The National Institute of Standards and Technology (NIST) and the PCI Security Standards Council (PCI SSC) have recently announced complementary frameworks for secure software development. There are numerous mature, secure software lifecycle management methodologies and frameworks available that, when properly implemented and maintained, can produce secure software. In this blog, we interviewed Kevin Stine, Chief of the Applied Cybersecurity Division at NIST, and Troy Leach, SVP, Engagement Officer at PCI SSC, to learn more about the NIST and PCI SSC frameworks, respectively, why they were developed, and how they relate to each other.
What is the NIST Secure Software Development Framework (SSDF)? Why was it developed?
Kevin Stine: The NIST Secure Software Development Framework (SSDF), which is modeled after the Cybersecurity Framework, recommends a core set of high-level secure software development practices that can be integrated within each Software Development Lifecycle (SDLC) implementation. With the exception of the Secure Software Lifecycle (Secure SLC) standard developed by PCI Security Standards Council, few software development life cycle models explicitly address software security in detail. Therefore, to ensure that software being developed is well secured, the SDLC model needed to address secure software development practices. Recognizing this, NIST drafted and shared the SSDF for comment in June 2019. After extensive feedback, and many interactions with stakeholders in the community, we improved and finalized the SSDF in April 2020.
Why is now such an important time for the SSDF?
Kevin Stine: We recognized that there were three major factors which influenced our decision to develop the SSDF. First, with the continued increase in software vulnerabilities, there was a real opportunity to improve security. Secondly, it was important to be more responsive to development trends. Given the speed at which software is developed these days, we needed a more flexible approach to support faster development and speed-to-market for developers, while maintaining the integrity of protecting data. Finally, we needed to support different development methodologies to address software security in detail. Like the PCI SSC Software Security Framework, our approach provides similar flexibility to achieve good software security objectives.
What is the PCI SSC Software Security Framework (SSF)?
Troy Leach: The PCI SSC Software Security Framework is a collection of standards and associated certification programs that demonstrate good, consistent security to protect payment data. There are two standards that have been developed as part of this framework and were published in January 2019. The Secure Software Standard outlines security requirements and assessment procedures to help ensure payment software adequately protects the integrity and confidentiality of payment transactions and data. The Secure Software Lifecycle (Secure SLC) Standard outlines security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle.
Why was it a priority for the PCI SSC?
Troy Leach: PCI SSC established the SSF because software development practices have evolved over time, and the standards address these changes with an alternative approach for assessing software security. Modern software development requires objective-focused security to support more nimble development and update cycles than traditional software development practices. The PCI standards and programs of the SSF support this evolution in payment software practices. The framework provides flexibility to demonstrate protection of payment data regardless of the development methodology or software platform.
Why is Secure Software Lifecycle (Secure SLC) important?
Troy Leach: One of the most important aspects of the Secure SLC, and a consistent issue highlighted in recent compromises, is maintaining good software security, even as changes in software or security threats are introduced. This is especially true with the increased dependency on third-party software developers who may not know the expectations to protect payment data. The Secure SLC Standard helps achieve this by outlining security requirements and assessment procedures for software vendors to validate how they properly manage the security of payment software throughout the entire software lifecycle. The Secure SLC Standard sets out to address four main security objectives including software security governance, secure software engineering, secure software and data management, and security communications to stakeholders.
How do the NIST SSDF and PCI Secure SLC Standard align with each other?
Kevin Stine: Earlier this year, NIST published guidance on software security, titled “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF)”. The white paper, which was developed with input from several industry organizations, cites secure software development practices related to and further amplified by existing standards and approaches, such as the PCI Secure SLC Standard.
Troy Leach: The fact that our two frameworks align, as referenced in the SSDF, is an indication that they both contain fundamental security principles and objectives that support secure software, regardless of the type of software or the industry. For example, having well-defined policy, assigned roles of accountability, an organizational commitment to security, tamper prevention, verification of software integrity, and risk modeling are all common expectations within both sets of objectives. While the software assessed may differ at times, having a similar approach with similar control objectives provides a consistent roadmap for software developers and sets consistent expectations for the data being protected.
How does the industry benefit from these frameworks?
Kevin Stine: Any organization can benefit from the SSDF. Its use can help enable communications about secure software development practices among business owners, software developers, project managers and leads, and cybersecurity professionals within an organization. The secure software development practices included in the SSDF should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. And the common vocabulary that the SSDF provides makes it easier for software producers and software consumers to communicate with suppliers in acquisition processes and other management activities.
Troy Leach: Incorporating security throughout the lifecycle of software provides confidence to businesses that their software will adapt to new threats. Validation against the Secure SLC Standard illustrates to a customer that the software vendor has well defined processes in place to continuously monitor the security posture of the software against the ever-changing threat landscape, and to ensure that it remains resistant to attacks throughout its entire lifetime.
Where can people who are interested in software security get more information?
Kevin Stine: To learn more, download the SSDF white paper, “Mitigating the Risk of Software Vulnerabilities by Adopting a Secure Software Development Framework (SSDF),” on our website. There, you’ll also find other useful resources to help improve your organization’s approach to cybersecurity.
Troy Leach: You can learn more about the PCI SSC Secure Software Standard and Secure Software Lifecycle Standard by downloading these from our online Document Library. Other helpful resources include our PCI Software Security Framework FAQs, SSF At-A-Glance and Transitioning from PA-DSS to the PCI Software Security Framework documents.