In February, the National Institute of Standards and Technology released guidelines for secure software development, meeting a deadline established by President Biden’s May Executive Order on Improving the Nation’s Cybersecurity.
The new guidelines, embodied in NIST publication SP 800-218, outline the obligations that producers of commercial off-the-shelf (COTS) and government off-the-shelf (GOTS) software have if they are licensing software or services to federal agencies.
The guidance includes things like following secure software development practices; collecting, maintaining, and sharing provenance data for all software components; and tracking software dependencies. Software producers are also urged to check their code for backdoors and other malicious content - a clear reference to the now infamous compromise of SolarWinds, which affected a number of sensitive Federal agencies. (For more on SolarWinds, read our blog post: "Sunburst: the next level of stealth")
What does NIST’s new Secure Software Development Framework (SSDF) mean for software firms and their customers? And how can companies begin to wrap their arms around the new guidelines from Uncle Sam?
To get answers to those questions and others, we sat down with Tomislav Peričin, the Chief Software Architect at ReversingLabs for a chat. In this video chat, recorded just after the NIST guidance was published, Tomislav and host Paul Roberts dig into the details of the new NIST framework. They also talk about emerging federal requirements for software producers to maintain so-called Software Bills of Materials (SBOMs) that provide an ingredient list for software and services used in federal agencies.
Check out their conversation below!
Software Assurance | March 9, 2022