Standards provide the basis for demonstrating compliance with laws, policies, and regulatory guidelines.
Synopsys DevSecOps tools and services can help organizations comply with laws, regulatory guidance, policies, and standards related to application security (AppSec), software quality, data protection, and privacy. Organizations can avoid exploits by finding and fixing weaknesses and vulnerabilities using DevSecOps tools that provide detailed reports listing the specific rules and categories of each standard that the tools address.
To help raise the bar for software security and stay informed about the latest security issues, Synopsys employees serve or have served as subject matter experts for the committees, boards, working groups, programs, and projects related to AppSec standards, policies, and regulatory guidelines listed below.
The Automotive Industry Action Group (AIAG) is a nonprofit organization composed of original equipment manufacturers (OEMs), suppliers, service providers, government entities, and academics who work collaboratively to improve quality and reduce costs and complexity in the automotive supply chain. AIAG membership includes leading global manufacturers, parts suppliers, and service providers.
The Automotive Information Sharing and Analysis Center (Auto-ISAC) is an industry-driven community that shares and analyzes intelligence about emerging cyber security risks to vehicles and collectively enhances vehicle cyber security capabilities across the global automotive industry, including light- and heavy-duty vehicle OEMs, suppliers, and the commercial vehicle sector. Auto-ISAC defines best practices that are widely adopted among OEMs.
AUTOSAR (AUTomotive Open System ARchitecture) is a worldwide development partnership of vehicle manufacturers, suppliers, service providers, and companies from the automotive electronics, semiconductor, and software industries. AUTOSAR standards are used heavily in safety-critical automotive and aircraft applications.
The AUTOSAR Classic Platform defines a standard architecture and API that ensures interoperability across vendor components. At the highest level of abstraction, it distinguishes three software layers that run on a microcontroller: application, runtime environment, and basic software. AUTOSAR working groups develop and maintain the Classic Platform.
The AUTOSAR Adaptive Platform for high-performance computing electronic control units (ECUs) implements the AUTOSAR Runtime for Adaptive Applications (ARA). It provides two types of interfaces: services and APIs. AUTOSAR working groups develop and maintain the Adaptive Platform.
AUTOSAR works closely with ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards committee working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards committee working group.
AUTOSAR and MISRA announced that their industry standard for best practice in C++ will be integrated into one publication.
The Center for Internet Security (CIS) is a community-driven nonprofit responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing information technology (IT) systems and data.
CIS Benchmarks are consensus-developed, secure configuration guidelines for hardening cloud platforms, operating systems, mobile devices, applications, and middleware. Developed by cyber security professionals and subject matter experts, CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The CIS Benchmarks communities develop and update secure configuration guidelines for each technology family.
CIS WorkBench is a virtual place to network and collaborate with cyber security professionals from around the world. Activities include helping to draft configuration recommendations for the CIS Benchmarks, submitting tickets, and discussing best practices for securing a wide range of technologies.
The Consortium for Information & Software Quality (CISQ) is an industry leadership group that develops international standards to automate the measurement of software size and structural quality from source code. CISQ standards enable organizations that develop or acquire software-intensive systems to measure the operational risk software poses to the business and to estimate the cost of ownership.
CISQ was co-founded by:
CISQ members include software engineering, security, and quality management professionals and senior leaders responsible for major mission-critical systems at global enterprises, system integrators, service providers, software technology vendors, and public sector institutions. The CISQ roadmap includes the development of new standards, certification programs, and deployment activities to advance the state of practice in software engineering. CISQ sponsors participate in and influence standards development, including the identification of CISQ projects.
CISQ leadership sets the program direction, including the roadmap for standards development and the publication of technical guidance. CISQ projects include the following:
The study groups of the ITU Telecommunication Standardization Sector (ITU-T) assemble experts from around the world to develop international standards, known as ITU-T Recommendations, that act as defining elements in the global infrastructure of information and communication technologies (ICTs).
ITU-T Study Group 17 (SG 17) adopted the Cybersecurity Information Exchange (CYBEX) framework initiative, which imports best-of-breed standards for platforms developed by government agencies and industry to enhance cyber security and infrastructure protection. The ITU-T CYBEX X.1500 standard series includes:
CVE, CWE, and CAPEC are sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is operated by MITRE.
CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and IT vendors.
The CVE Board comprises numerous cyber security-related organizations and provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE List.
CWE/CAPEC Board members include technical implementers, subject matter experts, and advocates who provide critical input regarding domain coverage, coverage goals, operating structure, and strategic direction for the CWE and CAPEC lists.
The International Electrotechnical Commission (IEC) is an international standards organization that prepares and publishes international standards for all electrical, electronic, and related technologies.
