# Enhancing the Security of Software Development Environments

By [Coleman Mehta](https://www.paloaltonetworks.com/blog/author/coleman-mehta/?ts=markdown "Posts by Coleman Mehta") and [Chandan B.N.](https://www.paloaltonetworks.com/blog/author/chandan-b-n/?ts=markdown "Posts by Chandan B.N.")

Apr 06, 2022 | 5 minutes

Categories: [Announcement](https://www.paloaltonetworks.com/blog/category/announcement/?ts=markdown), [Public Sector](https://www.paloaltonetworks.com/blog/category/public-sector/?ts=markdown)

Tags: [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown), [Cortex Xpanse](https://www.paloaltonetworks.com/blog/tag/cortex-xpanse/?ts=markdown), [Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown), [Government](https://www.paloaltonetworks.com/blog/tag/government2/?ts=markdown), [NIST](https://www.paloaltonetworks.com/blog/tag/nist/?ts=markdown), [SLED](https://www.paloaltonetworks.com/blog/tag/sled/?ts=markdown), [Supply Chain](https://www.paloaltonetworks.com/blog/tag/supply-chain/?ts=markdown)

In May of 2021, President Biden issued an unprecedented [Executive Order on Improving the Nation's Cybersecurity](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/) as a blueprint for federal agencies and private sector partners to improve their cybersecurity posture. Following high-profile incidents like the [SolarStorm](https://www.paloaltonetworks.com/blog/2020/12/solarwinds-statement-solarstorm/) supply chain attack, the order prioritized critical areas for securely modernizing federal IT infrastructure. Among other directives, the Executive Order requires government agencies to purchase only software that meets secure development standards to protect government data.

To support the Executive Order, the National Institute of Standards and Technology (NIST) issued [guidance](https://www.nist.gov/news-events/news/2022/02/nist-issues-guidance-software-iot-security-and-labeling) in February of 2022 to provide federal agencies with best practices for enhancing the security of the software supply chain. Two sets of guidance were released by NIST: the Secure Software Development Framework (SSDF) and the companion Software Supply Chain Security Guidance.

The Executive Order directs the U.S. Office of Management and Budget (OMB) to take appropriate steps to require that agencies comply with the NIST guidelines within 30 days. This means that federal agencies must begin adopting the SSDF and related guidance immediately while customizing it to the agency's risk profile and mission. Vendors who supply software to the U.S.
government will soon also have to [attest](https://www.whitehouse.gov/omb/briefing-room/2022/03/07/omb-statement-on-enhancing-the-security-of-federally-procured-software/) to meeting these guidelines.

## Components of the NIST Guidelines

In developing the guidelines, NIST gathered extensive input from technology professionals and other federal agencies through the solicitation of papers and virtual workshops, including [input](https://www.nist.gov/system/files/documents/noindex/2021/06/08/Palo%20Alto%20Networks%20-%20NIST%20Position%20Paper%20on%20Standards%20and%20Guidelines%20to%20Enhance%20Software%20Supply%20Chain%20Security.pdf) from Palo Alto Networks. Let's look at some of the components of the NIST guidelines:

* The [SSDF](https://csrc.nist.gov/Projects/ssdf) encompasses secure software development best practices from organizations such as the Business Software Alliance (BSA), the Open Web Application Security Project (OWASP) and SAFECode. These best practices aim to protect the software development infrastructure, reduce the number of vulnerabilities in software during development and continually respond to any newly found risks by addressing the root causes to prevent recurrences.
* [The Software Supply Chain Security Guidance](https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/software-supply-chain-security-guidance) provides recommendations to federal agencies for purchasing software exclusively from organizations that follow a risk-based approach to development.
* These recommendations are intended to help agencies get the necessary information from software producers in a form that can help guide risk-based decisions. The recommendations span many types of software, along with firmware, operating systems, applications and application services, among others.

## Our Commitment to Customers Through Product Integrity

At Palo Alto Networks, the security of our customers and the integrity of our solutions are our highest priorities.
We are committed to a rigorous and secure Zero Trust development environment for ourselves and our customers. In addition to state-of-the-art tools and techniques to detect any inadvertent vulnerabilities in code, our measures include:

* Performing security reviews and threat modeling early in the [software development lifecycle](https://www.paloaltonetworks.com/cyberpedia/sdlc-software-development-lifecycle).
* Protecting all endpoints and systems used in software development with [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr), along with continuous monitoring to detect and respond to anomalies with [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar).
* Securing cloud infrastructure and applications early in development through continuous integration and continuous delivery (CI/CD) workflows.
* Scanning infrastructure-as-code (IaC) templates, container images, serverless functions and more to identify vulnerabilities, misconfigurations and compliance violations. With centralized visibility and policy controls, engineering teams can secure their full stack without leaving their tools, while security teams can ensure that only secure code is deployed.
* Using [Prisma Cloud Compute](https://www.paloaltonetworks.com/prisma/cloud) to protect all cloud deployments throughout the application lifecycle.
* Managing vulnerabilities and dependencies in open source repositories: building a software bill of materials (SBOM) of the packages in use for vetting, verifying the security of dependencies against open source and proprietary databases, and assisting in remediation.
* Ensuring Identity and Access Management (IAM) so that only those who should have access to the supply chain and source code have it, and no one else.
* Inventorying and managing internet-facing system assets with [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse) based on attackers' views of the internet. Attack surface management helps account for shadow IT discovery, malicious exploit call-outs and other unauthorized internet-facing connections.

Additionally, we undertake a number of internal processes to ensure the integrity of our own products, including software and firmware signing, secure updates, signature verification and additional oversight. We institute restrictions on who scopes and defines source code changes, review new source code with a hierarchy of oversight and ensure a "chain of custody" throughout development, testing and quality assurance processes. Our approach standardizes the software development, deployment, delivery and operation pipeline to ensure there are sufficient and necessary security controls in all phases. Altogether, this is unified security for DevOps and security teams.

## Working Together for Secure Development Environments

Our mission at Palo Alto Networks is to be the cybersecurity partner of choice, protecting today's digital way of life. We support the Executive Order on Improving the Nation's Cybersecurity and the subsequent guidance from NIST. In fact, NIST published a [case study](https://www.paloaltonetworks.com/blog/2020/06/policy-supply-chain-best-practices/) highlighting Palo Alto Networks' end-to-end supply chain risk management practices in 2020. We look forward to working with our federal partners to meet these coming attestation requirements and continuing to serve as a trusted ally in helping secure development standards.

Contact the Palo Alto Networks [federal team](https://www.paloaltonetworks.com/industry/federal#public-sector-contact-form) for additional information.