funsec mailing list archives
standards for security in software
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 7 Apr 2009 21:39:12 -0400
Below is the section of S.773 mandating that NIST establish "measurable and auditable cybersecurity standards" for systems and networks. Do standards along these lines exist already? I guess I'd be surprised if nothing like this exists, but the only ones I'm aware of don't have a lot of real-world relevance, like C1 and B certifiability. Some of it is already in place or at least being worked on, like the standard configurations (see http://www.eweek.com/c/a/Security/Standardizing-the-Federal-Desktop/) or the vulnerability specification stuff. Do others think the other elements and the big picture of this is practical?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.

(a) IN GENERAL. Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:

(1) CYBERSECURITY METRICS RESEARCH. The Director of the National Institute of Standards shall establish a research program to develop cybersecurity metrics and benchmarks that can assess the economic impact of cybersecurity. These metrics should measure risk reduction and the cost of defense. The research shall include the development of automated tools to assess vulnerability and compliance.

(2) SECURITY CONTROLS. The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.

(3) SOFTWARE SECURITY. The Institute shall establish standards for measuring the software security using a prioritized list of software weaknesses known to lead to exploited and exploitable vulnerabilities. The Institute will also establish a separate set of such standards for measuring security in embedded software such as that found in industrial control systems.

(4) SOFTWARE CONFIGURATION SPECIFICATION LANGUAGE. The Institute shall establish standard computer-readable language for completely specifying the configuration of software on computer systems widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

(5) STANDARD SOFTWARE CONFIGURATION. The Institute shall establish standard configurations consisting of security settings for operating system software and software utilities widely used in the Federal government, by government contractors and grantees, and in private sector owned critical infrastructure information systems and networks.

(6) VULNERABILITY SPECIFICATION LANGUAGE. The Institute shall establish standard computer-readable language for specifying vulnerabilities in software to enable software vendors to communicate vulnerability data to software users in real time.

(7) NATIONAL COMPLIANCE STANDARDS FOR ALL SOFTWARE.

(A) PROTOCOL. The Institute shall establish a standard testing and accreditation protocol for software built by or for the Federal government, its contractors, and grantees, and private sector owned critical infrastructure information systems and networks, to ensure that it (i) meets the software security standards of paragraph (2); and (ii) does not require or cause any changes to be made in the standard configurations described in paragraph (4).

(B) COMPLIANCE. The Institute shall develop a process or procedure to verify that (i) software development organizations comply with the protocol established under subparagraph (A) during the software development process; and (ii) testing results showing evidence of adequate testing and defect reduction are provided to the Federal government prior to deployment of software.

(b) CRITERIA FOR STANDARDS. Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.

(c) INTERNATIONAL STANDARDS. The Director, through the Institute and in coordination with appropriate Federal agencies, shall be responsible for United States representation in all international standards development related to cybersecurity, and shall develop and implement a strategy to optimize the United States' position with respect to international cybersecurity standards.

(d) COMPLIANCE ENFORCEMENT. The Director shall (1) enforce compliance with the standards developed by the Institute under this section by software manufacturers, distributors, and vendors; and (2) require each Federal agency, and each operator of an information system or network designated by the President as a critical infrastructure information system or network, periodically to demonstrate compliance with the standards established under this section.

(e) FCC NATIONAL BROADBAND PLAN. In developing the national broadband plan pursuant to section 6001(k) of the American Recovery and Reinvestment Act of 2009, the Federal Communications Commission shall report on the most effective and efficient means to ensure the cybersecurity of commercial broadband networks, including consideration of consumer education and outreach programs.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.