NIST Proposes Secure Software Development Framework

NIST proposes a Secure Software Development Framework to address software supply chain attacks

Applying software updates and patches as soon as possible is a cyber security best practice, but what if an update contains malicious code inserted by a hacker? Software supply chain attacks are a serious and growing problem for both private-sector organizations and the federal government. Among other incidents, Chinese nation-state hackers successfully breached numerous third-party contractors working for the U.S. Navy on multiple occasions over an 18-month period.

The Navy contractor attacks and similar incidents were the impetus for the federal government barring agencies from purchasing certain vendors’ software and hardware. However, these bans don’t address the root of the problem, which is that security must be baked into the software development lifecycle (SDLC) from the very beginning. This is why NIST has proposed a Secure Software Development Framework (NIST SSDF).

What’s in the NIST SSDF?

While there are many SDLC frameworks, few specifically address secure software development; they were designed to speed up and bring order to the development process, not ensure security. Instead, project managers are left to integrate secure development practices on their own.

The proposed NIST SSDF does not introduce any new practices. It curates high-level secure software development best practices from a number of existing sources. So that the framework is flexible, it does not specify how to implement its recommendations. Implementation will look different in every organization, as data environments, security objectives, and priorities greatly differ.

The proposed framework includes 19 best practices for secure software development, grouped under four categories.

Prepare the organization. The best practices in this category are about aligning the organization’s people, processes, and technology to build a strong foundation for secure software development. It outlines practices such as ensuring that security requirements for software development are known at all times so they can be taken into account throughout the SDLC; making sure that everyone involved in the SDLC knows what their roles and responsibilities are regarding secure development; and using automation to improve the accuracy, consistency, and comprehensiveness of security practices.

Protect the software. Software must be secured against tampering and unauthorized access, both intentional and accidental. The best practices in this category address how to secure source code for in-house projects and provide recommendations to aid end users in ensuring that the software they acquire is legitimate and has not been tampered with.

Produce well-secured software. The best practices in this category seek to maximize software security and minimize vulnerabilities in each release. Many developers have not been educated in secure development practices and end up unknowingly producing insecure code. In addition to addressing secure software development practices for in-house projects, it provides recommendations for verifying that third-party software meets security requirements.

Respond to vulnerability reports. The best practices in this category focus on identifying potential vulnerabilities in each successive release, addressing them, and preventing similar problems in future releases.

NIST hopes that the recommendations in the SSDF benefit both sellers and buyers in the software supply chain. Sellers who adopt secure software development practices will address the root causes of supply chain cyberattacks by minimizing potential vulnerabilities in each release and mitigating the impact of undiscovered vulnerabilities. Buyers can adapt these practices and incorporate them into their software acquisition processes.

The public comment period for the draft NIST SSDF began on June 11 and ends on August 5, 2019.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Your Guide to the PCI DSS Merchant Levels

Are you confused about which of the PCI DSS merchant levels applies to your company? Let’s clear things up.

If your organization processes, stores, or transmits cardholder data for the major credit card brands, you are required to be compliant with PCI DSS. PCI DSS is not required by U.S. federal law; it is an industry standard mandated by the credit card companies. However, some states have laws that refer to PCI DSS explicitly or contain equivalent mandated standards. Additionally, being found out of compliance can put your company in the crosshairs of the FTC.

The PCI DSS mandates that organizations follow 12 requirements, all categorized into one of six goals. Additionally, there are four PCI DSS merchant levels, which determine the type of validation an organization needs for their PCI DSS compliance. They are primarily determined according to a company’s risk profile and are as follows:

Merchant Level 1 applies to companies that handle more than six million Mastercard or Visa transactions annually. This merchant level also applies to companies that have experienced an attack resulting in compromised card data or that have been deemed a Level 1 by a card association.

Merchant Level 2 applies to companies that handle between one and six million Mastercard or Visa transactions annually.

Merchant Level 3 is for companies that handle between 20,000 and one million e-commerce Mastercard or Visa transactions annually.

Merchant Level 4 companies process (1) fewer than 20,000 Mastercard or Visa e-commerce transactions annually or (2) up to one million Mastercard or Visa transactions annually.

PCI DSS Merchant Level Validation Requirements

Levels 2 and 3 have very similar validation requirements:

  • An annual self-assessment using the applicable self-assessment questionnaire (SAQ)
  • A quarterly network scan by an approved scanning vendor (ASV)
  • An Attestation of Compliance form

Merchant Level 4 validation standards are dictated by the organization’s acquiring bank. Typically, the bank will require, at minimum, an annual SAQ and quarterly scans by an ASV.

Then, there’s Merchant Level 1. Because of the higher level of risk these companies pose, either due to dealing with a very large number of transactions or having previously been breached, they are not allowed to self-assess. In addition to a quarterly scan by an ASV and an Attestation of Compliance form, Merchant Level 1 companies must undergo an annual audit, known as a Level 1 onsite assessment, conducted by a certified PCI DSS Qualified Security Assessor (QSA) such as Lazarus Alliance.

The QSA evaluates the Merchant Level 1 company’s IT policies and procedures, payment applications, and card data network environment, compiling a detailed assessment of vulnerabilities and a list of improvements to prevent breaches. At the end of the audit process, the QSA prepares a Report on Compliance (ROC) to be submitted to the company’s acquiring bank. Before the ROC is submitted, the QSA works with the organization being audited to address any issues that were noted.

What happens if you breach a Merchant Level requirement?

If you breach a PCI DSS Merchant Level requirement, the card associations can punish your company by slotting it into a higher Merchant Level. It’s very important to correctly classify your company and ensure that you are using the correct validation process for your Merchant Level.