NIST Cybersecurity Framework and Static Code Analysis
The NIST Cybersecurity Framework was initially designed to protect critical infrastructure, defined as those systems so vital to the United States that their incapacity or destruction would have a debilitating impact on cybersecurity, national economic security, and national public health or safety. However, any organization can use it as voluntary guidance for applying the principles and best practices of risk management to improve its security and resilience.
Satisfying the requirements of the NIST Cybersecurity Framework can be difficult and time-consuming. For that reason, we have provided an overview to help ensure that you have a strong cybersecurity framework.
What Is NIST
The National Institute of Standards and Technology — or NIST — is part of the U.S. Department of Commerce. It provides a cybersecurity framework that helps organizations to better understand and improve their management of cybersecurity risk.
Structure of the Framework
The NIST Cybersecurity Framework is composed of three components:
1. Framework Core provides a set of activities to achieve specific cybersecurity outcomes, together with informative references: examples of existing guidance that help achieve those outcomes.
2. Implementation Tiers describe an increasing degree of rigor and sophistication in cybersecurity risk management practices. Organizations should determine the desired Tier to ensure that:
- The selected level meets the organizational goals.
- The selected level is feasible to implement.
- The selected level reduces cybersecurity risk to an acceptable level.
3. Framework Profiles can be used to describe the current state or the desired target state of specific cybersecurity activities. The Current Profile indicates the cybersecurity outcomes that are currently being achieved. The Target Profile indicates the outcomes needed to achieve the desired cybersecurity risk management goals.
Once an organization has determined the appropriate implementation tier, and understands the gap between its current and target profiles, it can put plans in place to implement the activities from the framework core in order to move towards its target profile.
How Static Code Analysis Helps Improve Cybersecurity
There are many desirable outcomes (subcategories) contained within the framework core functions. The activities needed to achieve these outcomes are not limited to the IT or engineering departments.
Software development has become an important activity within an increasing number of organizations, even where software is not the core product or service supplied by the business. Whether software is developed for internal applications, embedded in the final product, or the software itself is the final product, security needs to be built in from the start.
With two-thirds of security vulnerabilities attributed to ordinary coding errors, it is particularly important for these organizations to follow the guidance contained in the CIS Critical Security Controls for Effective Cyber Defense (CIS Controls) – a document that is extensively referenced from the NIST framework.
CIS Critical Security Controls
The most relevant section of CIS Controls for secure software development is CIS Control 18, Application Software Security, which recommends the following activities:
Establish secure coding practices (18.1)
Establishing secure coding practices means the adoption of a written coding standard for the programming language in use. With a static code analyzer — like Klocwork — you are able to apply and enforce well-established secure coding guidelines — such as CERT and CWE — to ensure that your devices and software are protected against cyberthreats.
Ensure software development personnel are trained in secure coding (18.6)
The best static analyzers provide developers with guidance on how to fix security issues. However, only Klocwork provides software development teams with a unique ‘connected desktop’ technology. This connected desktop delivers secure coding advice directly to developers as they code – effectively supplying continuous on-the-job training.
Apply static and dynamic code analysis tools (18.7)
Static application security testing (SAST) tools — such as Klocwork — analyze source code without compiling or running it. Klocwork’s dataflow analysis follows how values move between functions and along control-flow paths, so it can predict run-time failures before the application is ever run. This means many issues are fixed at the earliest opportunity, even before the first dynamic test, which reduces rework cycle times and ultimately saves time and money.
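As an added illustration of the CERT/CWE enforcement described under 18.1 and the dataflow finding described under 18.7, the following C listing shows a defect pattern beside its corrected form. This is example code written for this page, not Klocwork’s own checker logic or output; the record size, the field name and the sample names are assumptions constructed for the example. The point it makes is the one the text makes: the unsafe version passes any test that uses a short name, so only analysis of the source itself reveals that a long name overruns the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not from the article or from Klocwork): a fixed-size
 * record such as an embedded device might keep for a user name. The size is
 * an assumption chosen for illustration. */
#define NAME_MAX 16

struct record {
    char name[NAME_MAX];
};

/* "Before": the pattern a dataflow checker reports before any test runs.
 * strcpy() writes strlen(src) + 1 bytes regardless of the destination size
 * (CWE-120; CERT STR31-C). A short name passes every dynamic test, so the
 * defect only surfaces when a caller supplies a name of NAME_MAX bytes or
 * more. Kept here as the pattern to recognise; the driver below never
 * passes it a long name. Returns 0 on success, -1 on a NULL argument. */
int set_name_unsafe(struct record *r, const char *src)
{
    if (r == NULL || src == NULL)
        return -1;
    strcpy(r->name, src);
    return 0;
}

/* "After": the STR31-C-conformant rewrite. The scan for the terminator is
 * bounded to the destination size, and over-long input is rejected rather
 * than silently truncated, so a caller cannot mistake a cut string for a
 * valid one. Returns 0 on success, -1 on NULL or over-long input. */
int set_name(struct record *r, const char *src)
{
    if (r == NULL || src == NULL)
        return -1;
    /* Look for the terminator within the first NAME_MAX bytes only, so the
     * scan itself never reads past the space we are allowed to copy. */
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL)
        return -1;               /* no room for the string plus its '\0' */
    size_t n = (size_t)(end - src);
    memcpy(r->name, src, n + 1); /* n + 1 <= NAME_MAX, terminator included */
    return 0;
}

/* Stand-alone driver: the unsafe and safe versions agree on short input,
 * which is exactly why a dynamic test would not catch the strcpy. */
int main(void)
{
    struct record r;
    const char *short_name = "alice";                              /* constructed */
    const char *long_name = "this-name-is-longer-than-sixteen";    /* constructed */

    printf("unsafe(short): %d -> \"%s\"\n", set_name_unsafe(&r, short_name), r.name);
    printf("safe(short):   %d -> \"%s\"\n", set_name(&r, short_name), r.name);
    printf("safe(long):    %d (rejected, buffer untouched)\n", set_name(&r, long_name));
    return 0;
}
```

Note the design choice in the corrected function: rejecting over-long input with an error code rather than truncating it keeps the failure visible to the caller, which is the behaviour a written coding standard should specify so that every reviewer and every checker enforces the same rule.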
See How Klocwork Can Help
See how Klocwork can help you develop devices with an effective cybersecurity process. Request a trial to learn firsthand.