Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Guidelines on Minimum Standards for Developer Verification of Software

Published

Author(s)

Paul E. Black, Vadim Okun, Barbara Guttman

Abstract

Executive Order (EO) 14028, Improving the Nation's Cybersecurity, 12 May 2021, directs the National Institute of Standards and Technology (NIST) to recommend minimum standards for software testing within 60 days. This document describes eleven recommendations for software verification techniques as well as providing supplemental information about the techniques and references for further information. It recommends the following techniques: • Threat modeling to look for design-level security issues • Automated testing for consistency and to minimize human effort • Static code scanning to look for top bugs • Heuristic tools to look for possible hardcoded secrets • Use of built-in checks and protections • "Black box" test cases • Code-based structural test cases • Historical test cases • Fuzzing • Web app scanners, if applicable • Address included code (libraries, packages, services) The document does not address the totality of software verification, but instead recommends techniques that are broadly applicable and form the minimum standards. The document was developed by NIST in consultation with the National Security Agency. Additionally, we received input from numerous outside organizations through papers submitted to a NIST workshop on the Executive Order held in early June, 2021 and discussion at the workshop as well as follow up with several of the submitters.
Citation
NIST Interagency/Internal Report (NISTIR) - 8397
Report Number
8397

Keywords

software assurance, verification, testing, static analysis, fuzzing, code review, software security.

Citation

Black, P. , Okun, V. and Guttman, B. (2021), Guidelines on Minimum Standards for Developer Verification of Software, NIST Interagency/Internal Report (NISTIR), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.IR.8397, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=933350 (Accessed June 29, 2022)
Created October 6, 2021