Threat Watch

NIST Releases Security Minimums for Developers

Pursuant to the United States’ Executive Order (EO) 14028, Improving the Nation’s Cybersecurity, the National Institute of Standards and Technology (NIST) has released a new document recommending software security testing practices to apply during software development. The report is intended to describe a subset of minimum standards and suggestions drawn from current information security industry best practices. These include: threat modeling to look for design-level security issues; automated testing practices; static code analysis to identify bugs; scanning for hardcoded secrets exposed in the software; the use and analysis of randomized input, known as “fuzzing”; web application scanners; supply chain verification of included libraries and packages; zero-information or so-called “black box” test cases; the use of built-in checks and protections; and code-based structural test cases. An extensive supplementary description of each technique, along with standard references, is included in the document.
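To make one of the listed practices concrete, the following is an added illustration (not code from the NIST document or from any project it references) of how a minimal hardcoded-secret scanner works: a regular expression flags credential-named variables assigned string literals, a second pattern catches well-known key prefixes, and a Shannon-entropy check separates random-looking values from placeholders. The sample source, the regexes and the thresholds are constructed for this example and are not an exhaustive ruleset.

```python
import math
import re

# Constructed sample source (not from the NIST document or any real project).
# Line 2 is a weak literal, line 4 carries a known key prefix, line 5 is a
# high-entropy literal; line 3 reads from the environment and should pass.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2"
api_key = os.environ.get("API_KEY")
AWS_KEY = "AKIAEXAMPLEEXAMPLE01"
SESSION_SECRET = "k3Jd9qLz2vXp8RtYw4Nm7BcHs1Ff6GaQ"
greeting = "hello world"
"""

# Illustrative patterns: a credential-like variable name assigned a quoted
# literal, and two widely recognised key prefixes (AWS access key, GitHub PAT).
CREDENTIAL_ASSIGNMENT = re.compile(
    r'(?i)\w*(password|passwd|secret|api_key|token|key)\w*\s*=\s*["\']([^"\']+)["\']'
)
KNOWN_PREFIX = re.compile(r'\b(AKIA[0-9A-Z]{16}|ghp_[0-9A-Za-z]{36})\b')


def shannon_entropy(s):
    """Bits of entropy per character; randomly generated secrets score high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(source, entropy_threshold=3.5, min_len=16):
    """Return a list of (line_number, reason) for lines that look like hardcoded secrets."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if KNOWN_PREFIX.search(line):
            findings.append((line_no, "known key prefix"))
            continue
        match = CREDENTIAL_ASSIGNMENT.search(line)
        if match:
            value = match.group(2)
            if len(value) >= min_len and shannon_entropy(value) >= entropy_threshold:
                findings.append((line_no, "high-entropy credential literal"))
            else:
                findings.append((line_no, "credential assigned from literal"))
    return findings


if __name__ == "__main__":
    for line_no, reason in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason}")
```

Run against the constructed sample, the scanner reports lines 2, 4 and 5 and stays silent on line 3, where the value comes from the environment rather than the source tree. Real tools such as those NIST points to layer many more patterns and a baseline of known false positives on top of this same structure; the entropy threshold is the knob that trades missed short passwords against noise from ordinary string constants.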


The document presents a number of details within several categories of best practice. Existing DevOps or SecDevOps programs are likely already carrying out these suggestions, adapted to their own organizational requirements. Under the Executive Order, these minimums will quickly become required practice within the USA for software developed by or sold to US governmental entities and contractors, including defense contractors and critical infrastructure providers, as well as their suppliers and subcontractors. Deadlines for compliance range from 30 days to 120 days. As such, they will likely cast a large shadow by incentivizing current industry best practices in software development more broadly. EO 14028 will continue to affect the practice of information security within the USA in a number of areas on an ambitious timeline. It is worth noting that NIST documents tend to establish a subset of suggestions and baseline minimums; they should not be taken as a comprehensive checklist of everything relevant to an organization’s software security, whether in internal development or in software vendor practices.