Just what we need – another “framework” to handle software security.
We already have PCI DSS (Payment Card Industry Data Security Standard), BSIMM (Building Security In Maturity Model), OWASP SAMM (Open Web Application Security Project Software Assurance Maturity Model), ISO (International Organization for Standardization), SAFECode (Software Assurance Forum for Excellence in Code), and the list goes on.
And now there is one more. The latest, currently a draft white paper from the National Institute of Standards and Technology (NIST), is called the SSDF, as in “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF).” It went public on June 11, and the comment window was open until Aug. 5.
The framework proposes 19 practices, organized into 4 groups:
Following the practices, the paper says, “should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. Software consumers can reuse and adapt the practices in their software acquisition processes.”
Suggestions, not mandates
Fine. The goal is a good one. Who doesn’t want to reduce the risk of software vulnerabilities? But it is a bit like rolling out a framework to control vehicle speed when there have been dozens of laws on the books for decades designed to do the same thing.
Besides, whatever ends up in the final version will be a recommendation rather than a mandate. NIST is a federal agency, under the Department of Commerce, but it is not a regulatory body and therefore has no authority to enforce rules.
Still, it may fill a void.
The point of this framework seems to be less about reinventing the wheel and more about gathering the different kinds of wheels in one place, so that those who need a wheel can decide which one fits their needs.
Indeed, its practices draw on many of the frameworks listed above, which it cites as sources of best practices.
As one of the co-authors, Murugiah Souppaya of the Computer Security Division in NIST’s Information Technology Laboratory, puts it, the framework is meant to make communication about secure practices easier among groups across the business sector around the world, by providing a “common language” for practices that specific industry sectors already have.
He added that the “common language” is meant to help organizations describe their current practices. “This will allow them to set their desired baseline and identify improvements,” he said.
None of those frameworks, of course, has transformed software security so far. There are daily reports of breaches enabled by weaknesses in software, whether consumer software or the software that controls systems.
So, at a minimum, if organizations are not willing to invest the time and money to follow its recommendations, it will not make any more of a difference than the others, no matter how good its proposed additions to software security are.
A long road
Is there any chance it will break that pattern? Not anytime soon, in Sammy Migues’ view. Migues, principal scientist at Synopsys and co-author of BSIMM, says that does not mean the proposed framework has no potential value. “Yes, over time it will help,” he said. “But who will follow it? Only those who have been given the task, and only if they are held accountable.”
And that is a small number. Migues says that NIST “doesn’t hold anyone accountable, nor is it a source of funding or awareness, so if there is an organization that has the power to hold people accountable, it is likely that it will be followed,” he said.
The marketplace, both public and private, could apply some leverage, he said, if an entity makes a security framework like this part of an RFP (request for proposal). “Mere