In response to the Biden administration’s cybersecurity executive order, the National Institute of Standards and Technology (NIST) has posted two new pieces of guidance. “Security Measures for ‘EO-Critical Software’ Use” outlines security measures for critical software use, such as applying least privilege, network segmentation and proper configuration. “Recommended Minimum Standards for Vendor or Developer Verification (Testing) of Software Under Executive Order (EO) 14028” discusses the minimum standards that vendors or developers should use to verify their software.
The security measures guidance, developed in consultation with the Cybersecurity and Infrastructure Security Agency, the Office of Management and Budget and the cybersecurity community, addresses the five protection objectives for federal agencies laid out in the cyber EO:
- Protect critical software and platforms from unauthorized access and usage.
- Protect the confidentiality, integrity and availability of the data used.
- Identify and maintain critical software.
- Quickly detect, respond to and recover from threats.
- Improve users’ understanding of their cybersecurity responsibilities.
The NIST guidance lists a number of security measures for each objective and maps those measures to relevant federal publications and projects.
By defining a set of common security objectives and measures for protecting EO-critical software use, the guidance is designed to give agencies a common framework.
NIST calls the guidance “fundamental” and says the security measures “are not intended to be comprehensive, nor are they intended to eliminate the need for other security measures that federal agencies implement as part of their existing requirements and cybersecurity programs.” Meanwhile, agencies should keep working to secure their systems and supply chains and implement zero trust practices.
For its guidance on vendors’ source code testing, NIST worked with the security community and the National Security Agency to develop recommended minimum testing standards and high-level directions on how to work those standards into a robust testing program and development process.
NIST describes software testing and verification as “a mental discipline” required to increase software quality. Developers must frequently and thoroughly test and verify their software at every stage of the development life cycle. The document recommends 11 software verification techniques:
- Threat modeling to find design-level security issues and focus verification efforts.
- Automated testing for accuracy and consistency and to reduce manual work.
- Static code scanning to find common bugs and vulnerabilities and to ensure the code complies with the organization’s coding standards.
- Heuristic tools to look for possible hardcoded passwords and private encryption keys.
- Use of the software’s built-in checks and protections.
- “Black box” test cases that ensure the code meets functional specifications or requirements independent of a specific implementation.
- Code-based structural test cases derived from the implementation.
- Historical test cases to be sure the software still runs securely after a change.
- Fuzzing to test an immense number of inputs with minimal human supervision.
- Web app scanners, if applicable, to detect vulnerabilities in web applications.
- Identification of the libraries, packages and services the software uses so they can be checked against known-vulnerability databases.
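The “heuristic tools” item above is the easiest of the 11 techniques to show concretely. The following scanner is an added example written for this article, not code from NIST or from any of the tools the guidance maps to. The rules, thresholds and the sample source file it scans are all this example’s own assumptions; they also show why NIST calls such checks heuristics: a name-based rule misses a secret stored under a bland variable name, an entropy rule catches some of those but also flags harmless high-entropy strings such as a hex identifier.

```python
"""Heuristic scan for hardcoded passwords and private keys in source text.

Added example, not code from the NIST document. Three rules are applied to
each line in order and the first hit is reported:
  1. a credential-looking variable assigned a non-empty string literal,
  2. a PEM private-key header,
  3. any quoted literal of 20+ characters with high Shannon entropy.
"""
import math
import re
from collections import Counter

# Constructed sample source file (not from the document). It mixes real
# findings with two things a naive grep would wrongly flag: a lookup from
# the environment (line 3) and an empty placeholder (line 8).
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
DB_PASSWORD = "hunter2"
api_key = os.environ.get("API_KEY")
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAexampleonly
-----END RSA PRIVATE KEY-----
aws_secret_access_key = "s3cr3t/Example+NotARealKey0123456789"
token = ""
session_id = "0123456789abcdef0123456789abcdef"
"""

# Assumed name patterns; extend for your own code base.
CREDENTIAL_NAME = re.compile(
    r"(password|passwd|pwd|secret|api_?key|token|private_?key)", re.I)
# name = "value" or name: 'value' with a non-empty literal directly on the RHS
LITERAL_ASSIGNMENT = re.compile(
    r"""^\s*(?P<name>[A-Za-z_][A-Za-z0-9_.]*)\s*[:=]\s*["'](?P<value>[^"']+)["']""")
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
QUOTED_LITERAL = re.compile(r"""["']([^"'\s]{20,})["']""")
MIN_ENTROPY_BITS = 3.5  # assumed threshold, bits per character


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty/uniform input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def rule_credential_assignment(line):
    m = LITERAL_ASSIGNMENT.match(line)
    if m and CREDENTIAL_NAME.search(m.group("name")):
        return "credential-assignment", m.group("name")
    return None


def rule_private_key_block(line):
    if PEM_PRIVATE_KEY.search(line):
        return "private-key-block", line.strip()
    return None


def rule_high_entropy_literal(line):
    for literal in QUOTED_LITERAL.findall(line):
        if shannon_entropy(literal) >= MIN_ENTROPY_BITS:
            return "high-entropy-literal", literal[:8] + "..."  # never log the full value
    return None


RULES = (rule_credential_assignment, rule_private_key_block, rule_high_entropy_literal)


def scan_source(text):
    """Return (line_number, rule_name, detail) tuples, at most one per line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule in RULES:
            hit = rule(line)
            if hit:
                findings.append((line_no, hit[0], hit[1]))
                break
    return findings


if __name__ == "__main__":
    for line_no, rule, detail in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule} ({detail})")
```

Run against the sample it reports lines 2, 4, 7 and 9 and stays quiet on the environment lookup and the empty placeholder. Line 9 is the caveat: the hex identifier trips the entropy rule although it is not a secret, so a real tool needs an allow-list and, more importantly, should never be the only control; keeping secrets out of source in the first place is what the other NIST measures (least privilege, proper configuration) are for.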
The guidance also describes good development practices and includes information on software installation and operation as well as advances in software verification technology.
Because no single software security verification standard can be used for all types of software, NIST intends this guidance to describe minimum standards that will help software producers create their own verification processes.