Pursuant to the United States’ Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, the National Institute of Standards and Technology (NIST) has released a new document with recommendations for software security testing during the software development process. The report is intended to describe a subset of minimum standards and suggestions drawn from current information security industry best practices. These include: threat modeling to find design-level security issues; automated testing practices; static code analysis to identify bugs; scanning for hardcoded secrets exposed in the software; the use and analysis of randomized input, known as “fuzzing”; web application scanners; supply chain verification of included libraries and packages; zero-information or so-called “black box” test cases; running the software with built-in checks and protections enabled; and code-based structural test cases. An extensive supplementary description of each technique, as well as standard references, is included in the document.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in