NIST 500-268 is a document published by the US National Institute of Standards and Technology. It defines the minimum capabilities expected from source code security analysers.
Software assurance tools play a crucial role in identifying security weaknesses and vulnerabilities at all stages of the software development lifecycle. NIST source code security analysers (sometimes abbreviated to NIST code analysers) leverage static analysis to scan software applications to identify potential security weaknesses early in the development process, and hence prevent vulnerabilities.
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a non-regulatory agency of the United States Department of Commerce. NIST serves as a cornerstone of the U.S. scientific and technological infrastructure, supporting innovation and advancement in numerous fields.
The NIST Cybersecurity Framework (CSF) is a set of guidelines, best practices, and standards developed by the National Institute of Standards and Technology (NIST) to help organizations manage and improve their cybersecurity posture.
The CSF provides a flexible and voluntary framework based on existing standards, guidelines, and practices for organizations to manage and mitigate cybersecurity risk. It consists of three main components:
CSF Core
The Core consists of five primary functions: Identification, Protection, Detection, Response, and Recovery. The five Core Functions are subdivided into a total of 23 Categories.
CSF Implementation Tiers
The Implementation Tiers provide organizations with a framework to assess and communicate their cybersecurity maturity level, ranging from basic awareness and ad-hoc practices to dynamic, proactive risk management capabilities.
CSF Organisational Profiles
The CSF organizational profiles offer a means for organizations to align their cybersecurity activities with their business requirements, risk tolerance, and available resources, aiding in the customization and implementation of the NIST Cybersecurity Framework.
NIST Special Publication (SP) 500-268, titled “Source Code Security Analysis Tool Functional Specification,” provides guidelines for the functionality of source code security analysis tools. These tools are used to identify vulnerabilities and weaknesses in software source code to enhance its security. The document specifies the requirements and features that such tools should possess to effectively analyse source code for security issues.
Generally, the document requires that tools are capable of reporting software weaknesses in source code, identifying their type and location while minimising the incorrect identification of weaknesses where there are none (“false positives”).
NIST 500-268 is not classified as a core component within the NIST Cybersecurity Framework. It is part of the broader collection of publications and resources provided by NIST to support the cybersecurity efforts promoted by the framework.
NIST 500-268 focuses specifically on source code security analysers; within the broader NIST Cybersecurity Framework, their role is as one component of an organization’s overall cybersecurity strategy. This is how SP 500-268 aligns with the framework:
In summary, NIST SP 500-268 helps organizations effectively manage the cybersecurity risks associated with software development and maintenance, in accordance with the principles of the general cybersecurity framework.
The relationship between NIST SP 500-268 and CWE lies in their complementary roles in software security. NIST SP 500-268 provides guidelines for the functionality of tools that can help identify security issues in source code, while CWE provides a standardized vocabulary and taxonomy for describing these security weaknesses. Software security analysis tools, guided by the specifications outlined in NIST SP 500-268, leverage CWE to categorize and report identified vulnerabilities, enabling organizations to prioritize and address them effectively.

NIST 500-268 describes security weaknesses that source code security analysis tools are designed to detect and mitigate. NIST 500-268 calls out several categories of weaknesses, and maps specific examples to their respective CWE listing.
CWE-80 Basic XSS: Scripting elements such as <, > and & are not sanitized before being sent to web components.
CWE-99 Resource Injection: Raw user input may allow restricted file names or ports to be opened.
CWE-78 OS Command Injection: Lets users modify commands or arguments, so that malicious users can run commands that are otherwise not available.
CWE-89 SQL Injection: SQL syntax allowed in user input can result in data loss, exposure, modification, or arbitrary code execution.
CWE-121 Stack-based Buffer Overflow: Often a local variable buffer on the stack is overwritten out of bounds, resulting in arbitrary code execution or an infinite loop.
CWE-122 Heap-based Buffer Overflow: Often a malloc()-ed buffer on the heap is overwritten out of bounds, resulting in arbitrary code execution or an infinite loop.
CWE-134 Format String Vulnerability: User-supplied string arguments can lead to buffer overflows, denial of service or data representation problems.
CWE-170 Improper Null Termination: A null terminator omitted because of an off-by-one error or a bad strncpy() call can lead to data exposure, execution errors, or arbitrary code execution.
CWE-259 Hard-Coded Password: Hard-coded passwords are easy to steal and share while being difficult to detect and recover from; they can result in insecure data and/or loss of product and account.
CWE-367 Time-of-Check Time-of-Use Race Condition: A resource’s state can change between check and use, which can cause invalid actions when the resource is in an unexpected state.
CWE-391 Unchecked Error Condition: Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed. [Planned for deprecation; see the alternatives below.]
CWE-248 Uncaught Exception: may cause crashes or expose sensitive information.
CWE-252 Unchecked Return Value: can prevent the detection of unexpected states.
CWE-1069 Empty Exception Block: can prevent the product from running reliably. If reachable by an attacker, this unreliability might introduce a vulnerability.
CWE-401 Memory Leak: Improper release of memory can lead to unexpected behaviour or denial of service.
CWE-412 Unrestricted Critical Resource Lock: can lead to an indefinite denial of service.
CWE-415 Double Free: Can corrupt memory management and lead to crashes or buffer overflow attacks.
CWE-416 Use After Free: Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CWE-457 Uninitialized Variable: Using a variable that has not been initialized leads to unpredictable or unintended results.
CWE-468 Unintentional Pointer Scaling: Improper scaling in pointer math can lead to buffer overflows.
CWE-476 Null Dereference: Caused by errors or race conditions and results in a crash or exit.
CWE-489 Leftover Debug Code: Leftover debug code poses security risks because it is not considered during design or testing and falls outside the expected operating conditions of the product.
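As an added illustration (not text or code from SP 500-268 or from LDRA), the following C snippet shows the CWE-170 pattern from the list above: a strncpy() copy that leaves no terminator, beside a hardened copy that always terminates and reports truncation (the helper names are assumed):

```c
#include <stddef.h>
#include <string.h>

/* Assumed helper (not from SP 500-268 or the LDRA tool suite): copies src
 * into dst[cap] the way CWE-170 describes, i.e. strncpy() with no explicit
 * terminator. Returns 1 if dst ended up NUL-terminated, 0 if it did not.
 * memchr() is bounded by cap, so the check itself never reads past dst. */
static int copy_unterminated(char *dst, size_t cap, const char *src) {
    strncpy(dst, src, cap);   /* writes no NUL when strlen(src) >= cap */
    return memchr(dst, '\0', cap) != NULL;
}

/* Hardened form: copy at most cap-1 bytes and always write the terminator.
 * Returns 1 if the whole string fitted, 0 if it was truncated; ignoring that
 * result would be the CWE-252 (Unchecked Return Value) pattern in the list. */
static int copy_terminated(char *dst, size_t cap, const char *src) {
    if (cap == 0) return 0;
    size_t n = strlen(src);
    size_t m = n < cap - 1 ? n : cap - 1;
    memcpy(dst, src, m);
    dst[m] = '\0';
    return n == m;
}

/* Constructed case: a 4-byte buffer receiving "hello" via the naive copy
 * is left without a terminator. */
int demo_unterminated(void) {
    char buf[4];
    return copy_unterminated(buf, sizeof buf, "hello");   /* returns 0 */
}

/* Same input through the hardened copy: "hel", terminated, flagged truncated. */
int demo_terminated(void) {
    char buf[4];
    int fit = copy_terminated(buf, sizeof buf, "hello");
    return !fit && strlen(buf) == 3;                      /* returns 1 */
}

/* Input that fits: copied whole and reported as not truncated. */
int demo_short_fits(void) {
    char buf[4];
    int fit = copy_terminated(buf, sizeof buf, "hi");
    return fit && strcmp(buf, "hi") == 0;                 /* returns 1 */
}
```

A static analyser meeting the SP 500-268 expectations would report the strncpy() in copy_unterminated() with its weakness type (CWE-170) and location, and should not flag copy_terminated(), which always writes the terminator.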
Both the TBvision component of the LDRA tool suite and the LDRArules point product provide key capabilities to implement NIST 500-268.

LDRA’s tools provide key capabilities to implement NIST 500-268.
The LDRA tool suite performs static source code analysis to detect violations of common coding and security standards, including all of those in the list above. The ability to generate custom standards and user-defined rules enables organizations to tailor analysis to address specific security concerns. LDRA offers integrations with IDEs, version control systems, and automated build systems, allowing automation of detection and artifact generation. This enables coding standard enforcement and code reviews, and helps developers learn to write more secure and reliable code.
Email: info@ldra.com
EMEA: +44 (0)151 649 9300
USA: +1 (855) 855 5372
INDIA: +91 80 4080 8707