Standards provide the basis for demonstrating compliance with laws, policies, and regulatory guidelines.
Black Duck DevSecOps tools and services can help organizations comply with laws, regulatory guidance, policies, and standards related to application security (AppSec), software quality, data protection, and privacy. Avoid exploits by finding and fixing weaknesses and vulnerabilities using DevSecOps tools that provide detailed reports listing the specific rules and categories of each standard that the tools address.
To help raise the bar for software security and stay informed about the latest security issues, Black Duck employees serve or have served as subject matter experts for the committees, boards, working groups, programs, and projects related to AppSec standards, policies, and regulatory guidelines.
The Automotive Industry Action Group (AIAG) is a nonprofit organization composed of original equipment manufacturers (OEMs), suppliers, service providers, government entities, and individuals in academia who work collaboratively to improve quality and reduce costs and complexity in the automotive supply chain. AIAG membership includes leading global manufacturers, parts suppliers, and service providers.
The Automotive Information Sharing and Analysis Center (Auto-ISAC) is an industry-driven community that shares and analyzes intelligence about emerging cyber security risks to vehicles and collectively enhances vehicle cyber security capabilities across the global automotive industry, including light- and heavy-duty vehicle OEMs, suppliers, and the commercial vehicle sector. Auto-ISAC defines best practices that are well adopted among OEMs.
Automotive Open System Architecture (AUTOSAR) is a worldwide development partnership of vehicle manufacturers, suppliers, service providers, and companies from the automotive electronics, semiconductor, and software industries. AUTOSAR standards are used heavily in safety-critical automotive and aircraft applications.
The AUTOSAR Classic Platform defines a standard architecture and API that ensures interoperability across vendor components. At the highest abstraction level it distinguishes three software layers that run on a microcontroller: application, runtime environment, and basic software. The AUTOSAR Classic Platform Working Groups develop and maintain the Classic Platform.
The AUTOSAR Adaptive Platform for high-performance computing engine control units (ECUs) implements the AUTOSAR runtime for adaptive applications (ARA). Its two interface types are services and APIs. The AUTOSAR Adaptive Platform Working Groups develop and maintain the Adaptive Platform.
AUTOSAR works closely with ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards committee working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards committee working group.
AUTOSAR and MISRA announced that their industry standard for best practice in C++ will be integrated into one publication.
The Center for Internet Security (CIS) is a community-driven nonprofit responsible for CIS Controls and CIS Benchmarks, globally recognized best practices for securing information technology (IT) systems and data.
CIS Benchmarks are consensus-developed, secure configuration guidelines for hardening cloud platforms, operating systems, mobile devices, applications, and middleware. Developed by cyber security professionals and subject matter experts, CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Benchmarks community develops and updates secure configuration guidelines for technology families.
CIS WorkBench is a virtual place to network and collaborate with cyber security professionals from around the world. Activities include helping to draft configuration recommendations for the CIS Benchmarks, submitting tickets, and discussing best practices to secure a wide range of technologies.
The Consortium for Information and Software Quality (CISQ) is an industry leadership group that develops international standards to automate the measurement of software size and structural quality from the source code. CISQ standards enable organizations that develop or acquire software-intensive systems to measure the operational risk software poses to the business, as well as estimate the cost of ownership.
CISQ was co-founded by:
CISQ members and sponsors include software engineering, security, and quality management professionals and senior leadership responsible for major mission-critical systems from global enterprises, system integrators, service providers, software technology vendors, and public sector institutions. The CISQ roadmap includes the development of new standards, certification programs, and deployment activities to advance the state of practice in software engineering. CISQ sponsors participate in and influence standards development, including the identification of CISQ projects.
The CISQ governing board sets the program direction, including the roadmap for standards development and publication of technical guidance. CISQ projects include the following:
The study groups of the International Telecommunication Union (ITU) Telecommunication Standardization Sector (ITU-T) assemble experts from around the world to develop international standards known as ITU-T recommendations that act as defining elements in the global infrastructure of information and communication technologies (ICTs).
ITU-T SG 17 adopted the Cybersecurity Information Exchange (CYBEX) framework initiative that imports best-of-breed standards for platforms developed by government agencies and industry to enhance cyber security and infrastructure protection. The ITU-T CYBEX X.1500 standard series includes:
CVE, CWE, and CAPEC are sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is operated by MITRE.
CVE numbering authorities (CNAs) are global organizations authorized to assign CVE IDs to vulnerabilities that affect products within their distinct, agreed-upon scope for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and IT vendors.
The CVE board is composed of numerous cyber security–related organizations and provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE list.
CWE/CAPEC board members include technical implementers, subject matter experts, and advocates who provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction for the CWE and CAPEC lists.
The International Electrotechnical Commission (IEC) is an international standards organization that prepares and publishes international standards for all electrical, electronic, and related technologies.
IEC develops many standards through joint technical committees including:
The Institute of Electrical and Electronics Engineers (IEEE) is a technical professional organization dedicated to advancing technology for the benefit of humanity.
The IEEE Standards Association (IEEE SA) is a consensus-building organization that nurtures, develops, and advances global technologies through IEEE by bringing together a broad range of individuals and organizations to facilitate standards development and standards-related collaboration.
The IEEE SA corporate program facilitates the exploration of new standards opportunities at IEEE, supporting the development of projects around the full life cycle of standards. Its international presence allows for a broad-based focus on new work areas and programs.
The IEEE technical committee on electric and autonomous vehicles (TC-EAV) under the IEEE Reliability Society (RS) brings researchers and practitioners together for interdisciplinary collaborations among academia, industry, and government agencies, including both private and public sectors, in areas such as software engineering, communications and networking, computer vision, artificial intelligence and machine learning, cyber-physical systems, testing, validation, and formal verification.
The International Committee for Information Technology Standards (INCITS) is the U.S. forum dedicated to creating technology standards for the next generation of innovation. INCITS members combine their expertise to create the building blocks for globally transformative technologies, from cloud computing to communications, from transportation to healthcare.
INCITS serves as the U.S. Technical Advisory Group (TAG) for ISO/IEC Joint Technical Committee 1. A U.S. TAG is a committee accredited by the American National Standards Institute (ANSI) to participate in ISO/IEC technical activities. ANSI-accredited U.S. TAGs include the range of U.S. parties interested in and affected by specific ISO/IEC standards.
The International Society of Automation (ISA) is a professional nonprofit association that develops widely used global standards, certifies industry professionals, provides education and training, publishes books and technical articles, hosts conferences and exhibits, and provides networking and career development programs for its global members and customers.
The ISA99 committee brings together global industrial cyber security experts to develop ISA standards on industrial automation and control systems security. It draws on the input and knowledge of global industrial automation and control systems (IACS) security experts to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
The ISA99 committee develops a series of standards adopted by the IEC including the ISA/IEC 62443 series of standards, which provide a flexible framework to address and mitigate current and future security vulnerabilities in IACS.
The International Standards Organization (ISO) is an independent, nongovernmental, international organization of national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges. ISO standards are developed by ISO technical committees.
ISO/IEC technical committees for programming languages
The ISO/IEC Joint Technical Committee 1 (JTC 1) Subcommittee 22 (SC 22) is the international standardization subcommittee for programming languages, their environments, and system software interfaces. SC 22 is also known as the portability subcommittee. JTC 1/SC 22 has working groups (WGs) for various programming languages including:
ISO/IEC technical committee for IT, cyber security, and privacy protection
INCITS serves as the U.S. TAG to ISO/IEC JTC 1/SC 27 for information security, cyber security, and privacy protection. ISO/IEC JTC 1/SC 27/WG 3 (security evaluation, testing, and specification) codevelops standards for the protection of information and ICT, including:
ISO/IEC technical committee for software and systems engineering
ISO/IEC JTC 1/SC 7 for software and systems engineering develops standards for processes, supporting tools, and supporting technologies for the engineering of software products and systems, including ISO/IEC/IEEE 15026 (systems and software assurance), which defines assurance-related terms and establishes an organized set of concepts and relationships to form a basis for shared understanding of assurance across user communities.
ISO technical committee for E/E components and general system aspects
ISO/TC 22/SC 32 for electrical and electronic (E/E) components and general system aspects develops standards for E/E components and cross-sectional specifications for E/E systems and components including:
The Information Technology Industry Council (ITI or ITI-C) is a global advocate for technology. ITI promotes public policies and industry standards that advance competition and innovation worldwide. ITI members include the world's leading innovation companies.
The Japan Automotive Software Platform and Architecture (JASPAR) enables the standardization of electronic control systems and software for in-vehicle networks, thereby allowing industrywide common implementation, more efficient development, and increased reliability. Topics include E/E cyber security.
The JASPAR cyber security technical working group works to define and validate the requirements of automotive cyber security technologies based on use cases, including projects like the “A-CST-07-0003 Fuzzing Test Guide.”
The Japan Network Security Association (JNSA) is a nonprofit organization that promotes network security standardization. JNSA comprises working groups including the Survey and Research Committee IoT security working group, which undertakes survey activities and research on information security issues.
The Ministry of Economy, Trade, and Industry (METI) helps develop the Japanese economy and industry by promoting economic vitality in private companies and advancing external economic relationships. METI also secures a stable and efficient supply of energy and mineral resources.
METI ensures security in the new supply chains (value creation processes) under the national Society 5.0 policy by integrating cyber space and physical space, as well as the national Connected Industries policy for adding new value by connecting a variety of goods, industries, and people. METI develops the Cyber-Physical Security Framework (CPSF), an overview of required security measures.
The METI WG 1 (systems, technologies, and standardization) cross-disciplinary subworking group, under the industrial cyber security study group, holds discussions on cyber-physical security measures to achieve security in the new supply chains under the Society 5.0 and Connected Industries policies. Its Task Force for Examining Software Management Methods for Ensuring Cyber-Physical Security discusses the SBOM as a way to identify problems and bring them to the foreground, especially vulnerabilities in the supply chain.
The Motor Industry Software Reliability Association (MISRA) is a collaboration between vehicle manufacturers, component suppliers, and engineering consultancies that seeks to promote best practices for developing safety-related electronic systems in road vehicles and aircraft.
MISRA works closely with ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards committee working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards committee working group.
MISRA and AUTOSAR announced that their industry standard for best practice in C++ will be integrated into one publication.
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a nonregulatory agency of the U.S. Department of Commerce that promotes innovation and industrial competitiveness.
U.S. policies are created when the Office of Management and Budget (OMB) takes executive orders and turns them into mandates or policies that point to the NIST special publications (SPs). These include the NIST SP 800 series for the computer security community, such as NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, which provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.
The NIST Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Parts of SCAP use the CVE, CWE, and CAPEC lists.
The National Telecommunications and Information Administration (NTIA), located within the U.S. Department of Commerce, is the executive branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues.
Stakeholders in NTIA software component transparency working groups collaborate in an open and transparent process to address transparency around software components and advocate for software transparency throughout the supply chain, including SBOM standards. An SBOM is a list of all the open-source and third-party components present in a codebase, the licenses that govern those components, the versions of the components used in the codebase, and their patch status.
The Organization for the Advancement of Structured Information Standards (OASIS) aims to set the standard for open collaboration. OASIS Open is where individuals, organizations, and governments come together to solve technical challenges through the development of open code and open standards.
The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools. SARIF is an approved OASIS standard. It enables organizations in the safety and security communities to combine and compare the results from multiple competing tools more easily for a more accurate picture of their code issues.
OASIS SARIF technical committee members develop the SARIF interoperability standard for detecting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that will make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.
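To make the "combine and compare" use of SARIF concrete, the following is an added example (not code from the page, OASIS, or any tool vendor). It constructs two minimal SARIF 2.1.0 logs for two hypothetical analyzers ("AnalyzerA" and "AnalyzerB"; the rule IDs, file paths, and messages are sample values), merges them into one multi-run log, and reports which findings both tools agree on.

```python
import json
from collections import defaultdict


def _result(rule, uri, line, level, text):
    """Build one SARIF result object (the subset of fields used below)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}


def _log(tool, results):
    """Serialize a single-run SARIF 2.1.0 log for a hypothetical tool."""
    return json.dumps({"version": "2.1.0",
                       "runs": [{"tool": {"driver": {"name": tool}},
                                 "results": results}]})


# Constructed sample logs; the tools, paths, and findings are not real.
SARIF_A = _log("AnalyzerA", [
    _result("CWE-89", "src/db.py", 42, "error", "SQL built from untrusted input"),
    _result("CWE-79", "src/view.py", 17, "warning", "Unescaped output"),
])
SARIF_B = _log("AnalyzerB", [
    _result("CWE-89", "src/db.py", 42, "error", "Tainted query string"),
    _result("CWE-798", "src/config.py", 3, "warning", "Hard-coded credential"),
])


def findings(sarif_text):
    """Flatten a SARIF log into (tool, ruleId, uri, startLine, level) tuples."""
    out = []
    for run in json.loads(sarif_text)["runs"]:
        tool = run["tool"]["driver"]["name"]
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            out.append((tool, res["ruleId"], loc["artifactLocation"]["uri"],
                        loc["region"]["startLine"], res.get("level", "warning")))
    return out


def merge(sarif_texts):
    """Combine several logs into one; SARIF permits many runs per log."""
    runs = []
    for text in sarif_texts:
        runs.extend(json.loads(text)["runs"])
    return {"version": "2.1.0", "runs": runs}


def compare(sarif_texts):
    """Map each (ruleId, uri, line) to the set of tools that reported it."""
    by_key = defaultdict(set)
    for text in sarif_texts:
        for tool, rule, uri, line, _level in findings(text):
            by_key[(rule, uri, line)].add(tool)
    return dict(by_key)


def agreed(sarif_texts):
    """Findings reported by more than one tool, i.e. higher-confidence issues."""
    return {k: v for k, v in compare(sarif_texts).items() if len(v) > 1}
```

Matching on rule ID plus location is the simplest cross-tool key; real tools often use vendor-specific rule IDs, so a production comparison would map them to a common taxonomy such as CWE first.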
SAE International (previously known as the Society for Automotive Engineers) is a global association of engineers and related technical experts that develops and publishes international standards for global transport industries such as aerospace, automotive, and commercial vehicles.
G-32 cyber-physical systems security committee
The G-32 cyber-physical systems security committee develops documents that address cyber-physical systems security (CPSS), intended for multisector, cross-industry use, to address weaknesses and vulnerabilities of the system and system elements including software, firmware, and hardware. Active cross-industry participation in the committee includes members from industries like aerospace, automotive, defense, medical devices, industrial control devices, IoT, and banking and finance, as well as government and academia.
Vehicle cyber security systems engineering committee
The vehicle cyber security systems engineering committee (WG TEVEES18A), serving as the U.S. TAG to ISO, codevelops the Cyber Security Guidebook for Cyber-Physical Vehicle Systems (J3061). The ISO/SAE 21434 cyber security engineering standard for road vehicles builds upon SAE J3061 and provides a similar framework for the entire life cycle of road vehicles.
Data Link Connector vehicle security committee
The Data Link Connector vehicle security committee WG TEVDS20 develops:
The Singapore Manufacturing Federation Standards Development Organisation (SMF-SDO) administers the development, promotion, and implementation of standards to meet the needs of industry and regulators. SMF-SDO is guided by the industry-led Singapore Standards Council, which provides advice on the directions, policies, strategies, and priorities for the Singapore Standardisation Programme, managed by Enterprise Singapore, the national standards body.
The manufacturing standards committee (MSC) identifies, develops, and promotes critical standards to support the growth of the manufacturing and general engineering sectors in Singapore. The MSC autonomous vehicle technical committee (AVTC) oversees the preparation of a new standard and includes the cyber security guidelines working group (WG3), which develops “Technical Reference 68 for Autonomous Vehicles – Part 3 (TR 68 – 3): Cyber Security Principles and Assessment Framework” to promote the safe and secure deployment of fully autonomous vehicles in Singapore.
UL (formerly Underwriters Laboratories) is a global safety consulting and certification company. UL helps companies demonstrate safety, enhance sustainability, strengthen security, deliver quality, manage risk, and achieve regulatory compliance.
UL 2900 is a series of standards that present general software cyber security requirements for network-connectable products (UL 2900-1), as well as requirements specifically for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).
The UL cyber security assurance program (UL CAP) is a certification program that evaluates the IoT security of network-connectable products and systems. UL CAP uses the UL 2900 series of standards.