Executive Order (EO) 14028, "Improving the Nation's Cybersecurity", 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven recommendations for software verification techniques and provides supplemental information about the techniques and references for further information. It recommends the following techniques:

1. Threat modeling to look for design-level security issues
2. Automated testing for consistency and to minimize human effort
3. Static code scanning to look for top bugs
4. Heuristic tools to look for possible hardcoded secrets
5. Use of built-in checks and protections
6. "Black box" test cases
7. Code-based structural test cases
8. Historical test cases
9. Fuzzing
10. Web app scanners, if applicable
11. Address included code (libraries, packages, services)

The document does not address the totality of software verification, but instead recommends techniques that are broadly applicable and form the minimum standards. The document was developed by NIST in consultation with the National Security Agency (NSA). Additionally, we received input from numerous outside organizations through papers submitted to a NIST workshop on the Executive Order held in early June 2021, discussion at the workshop, and follow-up with several of the submitters.
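As an added illustration of the "heuristic tools to look for possible hardcoded secrets" recommendation (example code written for this page, not part of the NIST document or any NIST tool), the following Python scanner combines two simple heuristics: a credential-like variable name assigned a string literal, and a string literal whose Shannon entropy is high enough to look like a key or token. The regexes, the 4.0-bit entropy cut-off and the sample source are assumptions constructed for this example.

```python
import math
import re

# Signal 1: a credential-like name (password, secret, api_key, token, ...)
# assigned a quoted literal of six or more characters. Pattern is an assumption.
KEYWORD_RE = re.compile(
    r'(?i)(password|passwd|secret|api[_-]?key|token|private[_-]?key)'
    r'\s*[:=]\s*["\']([^"\']{6,})["\']'
)
# Signal 2: a quoted literal of 20+ key-like characters; checked for entropy below.
STRING_RE = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')
ENTROPY_THRESHOLD = 4.0   # bits per character; heuristic cut-off chosen for this example


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, reason, matched_value) for each line that trips a heuristic."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = KEYWORD_RE.search(line)
        if m:
            findings.append((lineno, "credential-like name assigned a literal", m.group(2)))
            continue  # one finding per line is enough for triage
        for literal in STRING_RE.findall(line):
            if shannon_entropy(literal) >= ENTROPY_THRESHOLD:
                findings.append((lineno, "high-entropy string literal", literal))
                break
    return findings


# Constructed sample source for the demonstration; not taken from any real project.
SAMPLE = """\
import os
DB_PASSWORD = "hunter2hunter2"          # credential name with a literal value: flagged
AWS_TOKEN = os.environ["AWS_TOKEN"]     # read from the environment: not flagged
signing_key = "9fK2xQ7mLp0sVb3nZr8tWc4yHd6jAe1u"  # 32 distinct chars, 5.0 bits/char: flagged
GREETING = "hello world, this is a long plain string"  # prose literal: not flagged
"""

if __name__ == "__main__":
    for lineno, reason, value in scan_source(SAMPLE):
        print(f"line {lineno}: {reason}: {value!r}")
```

Because both signals are heuristics, every finding still needs a human to confirm whether the literal is a real credential or a harmless constant.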