NIST details software security assessment process
To help organizations manage the risk from attackers who take advantage of unmanaged software on a network, the National Institute of Standards and Technology has released a draft operational approach for automating the assessment of SP 800-53 security controls that manage software.
Attackers search for and exploit unauthorized or unmanaged software -- either for the data the software handles (e.g., personally identifiable information) or as a foothold from which to move laterally across a network. Software asset management (SWAM) reduces that exposure by giving organizations visibility into the software running on every device on their networks so they can better defend themselves.
SWAM identifies the software currently present on a network and compares it against the organization's authorized software inventory to determine whether each installation has been approved. Any installation that has not been approved is recorded as a defect and assigned to a person or team responsible for managing it, either by authorizing it or by removing it.
The guidance uses a broad definition of software: not only business applications but operating systems, executables residing on disk, mobile code, firmware, code resident in memory, and the software inside security products themselves, such as firewalls, whitelisting software and vulnerability scanners.
The majority of the draft details the step-by-step process for adapting the SWAM Security Assessment Plan to a specific network's needs. It includes templates listing the elements to be documented, the defect checks to be applied, and who is responsible for mitigating each kind of defect.
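The comparison and assignment steps described above, as an added example that is not code from the NIST draft or from the article: an automated defect check that takes the software an inventory collector observed on each device, checks each installation against the authorized inventory by name, version and executable hash, and assigns every unauthorized installation to the team that owns the device (or to a triage queue when no owner is recorded). The collector output, the authorized inventory, the device-to-team mapping and the hash-based integrity check are all assumptions for illustration; the draft's own defect check definitions and templates are not reproduced here.

```python
"""Added example of an automated SWAM defect check (not from the NIST draft).

Field names, the use of SHA-256 as the software identifier, and every record
below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
import hashlib


def fingerprint(blob: bytes) -> str:
    """SHA-256 of an executable's bytes, the identifier a collector would report."""
    return hashlib.sha256(blob).hexdigest()


@dataclass(frozen=True)
class Install:
    """One software installation observed on one device by the collector."""
    device: str
    name: str
    version: str
    sha256: str


# Constructed stand-ins for executable contents, so the hashes below are real
# SHA-256 values rather than made-up strings.
_SSH_BLOB = b"openssh-server 8.9 approved build"
_PDF_BLOB = b"pdfview 2.4 approved build"

# Authorized inventory (assumed): (name, version) -> hash of the approved build.
AUTHORIZED = {
    ("openssh-server", "8.9"): fingerprint(_SSH_BLOB),
    ("pdfview", "2.4"): fingerprint(_PDF_BLOB),
}

# Which team owns each device (assumed); unmapped devices go to a triage queue.
DEVICE_OWNERS = {
    "web-01": "platform-team",
    "web-02": "platform-team",
    "hr-laptop-7": "endpoint-team",
}
TRIAGE_QUEUE = "swam-triage"

# Constructed collector output: two approved installs, one rebuilt binary that
# no longer matches the approved hash, and one program nobody authorized.
OBSERVED = [
    Install("web-01", "openssh-server", "8.9", fingerprint(_SSH_BLOB)),
    Install("hr-laptop-7", "pdfview", "2.4", fingerprint(_PDF_BLOB)),
    Install("web-02", "openssh-server", "8.9",
            fingerprint(b"openssh-server 8.9 rebuilt with extra code")),
    Install("kiosk-3", "minerd", "0.1", fingerprint(b"unknown binary")),
]


def check_inventory(observed, authorized, owners, triage=TRIAGE_QUEUE):
    """Run the defect check.

    Every observed install whose (name, version) is absent from the authorized
    inventory, or whose hash differs from the approved build, becomes a defect
    record assigned to the owning team or, failing that, to the triage queue.
    """
    defects = []
    for inst in observed:
        expected = authorized.get((inst.name, inst.version))
        if expected is None:
            reason = "not in authorized inventory"
        elif expected != inst.sha256:
            reason = "hash differs from authorized build"
        else:
            continue  # authorized: name, version and hash all match
        defects.append({
            "device": inst.device,
            "software": f"{inst.name} {inst.version}",
            "reason": reason,
            "assigned_to": owners.get(inst.device, triage),
        })
    return defects


def summarize(defects):
    """Count open defects per assignee, the figure an ongoing-assessment dashboard tracks."""
    counts = {}
    for d in defects:
        counts[d["assigned_to"]] = counts.get(d["assigned_to"], 0) + 1
    return counts


if __name__ == "__main__":
    found = check_inventory(OBSERVED, AUTHORIZED, DEVICE_OWNERS)
    for d in found:
        print(d)
    print(summarize(found))
```

Matching on the hash as well as on name and version is the part that goes slightly beyond the paragraph: it catches an authorized product whose executable on disk has been replaced or tampered with, which a name-and-version comparison alone would report as approved.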
Automation Support for Security Control Assessments: Software Asset Management (NIST Interagency Report 8011, Volume 3) is the third volume in NIST's planned 13-volume series providing guidance on automation support for ongoing assessments.
The full draft is available from NIST. Comments are due May 4.
Connect with the GCN staff on Twitter @GCNtech.