Developing Software with Security in Mind: NIST White Paper Recommends Secure Software Development Framework

Morgan Lewis
Contact

Morgan Lewis

The National Institute of Standards and Technology (NIST) recently circulated a draft white paper discussing recommended security practices to be adopted throughout the various phases of software development. The white paper provides three overarching reasons for integrating secure development practices throughout the software development lifecycle (SDLC) regardless of the development model (e.g., waterfall, agile), namely, “to reduce the number of vulnerabilities in released software, to mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and to address the root causes of vulnerabilities to prevent future recurrences.”

The white paper discusses the following four secure software development practices, and breaks down each topic by (1) practices, (2) tasks, (3) implementation examples, and (4) references.

Prepare the Organization

In order to prepare an organization for possible security incidents, the white paper recommends that policies should be reviewed both on a regular basis and following a security incident, and should be modified based on the latest updates in secure development practices. According to the white paper, the organization may also need to create new roles relating to secure software development, as well as alter existing roles to ensure that security responsibilities are met throughout the entire SDLC.

Protect the Software

Software protection encompasses not only intentional security incidents but also unintentional security incidents. The white paper suggests using the principle of least privilege, which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work, in order to minimize potential harm to software. Security considerations do not end once software is distributed to consumers, and the white paper recommends that the organization offer a way for consumers to verify that the software is legitimate.

Produce Well-Secured Software

Well-secured software requires careful forethought and threat analysis in order to build strong defenses against potential security incidents. The white paper recommends using threat and attack modeling, which can help identify weak points in the software to be adjusted before it becomes available for use. The white paper also proposes that third-party software be vetted in the context of its expected use.

Respond to Vulnerability Reports

Responding to vulnerability reports is a crucial aspect of secure development software, as it allows an organization the opportunity to minimize a future security incident. The white paper suggests that organizations analyze the information provided in vulnerability reports to identify patterns and the potential impact of different vulnerabilities.

For lawyers and sourcing professionals, the NIST white paper can serve as a valuable checklist of key scope and performance obligations when developing software—it is a must read!

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis
Contact
more
less

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.