If you live in the world of Appsec, ever visit the realm of software development or know the landscape of DevOps security for example, then you understand and appreciate the NIST. In fact, you may have very well heard some of the chatter around here about this stalwart of security.

The NIST Cliff Notes Version

The NIST, for those of you who aren’t familiar, is the National Institute of Standards and Technology. The NIST is vital to security, impacting people and businesses everywhere. In their own words, they state that, “… innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology.”

That is technology to define, empower and improve security measures for developers, engineers and businesses from every sector. That is a means of measurement to validate that security efforts are working and to enable testing to define weaknesses. Those standards are in essence the litmus test for any application seeking NIST certification.

In efforts to protect the aforementioned many who rely on the NIST, they stated that their mission and purpose is as follows:

“…to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”

That is a lofty goal and the NIST continues to strive toward making those ideals a reality. Evidence of that commitment and those ongoing efforts can be seen in the SAMATE project.

NIST Takes Aim with SAMATE

The NIST joined another formidable force in the security arena, namely the U.S. Department of Homeland Security, in creating the SAMATE project. The acronym stands for Software Assurance Metrics and Tool Evaluation.

This is the nuts and bolts of those testing and measurement tools mentioned earlier and this is taking security to the next level.

The SAMATE project is dedicated to the goal of improving software assurance through developing better methods to enable software tool evaluations. This will include measuring the effectiveness of tools and the security techniques employed. Finding and identifying any gaps in the tools or methods is the target of this arm of the project.

Developing those methods for testing and measuring is the other focus of the SAMATE project.
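To make the "measuring the effectiveness of tools" idea above concrete, here is a small scorer written as an added example (not NIST's or SAMATE's own code, data or methodology). It assumes a labelled corpus in which each location is marked as containing a weakness or as a fixed variant of it, and a tool report of flagged locations; both the corpus and the report below are constructed, and the CWE-style labels are stand-ins. It counts true positives, false positives and false negatives per weakness class, reports findings that match no labelled location, and derives precision and recall.

```python
"""Score a static-analysis tool's report against a labelled test corpus.

Added example of a tool-effectiveness metric; not SAMATE's own method or data.
All file names, line numbers, labels and findings below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TestCase:
    file: str
    line: int
    weakness: str   # weakness class label (constructed CWE-style ids)
    flawed: bool    # True: weakness present ("bad" case); False: fixed ("good") variant


# Constructed labelled corpus: bad/good pairs for three weakness classes.
CORPUS = [
    TestCase("sqli_01.c", 12, "CWE-89", True),
    TestCase("sqli_01_fixed.c", 12, "CWE-89", False),
    TestCase("bof_02.c", 30, "CWE-120", True),
    TestCase("bof_02_fixed.c", 30, "CWE-120", False),
    TestCase("xss_03.c", 8, "CWE-79", True),
    TestCase("xss_03_fixed.c", 8, "CWE-79", False),
]

# Constructed tool report: (file, line, weakness) locations the tool flagged.
TOOL_FINDINGS = {
    ("sqli_01.c", 12, "CWE-89"),        # flaw present and flagged: true positive
    ("bof_02_fixed.c", 30, "CWE-120"),  # flagged the fixed variant: false positive
    ("xss_03.c", 8, "CWE-79"),          # flaw present and flagged: true positive
    ("xss_03.c", 40, "CWE-79"),         # no labelled case at this location: unmatched
}


def score(corpus, findings):
    """Return ({weakness: {"tp", "fp", "fn"}}, sorted list of unmatched findings).

    A flawed case that is flagged is a true positive, one that is missed a false
    negative; a fixed case that is flagged is a false positive. A fixed case that
    is not flagged is a true negative and is not counted here.
    """
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0})
    labelled = {(c.file, c.line, c.weakness): c for c in corpus}
    for key, case in labelled.items():
        bucket = counts[case.weakness]  # ensure every class appears in the result
        hit = key in findings
        if case.flawed and hit:
            bucket["tp"] += 1
        elif case.flawed and not hit:
            bucket["fn"] += 1
        elif not case.flawed and hit:
            bucket["fp"] += 1
    # Findings at locations the corpus does not label cannot be judged either way.
    unmatched = sorted(f for f in findings if f not in labelled)
    return dict(counts), unmatched


def _ratio(num, den):
    return round(num / den, 3) if den else 0.0


def precision_recall(counts):
    """Per-weakness (precision, recall), rounded to three decimals."""
    return {
        w: (_ratio(c["tp"], c["tp"] + c["fp"]), _ratio(c["tp"], c["tp"] + c["fn"]))
        for w, c in counts.items()
    }


def overall(counts):
    """(precision, recall) pooled across all weakness classes."""
    tp = sum(c["tp"] for c in counts.values())
    fp = sum(c["fp"] for c in counts.values())
    fn = sum(c["fn"] for c in counts.values())
    return _ratio(tp, tp + fp), _ratio(tp, tp + fn)


if __name__ == "__main__":
    counts, unmatched = score(CORPUS, TOOL_FINDINGS)
    for weakness, (p, r) in sorted(precision_recall(counts).items()):
        print(f"{weakness}: {counts[weakness]}  precision={p} recall={r}")
    print("overall precision/recall:", overall(counts))
    print("unmatched findings:", unmatched)
```

Per-class numbers matter more than the pooled ones: in the constructed report the tool looks reasonable overall yet scores zero on the buffer-overflow pair, having flagged the fixed file and missed the flawed one, which is exactly the kind of gap a tool evaluation is meant to surface.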

NIST Continues to Set Standards with SAMATE

Knowing what tools are needed for what job is necessary in any realm, and that is only magnified in the security industry. Do your scanners and protocols read and understand the verbiage used by various coding languages? Will they run, without issue, on any platform, and can they test and read cloud-based applications?

SAMATE is presented as a defining catalog specifying how software security assurance (SSA) tools are developed and the class of SSA tools along with their priority order and functioning capacities. This also includes setting the required functionality standards for these security tools.

These are by no means arbitrary standards either as NIST and the SAMATE project also develop metrics and tests to prove, assess and determine these functionalities. The bottom line is that an alarm that doesn’t sound, a fire extinguisher that doesn’t work or a security program that is highly vulnerable are all examples of security measures that don’t work. NIST and SAMATE work to ensure that they do.

NIST and SAMATE are Specific and Broad Ranging

The scope of the NIST and the SAMATE project is both specific and broad ranging. The NIST works with and in a myriad of industries, including some of the following:

  • Communication is always susceptible to data breach and information corruption. NIST works intimately with advanced communications to provide members of the public safety community a dedicated network.
  • Power distribution plants, hydroelectric dams, water treatment facilities and the many industries that rely on operational technologies (OT) require the strictest safety measures.
  • The medical community depends on measurements and standards that are accurate, reliable and most importantly effective. The technology and tools NIST has provided have promoted innovations in medicine and improved the medical community.

The SAMATE project is employed in a variety of means and to a variety of infrastructures, these are a few examples:

  • Operating systems employ tools to protect against vulnerabilities and defend against corruption.
  • SCADA must defend the integrity of its control system architecture and safeguard networked data communications.
  • Web applications are tested and evaluated before use so they do not fall to known threats.

SAMATE is an integral part of these and many other security processes. NIST has always been a vital part of the security landscape – and continues to be…

“…because of its comprehensive approach to security, is being adopted across all industries. Organizations not adhering to it should quickly consider it as a way to develop their own security best practices.

Financial institutions, utilities companies, transportation organizations and others like them contribute to the smooth functioning of our government, and by extension, our society…they could become targets for cyber exploitation. The NIST Framework safeguards against this type of disruption with a codified set of security requirements that aims to avoid vulnerabilities.”

That was a clip taken from a recent Federal News Radio report and illuminates the seemingly tireless efforts of the NIST.

Here Today Safer Tomorrow

The NIST is older than any of us and has been setting the standard in security for a long time. SAMATE is NIST taking security to the next level. Since NIST is here today, that means we all will be a little safer tomorrow.