The National Institute of Standards and Technology (NIST) released a white paper on how to mitigate the risks of software vulnerabilities through adopting a Secure Software Development Framework (SSDF).
“Following these practices should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences,” the white paper said. “Software consumers can reuse and adapt the practices in their software acquisition processes.”
The NIST white paper is intended to provide a common language for business owners, software developers, cybersecurity professionals, and others in describing fundamental secure software development practices. Additionally, it’s stated intent is to focus on the practices of implementing SSDF, rather than tools and techniques because they might be different from organization to organization.
“For example, one organization might automate a particular step, while another might use manual processes instead,” the white paper said.
The practices for SSDF are broken down into four groups within the white paper, including:
- Prepare the organization;
- Protect the software;
- Produce well-secured software; and
- Respond to vulnerabilities.
“This white paper’s practices are not based on the assumption that all organizations have the same security objectives and priorities; rather, the recommendations reflect that each software producer may have unique security assumptions, and each software consumer may have unique security needs and requirements,” it said.