A new initiative at the National Institute of Standards and Technology (NIST) is designed to emphasize the most widely recognized software engineering principles and bring them to bear to ease some of the challenges involved in information system security.

The effort seeks to encourage secure coding best practices from the very beginning of development projects rather than trying to bolt on security later in the development process, something security experts have spent many years pleading for.

Ron Ross, a NIST Fellow, points out that we require civil engineers to adhere to the principles of physics and engineering in order to build reliable and safe structures, and so we should similarly require systems and software engineers to approach development with the same level of attention to building their systems as securely as possible.

“We need to have the same confidence in the trustworthiness of our IT products and systems that we have in the bridges we drive across or the airplanes we fly in,” said Ross.

NIST has embarked on a four-stage process to generate comprehensive security guidelines based on international standards for systems and software engineering, and has made available the first draft, Systems Security Engineering: An Integrated Approach to Building Trustworthy Resilient Systems, for public comment.

“The current draft—and the first stage of the planned process—describes the fundamentals of systems security engineering, elements and concepts and covers 11 core technical processes in systems and software development,” NIST stated.

“Later public drafts will add material in supporting appendices, for example, on principles of security, trustworthiness and system resilience; use case scenarios; and important nontechnical processes such as risk management and quality control procedures. NIST expects to publish the final, complete version of the engineering guidelines by December 2014.”

Public comments on the current draft are requested by July 11, 2014, and should be sent to