To ensure that software is sufficiently safe and secure, the software must be designed, built, delivered, and maintained in accordance with best practices. Frequent and thorough testing by developers as early as possible in the software development life cycle (SDLC) is one critical practice. At its highest conceptual level, verification is a discipline employed to increase software security. Verification encompasses many static and active assurance techniques, tools, and related processes to identify and remediate security defects while continuously improving the methodology and supporting processes. These verification techniques, tools, and processes must be employed alongside other methods to achieve a high level of software security.
This webpage summarizes minimum standards recommended for verification by software vendors or developers. No single verification standard can encompass all types of software testing, be specific and prescriptive, and present efficient and effective testing. Thus, this document recommends high-level guidelines for software producers to create their own prescriptive processes.
These guidelines expand on NIST’s Secure Software Development Framework (SSDF) practices. See especially Produce Well-Secured Software (PW) Practice 7, Review and/or Analyze Human-Readable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements, and PW Practice 8, Test Executable Code to Identify Vulnerabilities and Verify Compliance with Security Requirements.