The National Institute of Standard and technology published a new Cybersecurity White Paper: Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF) recommending a core set of high-level secure software development practices — called a secure software development framework (SSDF) — to be added to each software development life cycle (SDLC) implementation.
The paper aims to provide guidance and promote communications about secure software development practices among business owners, software developers, and cybersecurity professionals within an organization, NIST officials said in a release. Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes, NIST said.
Few software development life cycle (SDLC) models explicitly address software security in detail, so secure software development practices usually need to be added to each SDLC model to ensure the software being developed is secured according to standards. This white paper recommends a core set of high-level secure software development practices called a secure software development framework (SSDF) for integration within each SDLC implementation.
Additionally, because the framework provides a common vocabulary for secure software development, software consumers can use it to foster communications with suppliers in acquisition processes and other management activities.
Publication: White Paper (DOI)
Supplemental Material: Local Download (pdf)
06/11/19: White Paper (Draft)
04/23/20: White Paper (Final)