Once seen as only tangential to cybersecurity planning, software security has recently emerged as a top priority for policymakers, businesses, and users around the world. As our collective understanding of cybersecurity has grown, we have come to recognize the central role secure design and development plays in protecting the software that powers our world. Unfortunately, software security discussions have long been hampered by inconsistent terminology, lack of clarity around best practices, and a sense that only the most technically inclined could ever really make sense of the process. A new software development framework from NIST is poised to change all that.
Much like it did with its Cybersecurity Framework, NIST has brought together what we have learned about software security over the past two decades and created a secure software development framework (SSDF) that can get us all talking from the same playbook. The framework builds on SAFECode’s publications on secure development best practices, the BSA Framework for Secure Software, and other industry contributions to deliver a core set of high-level secure software development practices that help ensure that software is secure by design. Software producers who follow these practices can reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to achieve continuous improvement of software security. Software consumers can use the framework to confidently build their security requirements and apply them as applicable to their software acquisition processes.
Please register here to join BSA and SAFECode along with government and industry panelists in a virtual roundtable discussion on Tuesday, June 23 from 11 a.m. to 1 p.m. to learn about the SSDF and hear about its practical applications for product developers, public and private sector customers, and the future of product certifications and labeling.
AgendaSlides from this session can be found here. 11:00 - 11:05 a.m. Welcome remarks Kevin Stine, NIST 11:05 - 11:20 a.m. Introduction and overview of the NIST Secure Software Development Framework Karen Scarfone, NIST Associate 11:20 - 11:30 a.m. BSA’s perspective Tommy Ross, BSA 11:30 - 11:40 a.m. SAFECode’s perspective Steve Lipner, SAFECode 11:40 - 11:55 a.m. Q&As BSA/NIST/SAFECode Tommy Ross, Karen Scarfone, Kevin Stine, and Steve Lipner 12:05 - 12:45 p.m. Perspectives on Applying the SSDF
- Guiding Product Development: Valecia Maclin, Microsoft
- Supporting private sector software acquisition: John Banghart, Venable
- Improving government acquisition: Melinda Reed, DoD
- Shaping interoperability, synergies, and evaluation: Prokopios Drogkaris and Apostolos Malatras, ENISA