Wind River Secure Development Lifecycle
With the ongoing menace of bad actors threatening national security, corporate data, and valuable intellectual property, the need for secure software development has never been more critical. The recent Presidential Executive Order 14028 outlining the implementation of secure software supply chains has set a new standard for ensuring the integrity and safety of digital products. At the heart of this initiative is the Secure Software Development Framework (SSDF), provided by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-218.
The Threat Landscape
Cyber adversaries and opportunistic criminals constantly seek vulnerabilities in digital technologies to exploit, jeopardizing the confidentiality, integrity, and availability of sensitive information. The rising incidents of data breaches and cyber-attacks that regularly make sensational news highlight the risks to security, profit, and reputation.
Recognizing the urgency of fortifying the nation's cyber defenses, the US President issued an Executive Order aimed at securing software supply chains. This directive emphasized the implementation of rigorous security measures throughout the software development lifecycle, with a focus on adherence to the NIST SP 800-218 guidelines. The Executive Order serves as a rallying cry for organizations to prioritize cybersecurity and adopt practices that mitigate the risk of supply chain attacks.
The Secure Software Development Framework (SSDF)
At the core of the Executive Order's requirements lies the SSDF, a comprehensive approach to software development that integrates security measures at every stage. Unlike traditional development processes that tack on security as an afterthought, the SSDF prioritizes security from the inception of a project, through design, implementation, test, deployment, and maintenance. At each step, security protocols are diligently followed, ensuring that the final product is and continues to be resilient to potential cyber threats.
These guidelines provide a comprehensive framework for developing secure software, addressing key aspects such as threat modeling, secure coding practices, and continuous monitoring. To comply with the executive order, organizations must adhere to the NIST SP 800-218 guidelines and provide attestation of conformance as a qualification for use in the federal government.
To illustrate, say a contractor with the US Federal government is creating a software platform for a military avionics use case. By adhering to the NIST guidelines, the company engages in rigorous threat modeling, identifying potential vulnerabilities and devising countermeasures. Secure coding practices are employed throughout the development process, reducing the likelihood of exploitable weaknesses. Continuous monitoring ensures that the application remains secure even after deployment. This proactive approach to security, as advocated by NIST SP 800-218, goes beyond mere compliance – it establishes a culture of resilience against cyber threats.
Wind River Secure Development Lifecycle (SDL)
To confront this ongoing threat and to continue to deliver trusted products and services, Wind River has established alignment with NIST SP 800-218 publication “Secure Software Development Framework (SSDF)” across our products. Our Secure Development Lifecycle (SDL) is aligned with NIST 800-218 principles: prepare the organization, protect the software, produce well-secured software, and respond to vulnerabilities.
Industries beyond aerospace and defense and countries outside the US benefit, as all companies face cybersecurity risks. By employing these industry-leading practices in developing our software, all Wind River customers gain assurance that the products they receive from Wind River have been developed with security designed into every step of the way.
Wind River offers Secure Software Development Conformance statements to customers, to assure conformance to the SSDF. These statements provide customers with supply chain and component assurance that supports their industry-specific integrations, compliances, and certifications across many SDL standards and industries.
About the author
Monty Forehand is Director, R&D Security Office at Wind River