Scribe Security, a software security company, has announced its support for the Secure Software Development Attestation Form issued by the Cybersecurity and Infrastructure Security Agency (CISA). The company's Software Trust Hub enables organizations to validate their commitment to secure Software Development Lifecycle (SDLC) practices in alignment with CISA's security standards. Scribe's attestation-based platform gathers and authenticates evidence, producing proof of adherence to those standards. This partnership aims to enhance software supply chain security and promote secure software development practices.
CISA is currently seeking additional comments on its Secure Software Development Attestation Common Form. The form will be used by federal agencies to obtain attestation from software developers regarding the security of their products. The revised draft includes updates such as the option for a third-party assessor organization to attest to the software producer's conformance and the CEO's ability to designate an employee to sign the attestation. The comment period is open until December 18, 2023.
CISA and federal agencies prioritize software security by improving vulnerability management and using software bills of materials (SBOMs). They seek to establish uniform parameters for tracking critical information that improves software security, including known vulnerabilities, mitigations, security patches, and approved software. A more robust software identifier ecosystem is needed for harmonized software identification, automation, inventory visibility, and broad adoption of SBOMs.
ISA/IEC 62443-4-1 is a standard specifying requirements for a secure product development lifecycle. NIST developed the Secure Software Development Framework (SSDF) as a secure development framework for a broad set of industries, whereas ISA/IEC 62443-4-1 was developed for industrial automation and control systems. ISA/IEC 62443-4-1 can be used as a companion to SSDF, providing detailed guidance for its practices. Security must be considered early and in all aspects of product development. Used in conjunction with SSDF, ISA/IEC 62443-4-1 can also serve as a path to externally recognized certification.