
DigiCert Joins NIST Framework To Boost Software Supply Chain & DevSecOps Security
DigiCert has announced its participation in the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE) project focused on Secure Software Development, Security, and Operations (DevSecOps) Practices. DigiCert joins 13 other technology collaborators, including Google, Microsoft, IBM, Palo Alto Networks, CyberArk, Dell Technologies, and GitLab, to help design and demonstrate integrated solutions that improve security across the software supply chain.
As software supply chain attacks continue to rise, organizations need trusted, proven ways to harden their development environments. This project, sponsored by the U.S. Federal government, provides an independent evaluation of how to integrate leading technologies in a way that enhances software integrity and operational security, without favoring any particular vendor.
'Secure software development too often relies on fragmented tools that don't integrate well or scale across the software lifecycle,' said Tim Hollebeek, Vice President of Industry Standards at DigiCert. 'This project helps demonstrate how trusted technologies can work together to create a more cohesive, risk-based approach to DevSecOps, aligning with NIST's guidance while offering practical solutions to the market.'
The NCCoE's collaborative approach marks the first time these specific technologies have been brought together to form a comprehensive solution for secure software development, operations, and monitoring. The project stands out for its focus on applied, real-world implementations, going beyond theory to show how to achieve security and compliance goals using current tools and practices.
The public is encouraged to review and comment on the NIST SP 1800-44 Draft, now available online. Stakeholders are also invited to participate in an upcoming virtual event hosted by NIST on August 27, where project collaborators will discuss insights, implementation guidance, and community engagement opportunities.

Related Articles



Tahawul Tech
06-08-2025
How to navigate the transition to post-quantum cryptography
Security professionals worldwide are preparing for a major upgrade: a migration to new post-quantum cryptographic standards as the era of quantum computing comes closer to reality. The U.S. National Institute of Standards and Technology (NIST) has been leading a standardisation process to transition from classical public-key cryptosystems to quantum-resistant alternatives. Governments and businesses can now plan their transition to post-quantum cryptography (PQC) to ensure long-term data security against quantum-enabled threats. However, this shift must be approached with caution to avoid unintended vulnerabilities.

Recent research from the Technology Innovation Institute (TII)'s Cryptography Research Center (CRC) in Abu Dhabi and the Polytechnic University of Turin highlights a key concern: solutions that rely on variants of the computationally hard problems underlying PQC algorithms, whether to improve performance or to add functionality, require additional scrutiny. One example is the Linear Code Equivalence (LCE) problem, which plays a role in PQC signature schemes. The study, Don't Use it Twice! Solving Relaxed Linear Code Equivalence Problems, warns that modifying computational problems, even slightly, can significantly change their complexity, sometimes making them solvable with today's technology. Designers of new schemes should therefore double-check that the tweaks they introduce do not lead to weaker security guarantees than intended.

Lessons from the Linear Code Equivalence Problem
LCE, a computational assumption about two linear codes that are equivalent up to a linear transformation, has been studied by cryptanalysts and is used to construct secure cryptosystems such as digital signatures. The research warns against using relaxed versions of LCE in cryptographic applications without rigorous security validation, as doing so could lead to vulnerabilities.

A key takeaway is that even for well-established hard problems, providing additional data, such as multiple instances of a problem that share the same secret, can make it easier for attackers to recover the secret information. This serves as a reminder to designers that seemingly minor adjustments to cryptographic structures can unintentionally reduce security. While the study highlights potential vulnerabilities, it by no means suggests abandoning PQC development. Instead, organizations should begin transitioning to quantum-safe cryptography while keeping in mind the importance of careful validation and measured adoption. For example, security practitioners should focus on rigorous cryptanalysis to assess the long-term security of any PQC scheme built on novel or modified computational problems. They must also avoid relying on less-studied assumptions, or at least approach them with skepticism, to ensure that relaxations of problems do not introduce unintended vulnerabilities. The transition to PQC should be a gradual process, informed by ongoing cryptanalysis and contributions from the global cryptographic community. The process will also go through refinements as a natural part of its journey in the coming years.

The Road Ahead
The industry must navigate this shift with an understanding that cryptographic design is inherently iterative. New threats emerge and countermeasures must adapt accordingly. Governments and organizations embarking on their PQC migration journey must recognise that while PQC is still maturing, it presents an exciting opportunity to build a stronger, more resilient cryptographic foundation for the future.

This opinion piece is authored by Dr. Víctor Mateu, Acting Chief Researcher, Cryptography Research Center at TII.


TECHx
15-07-2025
Kingston IronKey D500S USB Drive Gains FIPS 140-3 Validation
Kingston Digital Europe Co LLP, a flash memory affiliate of Kingston Technology Company, announced that its IronKey™ D500S hardware-encrypted USB flash drive has received NIST FIPS 140-3 Level 3 validation. The drive is designed and assembled in California and is the first FIPS 140-3 Level 3 validated drive with a TAA-compliant, trusted supply chain. The D500S features XTS-AES 256-bit encryption and meets the latest NIST security standard.

Kingston revealed that all critical components, including the secure microprocessor, digitally signed firmware, NAND flash chips, and rugged zinc casing, comply with TAA and CMMC requirements. The company also reported that the drive offers anti-tampering protection and asset tracking with matching serial numbers. Additionally, Kingston highlighted the D500S's dual-partition option, allowing separate Admin and User secure areas with multi-password protection. The drive includes features like Global Read-Only mode and Crypto-Erase to secure data in sensitive situations. It also meets military-grade shock and IP67 dust and water resistance standards. The D500S is available in capacities up to 512GB and comes with a five-year warranty and free technical support.

- Kingston's IronKey D500S is the world's first FIPS 140-3 Level 3 validated USB drive
- The drive is TAA and CMMC compliant with a trusted supply chain
- Features include dual partitions, rugged casing, and advanced security controls