NIST Special Publication 800-160

I have recently been asked a lot about the NIST process mentioned in an earlier post. In a nutshell, NIST was working on a paper describing (software) security as a holistic approach, deeply embedding a security mindset into traditional systems engineering patterns with the goal of building secure and resilient systems, instead of bolting security on in a later stage of the game.

NIST has meanwhile published more current draft materials ( ). At this time, the link points to a draft dated May 2014. The draft was released about six months ago, and NIST 800-160 starts to pick up with the industry. I had numerous inquiries from major HP customers asking questions on HP’s internal security processes in context of NIST 800-160, and how HP is proactively dealing with security threats not yet known while the product is being built. The language of the requests with terms such as “resiliency”, “trustworthiness”, and “build security in” strongly resemble the language NIST and the Department of Homeland Security have chosen in their publications around software that should be able to not only withstand known attacks, but also be ready to resist new threats or possibly even actively defend against them.

John Diamant is an HP Distinguished Technologist and secure product development strategist in HP. He has done a lot of work on how to design security into a product, and with HP’s Comprehensive Applications Threat Analysis (CATA), John has created a great toolkit to automate parts of the security requirements and threat analysis.

John is working a lot with the US public sector, and he certainly sees a lot of the feedback HP receives around the NIST and DHS security initiatives. He has some very interesting comments on how to create secure and resilient software, and how a Secure Software Development Lifecycle (SSDLC) program fits into this: