By Steve Lipner, SAFECode Executive Director

Last week, the National Institute for Standards and Technology (NIST) published a white paper entitled “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF).” The paper provides guidance to organizations that seek to adapt their software development processes to deliver more secure software. SAFECode, along with BSA – The Software Alliance, has collaborated with NIST since planning for the paper began more than two years ago. SAFECode co-led a working discussion of software security with NIST at the RSA Conference in 2018, reviewed several drafts, and participated with NIST and BSA in a session to discuss the paper at this year’s RSA Conference. NIST has done an excellent job bringing together what we’ve learned about software security over the past two decades. The resulting white paper reinforces that secure software is a result of a holistic software security process and offers guidance as to what constitutes an effective process, incorporating recommendations from SAFECode, BSA, OWASP, and others. We believe NIST’s work has the potential to significantly impact the way that developers and customers think about, and act upon, their software security needs. Further, the NIST SSDF is likely to influence the approach of U.S. government agencies for developing, acquiring, and assessing software security. It is our hope that like the NIST Cybersecurity Framework, it will find broad adoption in the private sector and by other governments worldwide.

SAFECode encourages anyone interested in software security to read the white paper. We expect that there will be a lot of follow-up activities as organizations around the world consider adopting the SSDF model and tailoring it to their needs. SAFECode is looking forward to participating, sharing our views, and hearing your feedback.