The May 12th Executive Order on Improving the Nation’s Cybersecurity directed our friends at NIST to publish guidelines on vendors’ source code testing. As a result, NIST recently published Guidelines on Minimum Standards for Developer Verification of Software. An excellent resource for organizations that develop software in-house, it is also useful for organizations that want to exercise due care when evaluating the security practices of prospective software vendors.
“No single software security verification standard can encompass all types of software and be both specific and prescriptive while supporting efficient and effective verification. Thus, this document recommends guidelines for software producers to use in creating their own processes. To be most effective, the process must be very specific and tailored to the software products, technology (e.g., language and platform), toolchain, and development lifecycle model.” — Guidelines on Minimum Standards for Developer Verification of Software