August 5, 2022

Last Updated on January 19, 2024

Section 4 of Executive Order 14028, “Improving the Nation’s Cybersecurity,” seeks to elevate the security of software purchased by the government. In response to a directive in the order, the National Institute of Standards and Technology (NIST) created Special Publication NIST SP 800-218, the Secure Software Development Framework (SSDF) version 1.1.

The SSDF provides “recommendations for mitigating the risk of software vulnerabilities” across the software development lifecycle (SDLC). But with other established software security standards out there, such as OWASP SAMM and the Building Security in Maturity Model (BSIMM), why was it so important to create yet another framework? How is the SSDF meant to benefit the US government’s software supply chain?

To discuss the importance of the SSDF and how to get maximum benefit from it, a recent episode of The Virtual CISO Podcast features Elzar Camper, Pivot Point Security’s Director of Cyber Security Solutions & Practices. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show as usual.

Ensuring security of critical software

The “cyber executive order” from May 2021 has a lot to say (primarily in section 4) about enhancing security within the government’s software supply chain. How can government agencies be assured that the software they’re buying is secure—especially “critical software” where vulnerabilities introduce the most risk to the nation’s infrastructure, economy, and military?

“What does critical software mean?” poses Elzar. “What’s defined as critical software? That means different things to different people. NIST was nice enough to give us 11 categories of critical software because they’re very forward-leaning.”

NIST recommends that identification of critical software should start with standalone and on-premises software and then shift to the cloud. Categories of critical software include things like identity and access management, operating systems, hypervisors, containers (Docker, Kubernetes), etc.

Securing the security tools

Web browsers and endpoint solutions (EDR/XDR) can also be critical software, as are network protocols, firewalls, intrusion protection, operational logging/monitoring tools like SIM/SIEM, and so forth.

“So, the basics—the normal ecosystem of an organization, the big pieces of it, things that can touch or process critical data, things that might give somebody elevated privileges or access, are really how they define critical software,” summarizes Elzar.

“It’s making sure that the tools we rely on to be secure are actually secure themselves,” John reframes. “[This is] where we know the government will explicitly say, ‘We expect this stuff to have gone through the SSDF.’”

What’s next?

To catch the full episode on the NIST SSDF with Elzar Camper, click here.

Wondering how to get your secure software program underway? We hope you’ll find this post helpful: 4 First Steps to Jumpstart Secure Web App Development