IEC develops many standards through joint technical committees, including:
The Institute of Electrical and Electronics Engineers (IEEE) is a technical professional organization dedicated to advancing technology for the benefit of humanity.
The IEEE Standards Association (IEEE SA) is a consensus-building organization that nurtures, develops, and advances global technologies through IEEE by bringing together a broad range of individuals and organizations to facilitate standards development and standards-related collaboration.
The IEEE SA corporate program facilitates the exploration of new standards opportunities at IEEE, supporting the development of projects around the full life cycle of standards. Its international presence allows for a broad-based focus on new work areas and programs.
A technical committee under the IEEE Reliability Society (RS) brings researchers and practitioners together for interdisciplinary collaboration among academia, industry, and government agencies, in both the private and public sectors, in areas such as software engineering, communications and networking, computer vision, artificial intelligence and machine learning, cyber-physical systems, testing, validation, and formal verification.
The InterNational Committee for Information Technology Standards (INCITS) is the U.S. forum dedicated to creating technology standards for the next generation of innovation. INCITS members combine their expertise to create the building blocks for globally transformative technologies, from cloud computing to communications and from transportation to healthcare.
INCITS serves as the U.S. Technical Advisory Group (TAG) for ISO/IEC Joint Technical Committee 1 (JTC 1). A U.S. TAG is a committee accredited by the American National Standards Institute (ANSI) to participate in ISO/IEC technical activities. ANSI-accredited U.S. TAGs include the range of U.S. parties interested in and affected by specific ISO/IEC standards.
The International Society of Automation (ISA) is a professional nonprofit association that develops widely used global standards, certifies industry professionals, provides education and training, publishes books and technical articles, hosts conferences and exhibits, and provides networking and career development programs for its global members and customers.
The ISA99 committee brings together global industrial cyber security experts to develop ISA standards on industrial automation and control systems security. It draws on the input and knowledge of global industrial automation and control systems (IACS) security experts to develop consensus standards that are applicable to all industry sectors and critical infrastructure.
ISA99 develops a series of standards adopted by the IEC, including the ISA/IEC 62443 series, which provides a flexible framework to address and mitigate current and future security vulnerabilities in IACS.
The International Organization for Standardization (ISO) is an independent, nongovernmental, international organization of national standards bodies. Through its members, it brings together experts to share knowledge and develop voluntary, consensus-based, market-relevant international standards that support innovation and provide solutions to global challenges. ISO standards are developed by its technical committees.
ISO/IEC technical committees for programming languages
ISO/IEC JTC 1/SC 22 is the international standardization subcommittee for programming languages, their environments, and system software interfaces. SC 22 is also known as the portability subcommittee. JTC 1/SC 22 has working groups (WGs) for various programming languages, including:
ISO/IEC technical committee for IT, cyber security, and privacy protection
INCITS serves as the U.S. TAG to ISO/IEC JTC 1/SC 27. SC 27 codevelops standards for the protection of information and ICT, including:
ISO/IEC technical committee for software and systems engineering
ISO/IEC JTC 1/SC 7 develops standards for processes, supporting tools, and supporting technologies for the engineering of software products and systems, including systems and software assurance, which defines assurance-related terms and establishes an organized set of concepts and relationships to form a basis for shared understanding of assurance across user communities.
ISO technical committee for E/E components and general system aspects
ISO/TC 22/SC 32 develops standards for E/E components and cross-sectional specifications for E/E systems and components, including:
The Information Technology Industry Council (ITI) is a global advocate for technology. ITI promotes public policies and industry standards that advance competition and innovation worldwide. ITI members include the world's leading innovation companies.
The Japan Automotive Software Platform and Architecture (JASPAR) enables the standardization of electronic control systems and software for in-vehicle networks, thereby allowing industrywide common implementation, more efficient development, and increased reliability. Topics include E/E cyber security.
A JASPAR working group works to define and validate the requirements of automotive cyber security technologies based on use cases, including projects like the "A-CST-07-0003 Fuzzing Test Guide."
The Japan Network Security Association (JNSA) is a nonprofit organization that promotes network security standardization. JNSA comprises working groups, including one that undertakes survey activities and research on information security issues.
The Ministry of Economy, Trade and Industry (METI) helps develop the Japanese economy and industry by promoting economic vitality in private companies and advancing external economic relationships. METI also secures a stable and efficient supply of energy and mineral resources.
METI ensures security in the new supply chains (value creation processes) that arise under the national policy of integrating cyber space and physical space, and under the national policy of adding new value by connecting a variety of goods, industries, and people. METI developed the Cyber-Physical Security Framework (CPSF), an overview of the required security measures.
