NIST Issues Guidance on Software Vulnerability Mitigation
The National Institute of Standards and Technology has issued guidance on how to reduce the risks of software vulnerabilities by adopting a secure software development framework.
NIST's white paper was created to establish a software development common language for business owners, software developers, cybersecurity professionals and others.
"Following these practices should help software producers reduce the number of vulnerabilities in released software," among other security benefits, the publication read.
The recommendations are split into four themes: preparing the organization, protecting the software, producing well-secured software and responding to vulnerabilities, MeriTalk reported.
NIST said the guidance was drafted with the assumption that individual software producers and consumers have unique security needs and requirements.
Software producers include commercial off-the-shelf product vendors and government off-the-shelf software developers. Consumers include both federal government agencies and other organizations.
"This white paper's practices are not based on the assumption that all organizations have the same security objectives and priorities," NIST said.
The agency added that the guidance is only intended to serve as an introduction to the concept of a software development life cycle and is not a comprehensive guide. A software development life cycle is defined as a formal or informal methodology for designing, creating and maintaining software, including code built into hardware.
The agency announced plans to expand the guidance to cover various software development methodologies and how organizations can transition away from ineffective practices.
NIST established the definitions of "practice," "task," "implementation example" and "reference." The agency said that while most practices are relevant for any software development effort, some practices are not always applicable.
Organizations should treat risk as the deciding factor when choosing which practices to adopt and how many resources to allocate to them, NIST added.