9 The NIST Perspective on Software Updates
Pages 53-58



From page 53...
... Black spoke about software updates from the agency's perspective, and both fielded questions in the discussion period.

KEY CHALLENGES

Black opened with a discussion of the multifaceted challenges to creating software update infrastructure.
From page 54...
... Virtual machines, for example, can execute multiple operating system configurations, depending on their use, and would need all the corresponding software updates to remain secure. Building on a theme raised earlier in the workshop, Richard Danzig, Johns Hopkins University Applied Physics Laboratory, asked how the growth of cloud computing and machine learning might be affecting this landscape, in NIST's view.
From page 55...
... Most software is licensed to a user instead of sold outright, in order to protect the maker's intellectual property rights. However, the licensing agreement doesn't set forth security requirements for the user.
From page 56...
... Regarding the idea of a software inventory, suggested earlier in the workshop, Black suggested that such a mechanism would indeed be helpful in shedding light on the building blocks inside complicated software modules, and he noted that NIST is working on enabling a software identification tag (SWID) that could be complementary to this approach.
From page 57...
... Very few software packages provide SWID tags, because there aren't a lot of SWID tools out there for them to use in the first place. To remedy this problem, NIST is producing tens of thousands of high-quality SWID tags for existing packages to get them into wider circulation.
From page 58...
... A recent NIST report, Dramatically Reducing Software Vulnerabilities,[1] identifies specific technical methods such as proof-carrying code, well-analyzed frameworks, and potential update mismatches to improve software security, noted Black. Well-analyzed frameworks, for example, enable updates to insert small bits of code around a framework, instead of updating an entire piece, thus increasing the security of updates.

