Software Security Guidance Issued by NIST

The National Institute of Standards and Technology (NIST) has issued two guidance documents in compliance with the recent Biden administration executive order (EO) to enhance security of the software supply chain.

In conjunction with the Cybersecurity & Infrastructure Security Agency (CISA) and the Office of Management and Budget (OMB), NIST has outlined specific security measures for critical software use within the following five objectives:

  1. Protect EO-critical software and software platforms from unauthorized access and usage.
  2. Protect the confidentiality, integrity, and availability of data used by critical software and software platforms.
  3. Identify and maintain critical software platforms and the software deployed to those platforms to protect the software from exploitation.
  4. Quickly detect, respond to, and recover from threats and incidents involving critical software and software platforms.
  5. Strengthen the understanding and performance of humans’ actions that foster the security of critical software and software platforms.

NIST has also published recommended minimum standards on software verification (testing) in consultation with the National Security Agency (NSA). The list of recommendations includes: 

  • Threat modeling to look for design-level security issues 
  • Automated testing for consistency and to minimize human effort 
  • Static code scanning to look for top bugs 
  • Fuzzing
  • Heuristic tools to look for possible hardcoded secrets 
  • Code-based structural test cases 

NIST additionally plans to develop guidance on software testing tools as a further requirement of the executive order.