NIST Wants Comments on Secure Software Development


The US National Institutes of Standards and Technology recently asked for comments on a new framework for secure software development. Called Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) this framework seeks to aid developers by providing a somewhat universal framework for secure software development. What this framework doesn't do is provide explicit rules. Instead - as the name makes clear - it is a framework or guide.

The Framework is a short 19 pages, many of which are definitions, references and so forth. That's good because that makes the document readable and understandable and users will not get bogged down in a morass of guidelines.


Unlike some other NIST documents, this one is designed for a broad audience:

There are two primary audiences for this white paper. The first is software producers (e.g., commercial-off-the-shelf [COTS] product vendors, government-off-the-shelf [GOTS] software developers, custom software developers) regardless of size, sector, or level of maturity. The second is software consumers, both federal government agencies and other organizations. Readers of this document are not expected to be experts in secure software development in order to understand it, but such expertise is required to implement its recommended practices.

Structure Of The Framework

The Framework is divided into four groups:

    • Prepare the Organization (PO): Ensure the organization's people, processes, and technology are prepared to perform secure software development.

    • Protect the Software (PS): Protect all components of the software from tampering and unauthorized access.

    • Produce Well-Secured Software (PW): Produce well-secured software that has minimal security vulnerabilities in its releases.

    • Respond to Vulnerability Reports (RV): Identify vulnerabilities in software releases and respond appropriately to address those vulnerabilities and prevent similar vulnerabilities from occurring in the future.

The actual items in the whitepaper look like this:

illustration of whitepaper tables

(SSDF is "Secure Software Development Framework" and SDLC is "Software Development Life Cycle")

There are two Tasks Associated with this particular Practice, so you can refer to them individually in a document or discussion. The wording is straightforward and not tangled in legalese. The copious list of referenced documents is listed in the Framework so readers can get a more detailed description of the Task. The suggestions in the Implementation Examples column show how an organization might implement a particular Task.

Benefits Of A Framework

Actually having a workable framework will provide organizations - both civilian and government - with a starting point for developing secure software. After reading the document, it will be clear that this is not a "how-to" for individual programmers, but rather a guide for creating the proper environment for secure development.

Two years ago I wrote on this blog about NIST's suggestions for reducing software vulnerabilities. This Framework document is a continuation of their effort to make software more secure (and there are other steps they have outlined, too). I applaud this effort. Preventing software vulnerabilities is hard. Individual pieces of software such as an operating system, language compiler, or a comprehensive web server are quite complex. The news is full of reports of breaches and other software failures. The more we can do, the better.

The comment period for this document expires on August 8th, and you may be reading this after that. That's alright: the point is that the effort is ongoing and will hopefully lead to more secure software.

To your safe computing,
John McDermott

Written by John McDermott

John McDermott, CPLP, started his work in computer security in 1981 when he caught an intruder in a system he was managing. In recent years his consulting has included security consulting for small businesses. He is Security+ and CCP certified. In his 30 years with Learning Tree John has written and taught courses in programming, networking and computer security. He is the co-author of Learning Tree’s course System and Network Security: A Comprehensive Introduction. John is currently a learning and development consultant in northern New Mexico. He lives in a house made of earth with his wife, who is an artist.