
Digging into the NIST Secure Software Development Framework

Hear Tidelift VP of Product Lauren Hanford break down the four areas of the National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF).

This video clip comes from our on-demand webinar, "How the NIST SSDF impacts open source software." In this webinar, Lauren and Senior Product Marketing Lead Kanish Sharma discuss the NIST SSDF and how organizations can follow its guidance when they are building applications with open source software. You can watch the entire webinar on-demand here.


TRANSCRIPT

I've spent quite a bit of time digging into the framework itself, the way that it buckets things into these different areas, and the examples that NIST has highlighted as good, sensible practices for delivering on the ultimate outcome here: secure software. I think as a whole, the framework is very sensible. I really love that they've recognized a lot of the hard work that organizations are already doing to get to that outcome of secure software. I think it's really interesting that they decided to lead with preparing the organization as a first point.

In really broad strokes, the way that I think of these buckets is: in the preparing the organization phase, you're really thinking about policies, requirements, roles and responsibilities within your organization. You're looking to get a shared foundation set up on the tools and practices that you're going to use, and setting up a secure environment overall for great development to happen within.

When you move on to protecting the software, I think of this as a systems layer. That's when you get into things that are more about traceability. You're gonna see your software bills of materials start to show up here, and other ideas and concepts around provenance. How do we know artifacts are what they say they are? Do we have a clear, traceable record of what actually went out into the world?

The producing well-secured software bucket is the day to day. What are the coding practices that are in place? How are your development teams interacting with compliance or risk teams, security, DevOps, DevSecOps, all of those sorts of boots-on-the-ground operational concepts?

The final bucket is responding to vulnerabilities. Everything up to this point has been described by NIST as best practices to get us to the place where we minimize bad things from happening. But no matter what we all do, there will be moments when issues come up, and we need to tackle them. So this last bucket is about: what is the playbook when that happens, what's the plan going to be?

In general, my read on this framework is it's not looking for overnight miracles, which is good, right? Because this is going to be a journey for everybody. But I do think that it is setting us all up for our best chance of success with delivering secure software outcomes.