide secure code training

Most developers aren’t formally trained in writing secure code. If you take the time to train developers, and any other individuals with responsibilities that contribute to secure development, they’ll be able to write secure code from the start. If code is secure from the start of the development phase, it eliminates rework and speeds the time to deployment.

To ensure successful training on secure code practices, tailor the training to specific roles, document the desired outcomes, and review the training plans periodically.

Automate and integrate security tests

By leveraging automatic testing methods instead of using a manual process, you can improve consistency, accuracy, and comprehensiveness. For human-readable code, like source code, NIST Cybersecurity recommends using a “static analysis tool to automatically check code for vulnerabilities and for compliance with the organization’s secure coding standards.” The static analysis tool should be used to, “remediate documented and verified unsafe software practices on a continuous basis as human-readable code is checked into the code repository.”

For executable code – binaries, directly executed bytecode, and directly executed source code – NIST Cybersecurity recommends integrating “dynamic vulnerability testing into the project’s automated test suite.” And, if resources are available, “incorporate penetration testing to simulate how an attacker might attempt to compromise the software in high-risk scenarios.”

Once you’ve selected your application security tests, they should be integrated into the developers existing workflows and processes. NIST suggests “configuring the toolchain to perform automated code analysis and testing on a regular basis.” And, since the tests will produce a long list of vulnerabilities and flaws, you need to put a process in place to assess, prioritize, and remediate the flaws. The longer you wait to remediate flaws, the longer cyberattackers have to exploit the application.

Use open source code securely

Open source code, and all other third-party code, is still susceptible to vulnerabilities and flaws. Start by seeing if there are any publicly known flaws in the software modules that the vendor failed to fix. Then check to see if the module is being actively maintained for new vulnerabilities. If it isn’t being actively maintained, determine a plan of action for how you are going to test the code, and “use the results from commercial services for vetting the modules and services.”

To learn more, download the NIST Cybersecurity whitepaper, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF). Or, to find out how Veracode can help you address the practices identified in the whitepaper, visit our product page.