References & Citations
Computer Science > Software Engineering
Title: Guidelines on Minimum Standards for Developer Verification of Software
(Submitted on 27 Jul 2021 (v1), last revised 7 Oct 2021 (this version, v2))
Abstract: Executive Order (EO) 14028, "Improving the Nation's Cybersecurity", 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven recommendations for software verification techniques as well as providing supplemental information about the techniques and references for further information. It recommends the following techniques:
Threat modeling to look for design-level security issues
Automated testing for consistency and to minimize human effort
Static code scanning to look for top bugs
Heuristic tools to look for possible hardcoded secrets
Use of built-in checks and protections
"Black box" test cases
Code-based structural test cases
Historical test cases
Fuzzing
Web app scanners, if applicable
Address included code (libraries, packages, services)
The document does not address the totality of software verification, but instead, recommends techniques that are broadly applicable and form the minimum standards.
The document was developed by NIST in consultation with the National Security Agency (NSA). Additionally, we received input from numerous outside organizations through papers submitted to a NIST workshop on the Executive Order held in early June 2021, discussion at the workshop, as well as follow up with several of the submitters.
Submission history
From: Paul Black [view email][v1] Tue, 27 Jul 2021 14:33:17 GMT (150kb,D)
[v2] Thu, 7 Oct 2021 14:58:36 GMT (336kb,D)
Link back to: arXiv, form interface, contact.