A METI working group holds discussions on cyber-physical security measures to achieve security in the new supply chains under the Society 5.0 and Connected Industries policies. The group discusses SBOMs as a way to identify problems, especially vulnerabilities in the supply chain, and bring them to the foreground.
The Motor Industry Software Reliability Association (MISRA) is a collaboration between vehicle manufacturers, component suppliers, and engineering consultancies that seeks to promote best practices for developing safety-related electronic systems in road vehicles and aircraft.
MISRA works closely with ISO/IEC JTC 1/SC 22/WG 14, the ISO C standards committee working group, and ISO/IEC JTC 1/SC 22/WG 21, the ISO C++ standards committee working group.
MISRA and AUTOSAR announced that their industry standard for best practice in C++ will be integrated into one publication.
The National Institute of Standards and Technology (NIST) is a physical sciences laboratory and a nonregulatory agency of the U.S. Department of Commerce that promotes innovation and industrial competitiveness.
U.S. policies are created when the Office of Management and Budget (OMB) turns executive orders into mandates or policies that point to NIST special publications (SPs), including the SP 800 series for the computer security community, one of which provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations.
The NIST Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. Part of NIST SCAP uses the CVE, CWE, and CAPEC lists.
The National Telecommunications and Information Administration (NTIA), located within the U.S. Department of Commerce, is the executive branch agency that is principally responsible by law for advising the President on telecommunications and information policy issues.
Stakeholders in the NTIA software component transparency initiative collaborate in an open and transparent process to address transparency around software components and advocate for software transparency throughout the supply chain, including through standards. A software bill of materials (SBOM) is a list of all the open source and third-party components present in a codebase, the licenses that govern those components, the versions of the components used in the codebase, and their patch status.
OASIS Open aims to set the standard for open collaboration. OASIS Open is where individuals, organizations, and governments come together to solve technical challenges through the development of open code and open standards.
The Static Analysis Results Interchange Format (SARIF) is an industry standard format for the output of static analysis tools. SARIF is an approved OASIS standard. It enables organizations in the safety and security communities to combine and compare the results from multiple competing tools more easily, for a more accurate picture of their code issues.
OASIS SARIF Technical Committee (TC) members develop the SARIF interoperability standard for reporting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that makes it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.
SAE International (previously known as the Society of Automotive Engineers) is a global association of engineers and related technical experts that develops and publishes international standards for global transport industries such as aerospace, automotive, and commercial vehicles.
G-32 cyber-physical systems security committee
The G-32 committee develops documents that address cyber-physical systems security (CPSS), intended for multisector, cross-industry use, to address weaknesses and vulnerabilities of systems and system elements, including software, firmware, and hardware. Active cross-industry participation in the committee includes members from industries such as aerospace, automotive, defense, medical devices, industrial control devices, IoT, and banking and finance, as well as government and academia.
Vehicle cyber security systems engineering committee
The SAE WG TEVEES18A, serving as the U.S. TAG to ISO, codevelops the Cyber Security Guidebook for Cyber-Physical Vehicle Systems (SAE J3061). The ISO/SAE 21434 cyber security engineering standard for road vehicles builds upon SAE J3061 and provides a similar framework for the entire life cycle of road vehicles.
Data Link Connector vehicle security committee
The WG TEVDS20 develops:
The Singapore Manufacturing Federation Standards Development Organisation (SMF-SDO) administers the development, promotion, and implementation of standards to meet the needs of industry and regulators. SMF-SDO is guided by an industry-led standards council, which provides advice on the directions, policies, strategies, and priorities for the Singapore Standardisation Programme, managed by the national standards body.
The Manufacturing Standards Committee (MSC) identifies, develops, and promotes critical standards to support the growth of the manufacturing and general engineering sectors in Singapore. The MSC autonomous vehicle technical committee (AVTC) oversees the preparation of a new standard and includes the cyber security guidelines working group (WG3), which develops cyber security guidelines to promote the safe and secure deployment of fully autonomous vehicles in Singapore.
UL (formerly Underwriters Laboratories) is a global safety consulting and certification company. UL helps companies demonstrate safety, enhance sustainability, strengthen security, deliver quality, manage risk, and achieve regulatory compliance.
UL 2900 is a series of standards that present general software cyber security requirements for network-connectable products (UL 2900-1), as well as requirements specifically for medical and healthcare systems (UL 2900-2-1), industrial control systems (UL 2900-2-2), and security and life safety signaling systems (UL 2900-2-3).
The UL Cybersecurity Assurance Program (UL CAP) is a certification program that evaluates the IoT security of network-connectable products and systems. UL CAP uses the UL 2900 series of standards.