A new consortium devoted to secure software development and led by the National Institute of Standards and Technology (NIST) has released its draft guide for public comment that responds to instructions in a cybersecurity order from the White House earlier this summer.
NIST’s Software Supply Chain and DevOps Security Practices Consortium includes 14 organizations led by the National Cybersecurity Center of Excellence (NCCoE) and aims to “improve security at all stages of the software development life cycle.”
The consortium builds on an order signed by President Donald Trump in early June that directed NIST to develop guidelines demonstrating best practices from the agency’s Secure Software Development Framework (SSDF).
“To support the creation of software that is secure against cyber breaches and free of malicious code, … [NIST] is working with industry partners through a consortium focused on improving software security,” said the agency on July 31.
A preliminary draft of those guidelines was released along with the consortium’s announcement, and includes a “high-level overview of the project.” The draft is open for public comment until Sept. 12.
The guidelines are meant to “complement the SSDF by offering specific examples” of how to “create a secure development environment that fits the organization’s objectives,” according to NIST, and aim to lead “to consistently trustworthy and quicker software development.”
“The draft guidelines we are developing will show how organizations can use commercial, off-the-shelf technologies and AI capabilities and apply zero trust principles and methodologies to create an efficient and secure development environment for producing fast and more reliable software,” said Alper Kerman, one of the publication’s authors from NCCoE.
“You have to have an environment to write code in, where the whole team of developers can access it and update the code in an agile fashion,” Kerman explained, saying that guidelines can allow software development collaborations while keeping unauthorized users out.
“But when you are writing code, a team member might bring in code libraries from other parties, for example. We will outline best practices for minimizing the likelihood that vulnerabilities might creep in as a result, such as effective ways to scan the code for trouble spots,” Kerman continued.
The agency said it also plans to release further draft guidance in the future, each installment with its own public comment period.