Guidelines on Minimum Standards for Developer Verification of Software

TL;DR

This paper outlines eleven recommended minimum standards for software verification techniques to enhance cybersecurity, including threat modeling, automated testing, static analysis, fuzzing, and web app scanning, developed by NIST and NSA.

Contribution

It provides a standardized set of broadly applicable software verification techniques as minimum cybersecurity standards, based on expert consultation.

Findings

11 recommended verification techniques for software security

Guidelines developed by NIST and NSA with industry input

Focus on minimum standards for broad applicability

Abstract

Executive Order (EO) 14028, "Improving the Nation's Cybersecurity", 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven recommendations for software verification techniques as well as providing supplemental information about the techniques and references for further information. It recommends the following techniques: Threat modeling to look for design-level security issues Automated testing for consistency and to minimize human effort Static code scanning to look for top bugs Heuristic tools to look for possible hardcoded secrets Use of built-in checks and protections "Black box" test cases Code-based structural test cases Historical test cases Fuzzing Web app scanners, if applicable Address included code (libraries, packages, services) The document does not address the totality of software verification, but instead, recommends techniques that are broadly applicable and form the minimum standards. The document was developed by NIST in consultation with the National Security Agency (NSA). Additionally, we received input from numerous outside organizations through papers submitted to a NIST workshop on the Executive Order held in early June 2021, discussion at the workshop, as well as follow up with several of the submitters.