Indeed, the practices refer heavily to the multiple frameworks listed above, indicating that this is a consolidation of existing best-practice recommendations.
As one of the co-authors, Murugiah Souppaya, of the computer security division of the Information Technology Laboratory (within NIST), put it, “The paper facilitates communications about secure software development practices among groups across different business sectors around the world by providing a common language that points back to the existing industry sectors specific practices.”
He added that this “common language” is meant to help them describe their current practices. “This will allow them to set their desired baseline and identify areas for improvement,” he said.
Of course, none of the existing frameworks has transformed software security so far. There are headlines daily about breaches enabled by vulnerabilities—sometimes rampant—in applications or devices controlled by software.
So even if the NIST Secure Software Development Framework is the best one yet, it is unlikely to generate even incremental, never mind transformational, improvements in software security unless organizations are persuaded to invest the time and money to follow its recommendations.