In response to the Biden administration's cybersecurity executive order, the National Institute of Standards and Technology has posted two new pieces of guidance. "Security Measures for 'EO-Critical Software' Use" outlines security measures for critical software use, such as applying practices of least privilege, network segmentation and proper configuration. "Recommended Minimum Standards for Vendor or Developer Verification (Testing) of Software Under Executive Order (EO) 14028" discusses the minimum standards vendors or developers should use to verify their software.
The security measures guidance, developed in consultation with the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget and the cybersecurity community, addresses the five protection objectives for federal agencies laid out in the cyber EO:
- Protect critical software and platforms from unauthorized access and usage.
- Protect the confidentiality, integrity and availability of data used.
- Identify and maintain critical software.
- Quickly detect, respond to and recover from threats.
- Improve users' understanding of their cybersecurity responsibilities.
The NIST guidance lists a number of security measures for each objective and maps those measures to relevant federal publications and projects.
By defining a set of common security objectives and measures for protecting EO-critical software use, the guidance is designed to give agencies a common framework.
NIST calls the guidance "fundamental" and says the security measures "are not intended to be comprehensive, nor are they intended to eliminate the need for other security measures that federal agencies implement as part of their existing requirements and cybersecurity programs." Meanwhile, agencies should keep working to secure their systems and supply chains and implement zero trust practices.
For its guidance on vendors' source code testing, NIST worked with the security community and the National Security Agency to develop recommended minimum testing standards and high-level directions on how to work those standards into a robust testing program and development process.
NIST describes software testing and verification as "a mental discipline" required to increase software quality. Developers must frequently and thoroughly test and verify their software at every stage of the development life cycle. This document recommends 11 software verification techniques:
- Threat modeling to look for design-level security issues and focus verification efforts.
- Automated testing for accuracy, consistency and reducing manual work.
- Static code scanning to look for top bugs and vulnerabilities and ensure the code complies with the organization's coding standards.
- Heuristic tools to look for possible hardcoded passwords and private encryption keys.
- Take advantage of software's built-in checks and protections.
- "Black box" test cases that ensure code meets functional specifications or requirements outside a specific implementation.
- Code-based structural test cases based on the implementation.
- Historical test cases to be sure software will still run securely after a change.
- Fuzzing to test an immense number of inputs with minimal human supervision.
- Web app scanners, if applicable, to detect vulnerabilities in web applications.
- Identify the libraries, packages and services the software uses so they can be checked against known vulnerability databases.
The guidance also describes good development practices and includes information on software installation and operation as well as advances in software verification technology.
Because no single software security verification standard can be used for all types of software, NIST intends this guidance to describe minimum standards that will help software producers create their own verification processes.