Transcription of NISTIR 8397, Guidelines on Minimum Standards for Developer Verification of Software
NISTIR 8397
Guidelines on Minimum Standards for Developer Verification of Software
Paul E. Black, Barbara Guttman, Vadim Okun
Software and Systems Division, Information Technology Laboratory
This publication is available free of charge from:

U.S. Department of Commerce
Gina M. Raimondo, Secretary
National Institute of Standards and Technology
James K. Olthoff, Performing the Non-Exclusive Functions and Duties of the Under Secretary of Commerce for Standards and Technology & Director, National Institute of Standards and Technology

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately.
Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Interagency or Internal Report 8397
Natl. Inst. Stand. Technol. Interag. Intern. Rep. 8397, 33 pages (October 2021)

Abstract
Executive Order (EO) 14028, Improving the Nation's Cybersecurity, 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days.
This document describes eleven recommendations for software verification techniques and provides supplemental information about the techniques and references for further information. It recommends the following techniques:
- Threat modeling to look for design-level security issues
- Automated testing for consistency and to minimize human effort
- Static code scanning to look for top bugs
- Heuristic tools to look for possible hardcoded secrets
- Use of built-in checks and protections
- Black box test cases
- Code-based structural test cases
- Historical test cases
- Fuzzing
- Web app scanners, if applicable
- Address included code (libraries, packages, services)
The document does not address the totality of software verification, but instead recommends techniques that are broadly applicable and form the minimum standard.

This document was developed by NIST in consultation with the National Security Agency (NSA). Additionally, we received input from numerous outside organizations through papers submitted to a NIST workshop on the Executive Order held in early June 2021, discussion at the workshop, and follow-up with several of the contributors.

Keywords
software assurance; verification; testing; static analysis; fuzzing; code review

Additional Information
For additional information on NIST's cybersecurity programs, projects, and publications, visit the Computer Security Resource Center.
Information on other efforts at NIST and in the Information Technology Laboratory (ITL) is also available.

This document was written at the National Institute of Standards and Technology by employees of the Federal Government in the course of their official duties. Pursuant to Title 17, Section 105 of the United States Code, this is not subject to copyright protection and is in the public domain. NIST would appreciate acknowledgment if this document is used.

Acknowledgments
The authors particularly thank Fay Saydjari for catalyzing our discussion of scope; Virginia Laurenzano for infusing DevOps Research and Assessments (DORA) principles into the report and other material; Larry Wagoner for numerous contributions and comments; Steve Lipner for reviews and suggestions; David A. Wheeler for extensive corrections and recommendations; and Aurelien M. Delaitre, William Curt Barker, Murugiah Souppaya, Karen Scarfone, and Jim Lyle for their many contributions.

We thank the following for reviewing various codes, standards, guides, and other material: Jessica Fitzgerald-McKay, Hialo Muniz, and Yann Prono. For the acronyms, glossary, and other content, we thank Matthew B. Lanigan, Nhan L. Vo, William C. Totten, and Keith W.

We thank all those who submitted position papers applicable to our area to our June 2021 workshop.

This document benefited greatly from additional women and men who shared their insights and expertise during weekly conference calls between NIST and National Security Agency (NSA) staff: Andrew White, Anne West, Brad Martin, Carol A. Lee, Eric Mosher, Frank Taylor, George Huber, Jacob DePriest, Joseph Dotzel, Michaela Bernardo, Philip Scherer, Ryan Martin, Sara Hlavaty, and Sean Weaver. Kevin Stine, NIST, also contributed. We also appreciate contributions from Walter.

Trademark Information
All registered trademarks or trademarks belong to their respective organizations.

Table of Contents
1 Overview
  1.1 Aspects of Verification
  1.2 Outline
2 Recommended Minimum Standard for Developer Testing
  2.1 Threat Modeling
  2.2 Automated Testing
  2.3 Code-Based, or Static, Analysis
  2.4 Review for Hardcoded Secrets
  2.5 Run with Language-Provided Checks and Protection
  2.6 Black Box Test Cases
  2.7 Code-Based Test Cases
  2.8 Historical Test Cases
  2.9 Fuzzing
  2.10 Web Application Scanning
  2.11 Check Included Software Components
3 Background and Supplemental Information About Techniques
  3.1 Supplemental: Built-in Language Protection
  3.2 Supplemental: Memory-Safe Compilation
  3.3 Supplemental: Coverage Metrics
  3.4 Supplemental: Fuzzing
  3.5 Supplemental: Web Application Scanning
  3.6 Supplemental: Static Analysis
  3.7 Supplemental: Human Reviewing for Properties
  3.8 Supplemental: Sources of Test Cases
  3.9 Supplemental: Top Bugs
  3.10 Supplemental: Checking Included Software for Known Vulnerabilities
4 Beyond Software Verification
  4.1 Good Software Development Practices
  4.2 Good Software Installation and Operation Practices
  4.3 Additional Software Assurance Technology
5 Documents Examined
6 Glossary and Acronyms
References

In October 2021, we made many grammatical changes due to internal paperwork to obtain a Digital Object Identifier (DOI). While making those, we took the opportunity to also improve or correct text related to Interactive Application Security Testing (IAST) and update the name of an example.

1 Overview
To ensure that software is sufficiently safe and secure, software must be designed, built, delivered, and maintained well.
Frequent and thorough verification by developers as early as possible in the software development life cycle (SDLC) is one critical element of software security assurance. At its highest conceptual level, we may view verification as "a mental discipline to increase software quality" [1, p. 10]. As NIST's Secure Software Development Framework (SSDF) says, verification is used "to identify vulnerabilities and verify compliance with security requirements" [2]. According to International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC)/Institute of Electrical and Electronics Engineers (IEEE) 12207:2017 [3], verification, which is sometimes informally called "testing", encompasses many static and active assurance techniques, tools, and related processes.
They must be employed alongside other methods to ensure a high level of software quality.

This document recommends minimum standards of software verification by software producers. No single software security verification standard can encompass all types of software and be both specific and prescriptive while supporting efficient and effective verification. Thus, this document recommends guidelines for software producers to use in creating their own processes. To be most effective, the process must be very specific and tailored to the software products, technology (e.g., language and platform), toolchain, and development lifecycle model.