Guidelines on Minimum Standards for Developer Verification of Software
This provides incremental guidelines for software developers to enhance security verification, addressing a specific regulatory need in cybersecurity.
The document outlines eleven recommended software verification techniques, such as threat modeling and automated testing, to establish minimum standards for software testing as directed by Executive Order 14028, aiming to improve cybersecurity.
Executive Order (EO) 14028, "Improving the Nation's Cybersecurity", 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven recommendations for software verification techniques as well as providing supplemental information about the techniques and references for further information. It recommends the following techniques: Threat modeling to look for design-level security issues Automated testing for consistency and to minimize human effort Static code scanning to look for top bugs Heuristic tools to look for possible hardcoded secrets Use of built-in checks and protections "Black box" test cases Code-based structural test cases Historical test cases Fuzzing Web app scanners, if applicable Address included code (libraries, packages, services) The document does not address the totality of software verification, but instead, recommends techniques that are broadly applicable and form the minimum standards. The document was developed by NIST in consultation with the National Security Agency (NSA). Additionally, we received input from numerous outside organizations through papers submitted to a NIST workshop on the Executive Order held in early June 2021, discussion at the workshop, as well as follow up with several of the submitters.