Content Assessment: Recommendations for Mitigating the Risk of Software Vulnerabilities: NIST Secure Software Development Framework
Information - 90%
Insight - 90%
Relevance - 90%
Objectivity - 85%
Authority - 95%
A short percentage-based assessment of the qualitative benefit of the newly published draft publication from NIST on mitigating the risk of software vulnerabilities.
Editor’s Note: The Information Technology Laboratory (ITL) at NIST promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and its collaborative activities with industry, government, and academic organizations.
Announcement and Draft Publication*
Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities
This document will replace the NIST Cybersecurity White Paper released in April 2020 which defined the original Secure Software Development Framework (SSDF), and it includes a change log summarizing the major changes from the April 2020 version. NIST used inputs from the public and its June 2021 workshop to shape SSDF version 1.1 in support of NIST’s responsibilities under Executive Order (EO) 14028. The new SSDF draft also includes mappings from EO 14028 clauses to the SSDF practices and tasks that help address each clause.
Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure that the software being developed is well-secured. This document recommends the Secure Software Development Framework (SSDF) – a core set of high-level secure software development practices that can be integrated into each SDLC implementation. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Because the framework provides a common vocabulary for secure software development, software purchasers and consumers can also use it to foster communications with suppliers in acquisition processes and other management activities.
- SOARing Costs? Considering Data Breach Economics
- Defining Cyber Discovery? A Definition and Framework