Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/17/2018
06:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NIST Seeking Comments on New AppSec Practices Standards

Working in conjunction with SAFECode, NIST is opening the floor to suggestions at RSA about secure software development life cycle guidelines.

RSA CONFERENCE 2018 – San Francisco – The standards keepers at the National Institute of Standards and Technology (NIST) are turning their eyes to the world of application security. Working together with the nonprofit secure development coalition SAFECode, NIST has revved up its engines to work on a new special publication titled the Guide to Secure Software Development Life Cycle (SSDLC) Practices: A Producer and Consumer Perspective. The title might be a mouthful, but its purpose is fairly simple: to set the bar on what it means to securely develop software.

The guide is a work in progress with a still uncertain publication date, but NIST and SAFECode have made enough early conceptual headway that they're comfortable turning to the security community to help them flesh out ideas for the standards. That public opinion gathering will commence Wednesday at RSA Conference in the form of a public working group session at the InterContinental Hotel at 4:30. In the run-up to this kickoff workshop, Dark Reading caught up with Steve Lipner, SAFECode's executive director, to discuss the work his organization is doing to spearhead the publication and what he hopes its dissemination will do for application security industry-wide.

 

Dark Reading: Can you tell us a little about the genesis of this project and your collaboration with NIST?

Steve Lipner: One of the things we at SAFECode have been doing for probably more than 10 years is publishing best practices and recommended approaches for secure development, basically getting the developers to build secure software rather than trying to test it in after the fact.

There's been a lot pickup of those sort of processes in the industry at large. But government guidance has been really silent on secure development practices up to today. And so we've been talking with NIST management for some time about producing a special publication on that topic. 

After a lot of conversation, NIST has stepped up and they've done a lot of work internally, thinking about the issues and getting prepared. I think they're a while away from issuing something, but they're at the point where they've thought about it enough that they want to get public input.

 

Dark Reading: Once this publication does get issued, what do you hope its existence will actually do for the industry?

Steve Lipner: So, I think there are three things. Number one, it'll provide another element of guidance for developers. There's SAFECode guidance out there, and there's other guidance out there that rules by simple numbers, but I think some organizations will look to this guidance and say, "That's something we're especially willing to rely on."

I think it will provide a vehicle for customers to ask for secure development in an authoritative way. That will incentivize more developers to step up and start to adopt secure development processes, because they're going to be faced with these, hopefully, realistic and well-aligned requirements that will move them that way.

And then the third thing is specifically for government procurements, which is a small subset, but it's important. I think it will give government program offices, government system integrators, a tool to understand what best practices are and to integrate some of those things into the way they build software for the government.

 

Dark Reading: Obviously, with your presence here at RSA to stage this working group, SAFECode and NIST are reaching out to the security community, but can we also expect similar input-gathering from the development tribe that's most likely to be impacted by these standards? 

Steve Lipner: SAFECode members and other commercial organizations that have secure development processes involve their developer communities (in developing these standards). So, I'm hoping that the bridge will get crossed by the impetus of the commercial players who see this being done and that they'll make sure that their development organizations are on board. You can't really do a secure development life cycle or create a security development life cycle process without having your developers bought in.

 

Dark Reading: In that same vein, will NIST be working to tie in a lot of the new development practices and standards that are cropping up as IT shops move to DevOps software delivery methodologies?

Steve Lipner: When we started building software security processes (at SAFECode), that was consistent with a two- or three-year development life cycle. But in my experience, just a year or two after we created our initial development process, we had to say, "Okay, how do you apply this process to Agile (and DevOps)? 

And so we started to think about "What does that mean?" and "How do we adapt?" The answer is that secure code is still secure code, but you have to have different ways of parsing the tools, testing the delivery, [and knowing] where the feedback loop goes. Just because you're doing DevOps or just because you're doing Agile doesn't mean you can't do secure development, if you decide that secure development is important. [We'll be] getting that reflected in a NIST special publication that is specific enough so that customers can tell whether developers have done it. But it will also be general enough so that there is flexibility for other processes and different tools. 

There are going to be challenges in getting the document right, but I don't believe it's an impossible task, by any means.

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.