NIST Introduces Secure Software Development Framework

NIST Cybersecurity recently published a technical document describing a set of software development practices, known as the Secure Software Development Framework (SSDF), that can be implemented in the Software Development Life Cycle (SDLC) to improve application security. The practices described are based on established standards, guidelines, and software development practice documents.

NIST Cybersecurity states that SSDF practices, if properly implemented, should help software publishers reduce the number of vulnerabilities in published software, limit the potential impact of exploiting undiscovered or unresolved vulnerabilities, and address the underlying causes of vulnerabilities to prevent recurrence in the future.

The main objectives described in this framework are the following:

Secure code training

Most developers are not formally trained to write secure code. If you spend time training the developers, as well as all the other people responsible for secure development, they will be able to write secure code from the beginning. Securing the code from the start of development eliminates rework and shortens implementation time.

To ensure that secure coding is taught successfully, training should be tailored to specific roles, desired outcomes should be documented, and the curriculum should be regularly reviewed.

Automation and integration of security tests

By using automated testing methods instead of a manual process, you can improve consistency, accuracy and completeness. For human-readable code (source code), NIST Cybersecurity recommends the use of a static analysis tool to automatically check for code vulnerabilities and compliance with the organization’s secure coding standards. The static analysis tool should be used continuously on human-readable code in the code repository to correct documented and verified insecure programming practices.

For executable code (directly executable binary files and directly executable source code), NIST Cybersecurity recommends integrating dynamic vulnerability testing into the project's automated test suite. And, if resources are available, include penetration tests to simulate how an attacker might try to compromise the software in high-risk scenarios.

Once you have selected the security tests for your application, they need to be integrated into existing workflows and development processes. NIST proposes setting up a toolchain to perform automated code analysis and testing on a regular basis. And since testing will produce a long list of vulnerabilities and weaknesses, it is necessary to establish a process for assessing, prioritizing and fixing them. The longer one waits to correct defects, the more opportunity attackers have to exploit them.
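One way to wire the assess-and-prioritize step into a toolchain, as an added example that is not part of the original post or of NIST's document. It assumes the static analysis tool writes SARIF 2.1.0 with `baselineState` populated; the sample results, rule names and the gate policy are constructed for illustration.

```python
import json

# Constructed SARIF 2.1.0 output standing in for a real static analysis run.
def _result(rule, level, state, uri, line):
    return {"ruleId": rule, "level": level, "baselineState": state,
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast"}},
    "results": [
        _result("weak-hash", "warning", "unchanged", "app/auth.py", 40),
        _result("sql-injection", "error", "new", "app/db.py", 12),
        _result("debug-enabled", "note", "new", "app/settings.py", 3),
        _result("path-traversal", "error", "unchanged", "app/files.py", 77),
        _result("hardcoded-secret", "error", "absent", "app/old.py", 5),
    ]}]})

LEVEL_RANK = {"error": 0, "warning": 1, "note": 2, "none": 3}

def load_findings(sarif_text):
    """Flatten every result of every run into a small dict."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        for res in run.get("results") or []:
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            findings.append({
                "rule": res.get("ruleId", "unknown"),
                "level": res.get("level", "warning"),      # SARIF's default level
                "state": res.get("baselineState", "new"),  # assumption: no baseline means new
                "file": phys.get("artifactLocation", {}).get("uri", "?"),
                "line": phys.get("region", {}).get("startLine", 0),
            })
    return findings

def prioritize(findings):
    """Open findings, most severe first; ones already in the baseline lead their level."""
    open_ = [f for f in findings if f["state"] != "absent"]  # absent = fixed since baseline
    return sorted(open_, key=lambda f: (LEVEL_RANK.get(f["level"], 1),
                                        f["state"] == "new", f["file"], f["line"]))

def gate(findings):
    """Assumed policy: the build is blocked when a new error-level finding appears."""
    return [f for f in findings if f["level"] == "error" and f["state"] == "new"]

if __name__ == "__main__":
    found = load_findings(SAMPLE_SARIF)
    for f in prioritize(found):
        print(f'{f["level"]:8} {f["state"]:10} {f["rule"]:16} {f["file"]}:{f["line"]}')
    print("gate:", "blocked" if gate(found) else "passed")
```

Within each severity level, findings that were already present in the baseline sort ahead of new ones, since they have been open longest.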

Safe use of Open Source

Open source code, like all other third-party code, always has vulnerabilities and flaws. Start by looking for known vulnerabilities in the software modules that the vendor has not yet fixed. Then check whether the module is actively maintained, so that new vulnerabilities will be addressed. If it is not actively maintained, define an action plan for how you want to vet the code, and use the results of commercial services for vetting the modules and services.


For more information, see NIST Cybersecurity, Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF). Or to find out how Veracode can help you solve the problems mentioned in the technical document, please visit our product page.

*** This is a syndicated post from a network of security bloggers, originally from the Application Security Research, News, Education Blog, by hgoslin.